SEBI Categorises Registered Entities Under Cybersecurity Framework

The BSE will monitor CSCRF compliance for investment advisers and research analysts until July 2029.


The Securities and Exchange Board of India on Wednesday categorised four qualified registered entities, using size and risk level as the criteria, under the cybersecurity and cyber resilience framework (CSCRF).

SEBI introduced the CSCRF in August 2024 to firm up cybersecurity in financial market entities. Many entities asked for clarifications and time extensions after the introduction.

SEBI's circular offered additional clarification and revisions regarding entity categorisation, exemptions and implementation timelines.

The regulator classified entities into four tiers based on their size and risk profile: qualified regulated entities (highest risk, most obligations), mid-size regulated entities, small-size regulated entities and self-certification regulated entities (lowest risk, fewer obligations).

The assigned category, determined by the previous financial year's data, will remain unchanged for the current financial year, regardless of any subsequent changes in conditions.

Regarding registered entities, SEBI stated that stockbrokers will be categorised under the CSCRF based on their number of registered clients and annual trading volume.

The classification of stockbrokers is as follows: qualified registered entities include those with over 10 lakh clients or a turnover exceeding Rs 10 lakh crore. Mid-size registered entities encompass brokers with more than 1 lakh clients or a turnover above Rs 1 lakh crore. Small-size registered entities are those with more than 10,000 clients or a turnover exceeding Rs 10,000 crore.

Further, brokers with more than 1,000 clients or turnover above Rs 1,000 crore come under the self-certification category. However, brokers with fewer than 1,000 clients and turnover below Rs 1,000 crore are exempt from the CSCRF requirements.

Also, depository participants are classified based on their highest registration — if they are also registered as a stockbroker or a bank, they are required to follow the higher applicable category. Depository participants with fewer than 100 clients are exempt from Security Operations Center requirements.

According to SEBI, investment advisers and research analysts who are registered only in these respective roles are exempt from CSCRF provisions. However, if they are registered in any other SEBI-regulated capacity such as a broker or portfolio manager, they are required to follow the requirements of the highest applicable category.

The BSE will monitor CSCRF compliance for investment advisers and research analysts until July 2029.

SEBI said that Know Your Customer Registration Agencies are now categorised as qualified registered entities, reflecting their critical role in the market infrastructure.

Portfolio managers are classified based on their assets under management, with those managing over Rs 3,000 crore considered mid-size registered entities, and those with AUM up to Rs 3,000 crore falling under the self-certification category. Further, portfolio managers with fewer than 100 clients are exempt.

Managers with fewer than 100 clients are exempt from mandatory market-security operations center requirements.

SEBI said merchant bankers involved in issue management activities like IPOs and buybacks are classified as mid-size, while all others are considered small-size registered entities.

Registrars to an Issue and Share Transfer Agents are exempt from Market-SOC requirements if they have fewer than 100 clients.

If any entity is registered under multiple SEBI categories, it is required to comply with the highest applicable category's CSCRF obligations.

Furthermore, qualified registered entities and market infrastructure institutions are required to implement hardware security modules to secure data, while lower-tier REs can use alternative solutions based on a board-approved risk assessment.

SEBI asked all applicable entities to implement the circular's provisions by June 30, 2025, and conduct cyber audits from fiscal 2026.

(With Inputs From PTI)
