Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) - SEBI - SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60

CIRCULAR

SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60
April 30, 2025

To,
All Alternative Investment Funds (AIFs)
All Depositories
All Depository Participants through Depositories
All Investment Advisors (IAs) / Research Analysts (RAs)
All KYC Registration Agencies (KRAs)
All Merchant Bankers
All Portfolio Managers
All Registrar to an Issue and Share Transfer Agents (RTAs)
All Stock Brokers through Exchanges
All Stock Exchanges
All Venture Capital Funds (VCFs)
Association of Investment Bankers of India
Association of Portfolio Managers in India (APMI)
BSE Limited (Investment Adviser Administration and supervisory body- IAASB)
BSE Limited (Research Analysts Administration and supervisory body- RAASB)

Sir / Madam,

Subject: Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)

1. Securities and Exchange Board of India (SEBI) has issued Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) vide circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024. Upon receipt of various queries from REs seeking extension and clarification on the aforementioned circular, SEBI has also issued Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) vide circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/184 dated December 31, 2024 and Extension towards Adoption and Implementation of Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) vide circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45 dated March 28, 2025.

2. Based on further discussions with REs, it has been decided to revise the thresholds and categorization of following REs as contained in this circular.
It may be noted that the category of REs shall be decided at the beginning of the financial year based on the data of the previous financial year. Once the category of RE is decided, RE shall remain in the same category throughout the financial year irrespective of any changes in the parameters during the financial year. The category shall be validated by the respective reporting authority at the time of compliance submission. Further, the criteria given and their thresholds for different categories will continue to be updated as and when required.

2.1. Stock brokers:

2.1.1. Stockbrokers fulfilling any one of the following parameters shall be classified accordingly (the parameters shall be applied independently). The higher categorisation shall be made applicable in case a stockbroker falls into two different categories based on the two parameters independently.

Table 1: Criteria and thresholds for Stockbroker categorisation

| S. No. | Parameters | Qualified REs | Mid-size REs | Small-size REs | Self-certification REs |
| --- | --- | --- | --- | --- | --- |
| 1. | Number of total registered clients | More than 10 lakhs | More than 1 lakh and up to 10 lakhs | More than 10,000 and up to 1 lakh | More than 1,000 and up to 10,000 |
| 2. | Clientele trading volume in a year (in Crores) | More than 10,00,000 | More than 1,00,000 and up to 10,00,000 | More than 10,000 and up to 1,00,000 | More than 1,000 and up to 10,000 |

2.1.2. Stock Brokers with less than 1,000 crores clientele trading volume (in a year) and less than 1,000 total registered clients are exempted from CSCRF.

2.2. Depository Participants (DPs): It shall be noted that categorisation of DP shall be decided based on the highest thresholds of below-mentioned classification. For example: if a DP is registered as both stock broker and Bank, then it will be categorised as Qualified RE. Further, DPs having clients less than 100 shall be exempted from the requirement of SOC services or on-boarding to Market-SOC (M-SOC).

Table 2: Criteria and thresholds for DPs categorisation

| S. No | Regulated Entity | DP also registered as | Classification for CSCRF |
| --- | --- | --- | --- |
| 1. | Depository Participant (DP) | Stock Broker | To be classified as per the criteria followed for stock brokers. |
| 2. | | Other than Stock Brokers | Qualified RE |

2.3. Investment Advisers (IAs): IAs not registered with SEBI in other capacities shall be exempted from provisions of CSCRF. With respect to IAs registered with SEBI in other capacity, those IAs shall follow the highest among the other category in which they are registered with SEBI apart from IA.

2.4. Research Analysts (RAs): RAs not registered with SEBI in any other capacity shall be exempted from the CSCRF framework. With respect to RAs registered with SEBI in other capacity, those RAs shall follow the highest among the other category in which they are registered with SEBI apart from RA.

2.4.1. The reporting authority for IAs and RAs w.r.t. CSCRF compliance shall be modified from BASL and SEBI respectively to BSE Ltd. for both IAs and RAs for a period of five years starting from July 25, 2024.

2.5. KYC Registration Agencies (KRAs): KRAs shall be re-categorised from MIIs to Qualified REs.

2.6. Portfolio Managers: Categorisation of Portfolio Managers is as per the following table.

Table 3: Criteria and thresholds for Portfolio Managers categorisation

| S. No. | Criteria | Qualified REs | Mid-size REs | Small-size REs | Self-certification REs |
| --- | --- | --- | --- | --- | --- |
| 1. | AUM | N.A. | Above Rs. 3000 Crores | N.A. | Rs. 3000 Crores and below |

Further, Portfolio Managers who fall under self-certification REs category and have less than 100 clients shall be exempted from the requirement of mandatory Market-SOC (M-SOC).

2.7. Alternate Investment Funds (AIFs) and Venture Capital Funds (VCFs): Categorisation shall be at the manager level instead of AIF level. If the manager of AIF is also the manager of VCFs, then corpus of VCF schemes managed by the manager shall also be included for determining the threshold limits.
Therefore, criteria and thresholds for AIFs and VCFs categorisation shall be clubbed together and provided in the single table as mentioned below:

Table 4: Criteria and thresholds for AIFs and VCFs categorisation

| S. No. | Criteria | Qualified REs | Mid-size REs | Small-size REs | Self-certification REs |
| --- | --- | --- | --- | --- | --- |
| 1. | Sum of corpus of all AIFs, VCFs, and their schemes managed by a manager | N.A. | Rs. 10,000 crores and above | More than Rs. 3000 Crores and less than Rs. 10,000 Crores | Rs. 3000 Crores and below |

Further, managers of AIFs/ VCFs classified as self-certification REs and with a client base of less than 100 shall be exempted from the mandatory Market-SOC (M-SOC) requirement.

2.8. Merchant Bankers (MBs): The Merchant Bankers shall be categorised as per the following table:

Table 5: Criteria and thresholds for MBs categorisation

| S. No. | Merchant Banker | Category for CSCRF |
| --- | --- | --- |
| 1. | MBs which are engaged in any activity pertaining to issue management inter alia Public Issues (IPOs, FPOs, IPOs by SME), Public Offers by REITs/InvITs, Buy-Back of Securities, Delisting of Equity Shares, Open Offer under SEBI (Substantial Acquisition of Shares and Takeovers) Regulations, 2011 | Mid-size REs |
| 2. | All other MBs | Small-size REs |

3. Further, Registrar to an Issue and share Transfer Agents (RTA) having clients less than 100 shall be exempted from the requirement of employing SOC services or on-boarding to M-SOC.

4. In case an RE is registered under more than one category of REs, then the provision of highest category under which such an RE falls shall be applicable to that RE.

5. W.r.t. Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs) issued vide SEBI circular SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033 dated March 06, 2023 (CSCRF: Annexure-J), implementation of a dedicated Hardware Security Module (HSM) shall be made mandatory for MIIs and Qualified REs (as per the classification given in CSCRF).
However, mid-size REs, small-size REs, and self-certification REs shall be allowed to implement any alternative of HSM based on their risk assessment. Such risk assessment shall be approved by the Board/ Partners/ Proprietor of the RE.

6. Stock Brokers, Depository Participants, KRAs, Portfolio Managers, Investment Advisers (IAs)/ Research Analysts (RAs), Merchant Bankers (MBs), AIFs/ VCFs and Registrars to an Issue / Share Transfer Agents shall take necessary action for implementation of the circular.

7. Stock Portfolio Managers and APMI shall take necessary steps for implementing the circular, including putting the required processes and systems in place to ensure compliance with the provisions of this circular.

8. Stock Exchanges/ Depositories are directed to:

8.1. Make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction and

8.2. Bring the provisions of this circular to the notice of their members/ participants and also disseminate the same on their websites.

9. BSE Limited is directed to:

9.1. Make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction and

9.2. Bring the provisions of this circular to the notice of Investment Advisers (IAs) and Research Analysts (RAs) and disseminate the same on their websites.

10. As already communicated vide SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/45 dated March 28, 2025, timeline for compliance is June 30, 2025, for REs covered in the said circular. The cyber audit(s) conducted from the financial year 2025-26 shall be conducted as per the circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, read along with the clarifications issued.

11. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.

12. This circular is issued with the approval of Competent Authority.

13. This circular is available on SEBI website at www.sebi.gov.in under the category Legal and drop Circulars.

Yours faithfully,
Mridusmita Goswami
General Manager
Phone: 022-26449504
Email: [email protected]