SEBI strengthens cybersecurity framework, categorises financial entities based on risk and size

Capital market regulator SEBI has introduced an updated Cybersecurity and Cyber Resilience Framework (CSCRF) to bolster security within financial market entities. The new framework categorises entities into four distinct groups based on size and risk levels, ensuring a more structured approach to cybersecurity.

Four categories for entities

SEBI has classified financial market entities into the following categories:

Add Zee Business as a Preferred Source

• Qualified REs: Entities with the highest risk, subject to the most stringent obligations
• Mid-size REs: Entities with moderate risk and moderate obligations
• Small-size REs: Entities with lower risk and fewer obligations
• Self-certification REs: Entities with minimal risk and the least stringent obligations

Once classified based on data from the previous year, these categories will remain fixed for the financial year, regardless of changes in conditions.

Key Entity Classifications

• Stock Brokers: Classification depends on the number of clients and annual turnover:
  • Qualified REs: Over 10 lakh clients or Rs 10 lakh crore turnover
  • Mid-size REs: Over 1 lakh clients or Rs 1 lakh crore turnover
  • Small-size REs: Over 10,000 clients or Rs 10,000 crore turnover
  • Self-certification REs: Over 1,000 clients or Rs 1,000 crore turnover
  • Exempt: Brokers with fewer than 1,000 clients or turnover below Rs 1,000 crore

• Mid-size REs: AUM over Rs 3,000 crore
• Self-certification REs: AUM up to Rs 3,000 crore
• Exempt: Fewer than 100 clients

• Mid-size REs: Over Rs 10,000 crore
• Small-size REs: Rs 3,000 crore to Rs 10,000 crore
• Self-certification REs: Below Rs 3,000 crore
• Exempt: Fewer than 100 clients

Compliance and deadlines

Entities registered under multiple SEBI categories are required to comply with the highest applicable category’s CSCRF obligations. Qualified REs and Market Infrastructure Institutions (MIIs) are mandated to implement Hardware Security Modules (HSM) to secure data. Lower-tier entities may opt for alternative solutions, provided they are approved through a board-assessed risk management framework.

SEBI has set a deadline of June 30, 2025, for entities to comply with the provisions of the updated framework. Additionally, cybersecurity audits will be mandatory starting from FY26.