Sebi Categorizes Entities for Cybersecurity Framework
Apr 30, 2025 19:17
SEBI has categorized financial market entities based on size and risk level under the cybersecurity and cyber resilience framework (CSCRF), setting new compliance deadlines for entities.
New Delhi, Apr 30 (PTI) Markets regulator Sebi on Wednesday grouped qualified registered entities into four categories based on size and risk level under the cybersecurity and cyber resilience framework (CSCRF).
Sebi introduced CSCRF in August 2024 to strengthen cybersecurity in financial market entities. Since then, many entities asked for clarifications and time extensions.
Accordingly, Sebi, in its circular, provided further clarity and updates on entity categorisation, exemptions and implementation deadlines.
The regulator said that entities are grouped into four categories based on size and risk level -- Qualified REs (highest risk, most obligations), mid-size REs, small-size REs and self-certification REs (least risk, fewer obligations).
Once a category is assigned based on the previous year's data, it remains fixed for the financial year, even if conditions change.
With regard to registered entities, Sebi said that stock brokers will be categorised under CSCRF based on the number of registered clients and annual trading volume.
Stock brokers are classified as Qualified REs if they have more than 10 lakh clients or over Rs 10 lakh crore in turnover. Those with over 1 lakh clients or turnover above Rs 1 lakh crore fall into the mid-size category, while brokers with more than 10,000 clients or turnover above Rs 10,000 crore are categorised as small-size.
Further, brokers with more than 1,000 clients or turnover above Rs 1,000 crore come under the self-certification category. However, brokers with fewer than 1,000 clients and turnover below Rs 1,000 crore are exempt from the CSCRF requirements.
Also, depository participants (DPs) are classified based on their highest registration -- if they are also registered as a stock broker or a bank, they are required to follow the higher applicable category. DPs with fewer than 100 clients are exempt from Security Operations Center (SOC) requirements.
According to Sebi, investment advisers (IAs) and research analysts (RAs) who are registered only in these respective roles are exempt from CSCRF provisions. However, if they are registered in any other Sebi-regulated capacity such as a broker or portfolio manager, they are required to follow the requirements of the highest applicable category.
BSE will monitor CSCRF compliance for IAs and RAs until July 2029.
Sebi said that KYC Registration Agencies (KRAs) are now categorised as Qualified REs, reflecting their critical role in the market infrastructure.
Portfolio managers are classified based on their Assets Under Management (AUM), with those managing over Rs 3,000 crore considered mid-size REs, and those with AUM up to Rs 3,000 crore falling under the self-certification category. Further, portfolio managers with fewer than 100 clients are exempt.
For Alternative Investment Funds (AIFs) and Venture Capital Funds (VCFs), classification is done at the manager level using the combined corpus of all managed schemes. Managers overseeing over Rs 10,000 crore fall under the mid-size category, those handling Rs 3,000 to 10,000 crore are small-size, and those below Rs 3,000 crore are self-certification REs.
Managers with fewer than 100 clients are exempt from mandatory Market-SOC requirements.
Sebi said merchant bankers involved in issue management activities like IPOs and buybacks are classified as mid-size, while all others are considered small-size REs.
Registrars to an Issue and Share Transfer Agents (RTAs) are exempt from Market-SOC requirements if they have fewer than 100 clients.
If any entity is registered under multiple Sebi categories, it is required to comply with the highest applicable category's CSCRF obligations.
Furthermore, Qualified REs and Market Infrastructure Institutions (MIIs) are required to implement Hardware Security Modules (HSM) to secure data, while lower-tier REs can use alternative solutions based on a board-approved risk assessment.
Sebi asked all applicable entities to implement the circular's provisions by June 30, 2025, and conduct cyber audits from FY26.
DISCLAIMER - This article is from a syndicated feed. The original source is responsible for accuracy, views & content ownership. Views expressed may not reflect those of rediff.com India Limited.