SEBI’s SBOM Mandate Reshapes India’s Financial Sector Cybersecurity

  • Writer: Giuliana Bruni
  • Sep 4
Illustration: "How SEBI’s SBOM Rule Reshapes Financial Cybersecurity."

As cybersecurity concerns grow globally, India is taking firm steps to safeguard its digital infrastructure, especially within the financial sector. The Securities and Exchange Board of India (SEBI) has introduced the Cybersecurity and Cyber Resilience Framework (CSCRF). Central to this new initiative is the requirement for regulated financial entities to adopt Software Bills of Materials (SBOMs), a move designed to improve software transparency and reduce supply chain risk.


Under the CSCRF, all SEBI-regulated organisations are now required to maintain SBOMs for both new and existing software that supports core business operations. For new software or SaaS solutions being introduced, SBOMs must be generated from procurement onwards. Existing systems must achieve compliance within six months of the framework rollout (CyberNX, 2024). In the case of legacy systems that cannot produce SBOMs, organisations must submit a board-approved risk mitigation plan (KPMG India, 2024).


SBOMs provide a clear, detailed inventory of every open source and proprietary component within a piece of software. This inventory is the first step towards exposing potential security and other risks in the software. SBOMs also support audit readiness and streamline compliance in sectors like finance, where risk management is critical (Sonatype India, 2024).


The CSCRF also requires the creation of Security Operations Centres (SOCs), either in-house or via shared “Market-SOCs” operated by exchanges like NSE and BSE (SecurityHQ, 2024). It also introduces a Cyber Capability Index (CCI), enabling firms to benchmark their cybersecurity maturity. Regular vulnerability assessments, penetration testing, and compliance reporting will now be mandatory (KPMG India, 2024).


SEBI’s direction reflects a broader global trend. In the United States, executive orders and guidance from the Cybersecurity and Infrastructure Security Agency (CISA) have elevated SBOMs as foundational tools for software transparency. The European Union’s Cyber Resilience Act also mandates SBOM usage across critical sectors. India’s CERT-In has taken this a step further by expanding SBOM categories to include AI Bills of Materials (AIBOM), Quantum BOMs (QBOM), Cryptographic BOMs (CBOM), and Hardware BOMs (HBOM).


For financial institutions, the challenge will be operationalising SBOM requirements without slowing down development or procurement cycles. Platforms such as SCANOSS can automate SBOM generation or enhance existing SBOMs with risk intelligence, linking components to known vulnerabilities, outdated cryptographic functions, and other high-risk dependencies. This turns compliance into an integrated process, ensuring alignment with SEBI’s framework while reducing manual effort and embedding security into existing development workflows.
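The two pieces the post describes, an SBOM as a component inventory and the enrichment step that links those components to known vulnerabilities, can be shown end to end on a small scale. The following Python is an added example written for this page; it is not SCANOSS code and not anything SEBI or CERT-In publish. It assumes a CycloneDX 1.5 JSON SBOM (a real, widely used format) and a constructed advisory feed keyed by Package URL (purl); every component name, version and advisory id below is made up for the illustration. It also flags components that lack a version or purl, since those cannot be matched against any vulnerability source, which is exactly the gap a board-approved mitigation plan for legacy systems would have to cover.

```python
"""Toy SBOM enrichment: load a CycloneDX JSON SBOM, report inventory-quality gaps,
and match components against a constructed advisory feed by purl and version range.
Added example for illustration only; not SCANOSS, SEBI or CERT-In code."""
import json

# Constructed CycloneDX 1.5 SBOM. Component names and versions are fictitious.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "components": [
    {"type": "library", "name": "acme-json-parser", "version": "1.4.0",
     "purl": "pkg:pypi/acme-json-parser@1.4.0"},
    {"type": "library", "name": "acme-tls-shim", "version": "0.9.2",
     "purl": "pkg:pypi/acme-tls-shim@0.9.2"},
    {"type": "library", "name": "legacy-ledger-core", "version": "3.1.0"},
    {"type": "library", "name": "vendor-blob"}
  ]
}
"""

# Constructed advisory feed (placeholder ids, not real CVEs). "package" is the
# purl without its version; a component is affected if introduced <= v < fixed.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "pkg:pypi/acme-json-parser",
     "introduced": "1.0.0", "fixed": "1.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-0002", "package": "pkg:pypi/acme-tls-shim",
     "introduced": "0.0.0", "fixed": "1.0.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-0003", "package": "pkg:pypi/acme-json-parser",
     "introduced": "0.1.0", "fixed": "0.9.0", "severity": "low"},
]


def parse_version(version):
    """Turn '1.4.0' into a comparable tuple; non-numeric parts count as 0, padded to 3."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def split_purl(purl):
    """Return (package, version) from a purl, dropping qualifiers and subpath."""
    base = purl.split("?")[0].split("#")[0]
    if "@" in base:
        package, version = base.rsplit("@", 1)
        return package, version
    return base, None


def load_components(sbom_json):
    """Parse the CycloneDX document and return its component list."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc.get("components", [])


def quality_issues(components):
    """Inventory gaps that block vulnerability matching: missing version or purl."""
    issues = []
    for comp in components:
        if not comp.get("version"):
            issues.append((comp.get("name"), "missing version"))
        if not comp.get("purl"):
            issues.append((comp.get("name"), "missing purl"))
    return issues


def match_advisories(components, advisories):
    """Link each purl-bearing component to advisories whose version range covers it."""
    findings = []
    for comp in components:
        if not comp.get("purl"):
            continue  # cannot be matched; surfaced by quality_issues instead
        package, version = split_purl(comp["purl"])
        if version is None:
            continue
        v = parse_version(version)
        for adv in advisories:
            if adv["package"] != package:
                continue
            if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
                findings.append({"component": comp["name"], "version": version,
                                 "advisory": adv["id"], "severity": adv["severity"],
                                 "fixed_in": adv["fixed"]})
    return findings


def enrich(sbom_json, advisories):
    """Full pass: inventory size, quality gaps, and vulnerability findings."""
    components = load_components(sbom_json)
    return {"component_count": len(components),
            "quality_issues": quality_issues(components),
            "findings": match_advisories(components, advisories)}


if __name__ == "__main__":
    print(json.dumps(enrich(SBOM_JSON, ADVISORIES), indent=2))
```

The matching is deliberately strict: a component without a purl is reported as an inventory gap rather than silently skipped, because an SBOM that cannot be enriched gives a regulator no more assurance than no SBOM at all. A production tool would pull advisories from a live feed and handle vendor-specific version schemes, but the shape of the check (inventory, then quality, then linkage) is the same.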


By mandating software transparency, SEBI is positioning India’s financial sector as a global leader in proactive cyber regulation. Firms that meet these requirements will not only reduce their exposure to software supply chain attacks but also demonstrate resilience to regulators, partners, and customers alike.
