Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Description

BSE clarifies client calculation methodology and proprietary trading categorization under SEBI's Cybersecurity Framework for regulated entities.

Summary

BSE has issued clarifications on SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) implementation for regulated entities. The circular provides specific guidance on determining registered client counts based on Unique PAN and categorization criteria for trading members engaged in both proprietary and clientele trading activities.

Key Points

Registered clients must be counted based on Unique PAN including both active and inactive status
Clients marked as ‘Closed’ in UCC database should be excluded from the count
Trading members with clientele turnover less than 10% of proprietary turnover will be categorized as proprietary stockbrokers
References multiple SEBI circulars and FAQs issued between August 2024 and August 2025

Regulatory Changes

The circular clarifies the interpretation of existing SEBI CSCRF guidelines rather than introducing new regulations. Key clarifications include:

Modified definition for counting total registered clients - now explicitly based on Unique PAN with specific inclusion/exclusion criteria
Introduction of 10% threshold for determining proprietary vs clientele trading member categorization

Compliance Requirements

Trading members must recalculate their registered client count using Unique PAN methodology
Include clients with active and inactive status in the count
Exclude clients marked as ‘Closed’ in the UCC database
Trading members engaged in both proprietary and clientele trading must assess their turnover ratio
If clientele trading is less than 10% of proprietary trading turnover (April 1 to March 31), they should categorize themselves as proprietary stockbrokers for CSCRF applicability

Important Dates

Financial year period for turnover calculation: April 1 to March 31
Original SEBI CSCRF circular: August 20, 2024
Latest clarification circular: August 28, 2025
Current BSE clarification: September 2, 2025

Impact Assessment

This clarification primarily affects Research Analysts and trading members who need to determine their CSCRF compliance category. The 10% threshold rule may result in some trading members being reclassified as proprietary traders, potentially changing their compliance obligations under the cybersecurity framework. The Unique PAN-based client counting methodology provides clearer guidance for determining entity size and applicable compliance requirements.

Impact Justification

Important compliance clarifications for SEBI regulated entities regarding cybersecurity framework implementation, affecting client categorization and trading member classification

Category	Compliance
Circular ID	`0b0152c17767c7fc`
Impact	Medium
Severity	Medium
Tags	cybersecurity compliance sebi research-analysts trading-members cscrf
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink