SEBI strengthens cybersecurity framework, categorises financial entities based on risk and size


Capital market regulator SEBI has introduced an updated Cybersecurity and Cyber Resilience Framework (CSCRF) to bolster security within financial market entities. The new framework categorises entities into four distinct groups based on size and risk levels, ensuring a more structured approach to cybersecurity.

Four categories for entities

SEBI has classified financial market entities into the following categories:

  • Qualified REs: Entities with the highest risk, subject to the most stringent obligations 
  • Mid-size REs: Entities with moderate risk and moderate obligations 
  • Small-size REs: Entities with lower risk and fewer obligations 
  • Self-certification REs: Entities with minimal risk and the least stringent obligations 

Once classified based on data from the previous year, these categories will remain fixed for the financial year, regardless of changes in conditions.

Key entity classifications

  • Stock Brokers: Classification depends on the number of clients and annual turnover:
    • Qualified REs: Over 10 lakh clients or Rs 10 lakh crore turnover 
    • Mid-size REs: Over 1 lakh clients or Rs 1 lakh crore turnover 
    • Small-size REs: Over 10,000 clients or Rs 10,000 crore turnover 
    • Self-certification REs: Over 1,000 clients or Rs 1,000 crore turnover 
    • Exempt: Brokers with fewer than 1,000 clients or turnover below Rs 1,000 crore 
  • Depository Participants: If registered as a stock broker or bank, they follow the higher applicable category. DPs with fewer than 100 clients are exempt from Security Operations Center (SOC) requirements.
  • Investment Advisers and Research Analysts: Exempt from CSCRF unless they are also registered as brokers or portfolio managers, in which case they must comply with the highest applicable category.
  • KYC Registration Agencies: Now classified as Qualified REs, reflecting their critical role in market infrastructure.
  • Portfolio Managers: Categorised based on their Assets Under Management (AUM):
    • Mid-size REs: AUM over Rs 3,000 crore 
    • Self-certification REs: AUM up to Rs 3,000 crore 
    • Exempt: Fewer than 100 clients 
  • AIFs and VCFs: Classification is based on the combined corpus of all managed schemes:
    • Mid-size REs: Over Rs 10,000 crore 
    • Small-size REs: Rs 3,000 crore to Rs 10,000 crore 
    • Self-certification REs: Below Rs 3,000 crore 
    • Exempt: Fewer than 100 clients 
  • Merchant Bankers: Those managing IPOs or buybacks are classified as Mid-size REs, while others fall into the Small-size category.
  • Registrars to an Issue and Share Transfer Agents (RTAs): Exempt from SOC requirements if they have fewer than 100 clients.

Compliance and deadlines

Entities registered under multiple SEBI categories are required to comply with the highest applicable category’s CSCRF obligations. Qualified REs and Market Infrastructure Institutions (MIIs) are mandated to implement Hardware Security Modules (HSM) to secure data. Lower-tier entities may opt for alternative solutions, provided they are approved through a board-assessed risk management framework.

SEBI has set a deadline of June 30, 2025, for entities to comply with the provisions of the updated framework. Additionally, cybersecurity audits will be mandatory starting from FY26.

 




Author Profile

Anurag Dhole is a seasoned journalist and content writer with a passion for delivering timely, accurate, and engaging stories. With over 8 years of experience in digital media, she covers a wide range of topics—from breaking news and politics to business insights and cultural trends. Jane's writing style blends clarity with depth, aiming to inform and inspire readers in a fast-paced media landscape. When she’s not chasing stories, she’s likely reading investigative features or exploring local cafés for her next writing spot.
