SEBI Revises Cybersecurity Norms and Regulated Entities Thresholds

  • Blog|News|Company Law|
  • 3 Min Read
  • By Taxmann
  • |
  • Last Updated on 2 May, 2025

Latest from Taxmann

SEBI CSCRF thresholds

1. Background

On 30 April 2025, SEBI issued Circular No. SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2025/60 to update and clarify the application of its Cybersecurity and Cyber Resilience Framework (CSCRF) for all SEBI-regulated entities (REs). The CSCRF, first introduced in 2023, lays down minimum standards and processes to ensure that intermediaries and market infrastructure participants maintain robust cyber-risk management and resilience capabilities.

2. Scope of the Circular

This circular applies to the following categories of SEBI-regulated entities:

  • Stock Brokers (SBs)
  • Depository Participants (DPs)
  • Investment Advisers (IAs)
  • Research Analysts (RAs)
  • Portfolio Managers (PMs)

SEBI has clarified that any entity registered in more than one category must comply with the strictest requirements that apply to any of its registrations.

3. Key Clarifications and Revisions

  1. Revised Classification Thresholds for Stock Brokers

    • Qualified REs (QREs)

      • Client Count Threshold Stock brokers with more than 1,000,000 active clients will be classified as QREs.

      • Trading Volume Threshold Stock brokers handling a total annual trading volume exceeding ₹10 lakh crore will also be designated as QREs.

      • Implication QREs are subject to the highest tier of cyber-resilience requirements, including more frequent risk assessments, mandatory external audits of security controls, and detailed incident-reporting protocols.

    • Standard REs

      • Stock brokers below either threshold remain standard REs and continue to follow the baseline CSCRF requirements (e.g., annual self-assessments, periodic vulnerability scanning, and internal incident-response drills).

  2. Single Standard for Multi-Category Registrants

    • If an entity is registered both as, say, a DP and a PM, it must adhere to the more stringent provisionsapplicable to either category.

    • Example: A DP with fewer than 1 lakh accounts but also acting as a Portfolio Manager overseeing assets above a certain threshold will need to meet the higher resilience standards mandated for PMs.

4. Why These Changes Matter

  • Risk Proportionality By scaling requirements to entity size and complexity, SEBI ensures that larger intermediaries—whose cyber-incidents could have systemic repercussions—maintain stronger defenses.
  • Consistency Across Roles Multi-category entities can no longer “pick and choose” lower standards; they must implement a single, unified set of controls aligned with their highest risk profile.
  • Enhanced Market Stability Stronger cybersecurity and resilience protocols among large brokers and systemically important intermediaries reduce the likelihood and potential impact of cyber disruptions on Indian capital markets.

5. Next Steps for Regulated Entities

  • Threshold Assessment

    1. Each stock broker should immediately verify its total active client count and annual trading volumes against the new thresholds.
    2. Other REs must identify whether any of their registrations carry more stringent requirements.
  • Framework Alignment
    1. QREs must review and, if needed, upgrade their cybersecurity policies, incident-response plans, and audit schedules to meet Tier-1 CSCRF standards.
    2. Standard REs should continue to comply with baseline requirements but prepare for periodic reviews.
  • Documentation & Reporting
    1. All REs should update their internal compliance manuals to reflect these clarifications.
    2. QREs must schedule external audits by SEBI-approved cybersecurity assessors and plan for more frequent submission of incident-reporting forms.

  • Timeline: These clarifications are effective immediately. SEBI expects entities to complete their threshold assessments and framework adjustments within the next 90 days and to furnish a status report by 30 July 2025.

By refining the CSCRF thresholds and ensuring that larger, systemically important intermediaries adhere to heightened cybersecurity norms, SEBI aims to bolster the resilience of India’s financial markets against evolving cyber threats.

Click Here To Read The Full Circular

Disclaimer: The content/information published on the website is only for general information of the user and shall not be construed as legal advice. While the Taxmann has exercised reasonable efforts to ensure the veracity of information/content published, Taxmann shall be under no liability in any manner whatsoever for incorrect information, if any.

Taxmann Publications has a dedicated in-house Research & Editorial Team. This team consists of a team of Chartered Accountants, Company Secretaries, and Lawyers. This team works under the guidance and supervision of editor-in-chief Mr Rakesh Bhargava.

The Research and Editorial Team is responsible for developing reliable and accurate content for the readers. The team follows the six-sigma approach to achieve the benchmark of zero error in its publications and research platforms. The team ensures that the following publication guidelines are thoroughly followed while developing the content:

  • The statutory material is obtained only from the authorized and reliable sources
  • All the latest developments in the judicial and legislative fields are covered
  • Prepare the analytical write-ups on current, controversial, and important issues to help the readers to understand the concept and its implications
  • Every content published by Taxmann is complete, accurate and lucid
  • All evidence-based statements are supported with proper reference to Section, Circular No., Notification No. or citations
  • The golden rules of grammar, style and consistency are thoroughly followed
  • Font and size that’s easy to read and remain consistent across all imprint and digital publications are applied

Leave a Reply

Your email address will not be published. Required fields are marked *

«
»

Everything on Tax and Corporate Laws of India

To subscribe to our weekly newsletter please log in/register on Taxmann.com

Author: Taxmann

Taxmann Publications has a dedicated in-house Research & Editorial Team. This team consists of a team of Chartered Accountants, Company Secretaries, and Lawyers. This team works under the guidance and supervision of editor-in-chief Mr Rakesh Bhargava.

The Research and Editorial Team is responsible for developing reliable and accurate content for the readers. The team follows the six-sigma approach to achieve the benchmark of zero error in its publications and research platforms. The team ensures that the following publication guidelines are thoroughly followed while developing the content:

  • The statutory material is obtained only from the authorized and reliable sources
  • All the latest developments in the judicial and legislative fields are covered
  • Prepare the analytical write-ups on current, controversial, and important issues to help the readers to understand the concept and its implications
  • Every content published by Taxmann is complete, accurate and lucid
  • All evidence-based statements are supported with proper reference to Section, Circular No., Notification No. or citations
  • The golden rules of grammar, style and consistency are thoroughly followed
  • Font and size that's easy to read and remain consistent across all imprint and digital publications are applied