SEBI Clarifications on Cybersecurity and Cyber Resilience Framework

In a significant move to bolster cybersecurity in India’s financial markets, the Securities and Exchange Board of India (SEBI) issued a new circular on April 30, 2025. This circular provides detailed clarifications and updated thresholds regarding the Cybersecurity and Cyber Resilience Framework (CSCRF) for various SEBI-regulated entities (REs), following a series of earlier directives.

The CSCRF was first introduced in August 2024 and subsequently amended in December 2024 and March 2025. The latest circular is a response to feedback from regulated entities seeking clarity and adjustment to the implementation process. It outlines new categorizations, exemptions, and responsibilities, with the compliance deadline firmly set for June 30, 2025.

Revised Categorization of Market Participants

SEBI’s framework introduces a tiered classification system based on size and activity. This system ensures that cybersecurity obligations are proportionate to the risk exposure of each entity.

  1. Stock Brokers

Stock brokers are categorized using two key metrics: the number of registered clients and the total trading volume in a year. Based on these, brokers fall into one of four categories:

  1. Qualified REs: over 10 lakh clients or more than ₹10 lakh crore in annual trading volume
  2. Mid-size REs: 1 lakh–10 lakh clients or ₹1 lakh–10 lakh crore in annual trading volume
  3. Small-size REs: 10,000–1 lakh clients or ₹10,000–1 lakh crore in annual trading volume
  4. Self-certification REs: 1,000–10,000 clients or ₹1,000–10,000 crore in annual trading volume

Brokers with fewer than 1,000 clients and less than ₹1,000 crore in annual trading volume are exempt from CSCRF requirements.

  2. Depository Participants (DPs)

DPs are classified based on their highest applicable role: a DP that is also a stock broker or a bank follows the higher of the corresponding classifications. DPs with fewer than 100 clients are exempt from Market-SOC (M-SOC) onboarding and Security Operations Center (SOC) obligations.

  3. Investment Advisers (IAs) and Research Analysts (RAs)

Standalone IAs and RAs are exempt from CSCRF. However, those registered in additional capacities must comply based on the highest applicable classification. Oversight of IA and RA compliance has been transferred to BSE Ltd. for a period of five years starting July 25, 2024.

  4. KYC Registration Agencies (KRAs)

KRAs have been reclassified from Market Infrastructure Institutions (MIIs) to Qualified REs, elevating their cybersecurity obligations.

  5. Portfolio Managers

Portfolio managers are classified by Assets Under Management (AUM). Those with AUM above ₹3,000 crore fall under Mid-size REs, while the rest are classified as Self-certification REs. Managers with fewer than 100 clients are exempt from M-SOC requirements.

  6. AIFs and VCFs

Categorization is done at the manager level: the corpus of all AIFs and VCFs run by a manager is aggregated, and the manager is placed into the appropriate category based on that total.

  7. Merchant Bankers

Only those involved in issue management and related activities are classified as Mid-size REs.

Timeline and Enforcement

All REs must ensure compliance by June 30, 2025, as set out in the March 28, 2025 circular. From the financial year 2025–26 onwards, cyber audits must be conducted against the original August 2024 framework read together with the subsequent clarifications.
