Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Description

SEBI clarifications on determining registered client count and categorization of proprietary trading members under the CSCRF guidelines.

Summary

BSE has issued clarifications in consultation with SEBI regarding the implementation of the Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities. The circular provides specific guidance on determining the number of registered clients for categorization purposes and clarifies the treatment of trading members engaged in both clientele and proprietary trading.

Key Points

Registered clients should be counted based on Unique PAN including both active and inactive status
Clients marked as ‘Closed’ in UCC database should be excluded from the count
Trading members with clientele turnover less than 10% of proprietary turnover will be categorized as proprietary stockbrokers
References multiple SEBI circulars including the main CSCRF circular dated August 20, 2024 and subsequent clarifications

Regulatory Changes

The circular modifies the interpretation of ‘Number of total registered clients’ parameter as specified in Clause 2.1.1, Table 1 of SEBI Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60. The parameter now explicitly includes active and inactive clients based on Unique PAN while excluding closed accounts.

Compliance Requirements

Trading members must count registered clients using Unique PAN methodology
Include both active and inactive status clients in the count
Exclude clients marked as ‘Closed’ in the UCC database
Trading members engaged in both clientele and proprietary trading must assess their turnover ratio
If clientele trading turnover is less than 10% of proprietary turnover (April 1 to March 31), categorize as proprietary stockbroker for CSCRF purposes

Important Dates

Original CSCRF circular: August 20, 2024
Subsequent clarifications: December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025
FAQ issued: June 11, 2025
Current clarification: September 2, 2025
Financial year assessment period: April 1 to March 31

Impact Assessment

This clarification impacts all trading members and regulated entities implementing CSCRF guidelines. It provides crucial guidance for proper categorization which determines the applicable cybersecurity requirements. Trading members engaged in mixed business models (clientele and proprietary) can potentially benefit from simplified compliance if their clientele business is minimal (<10% of proprietary turnover).

Impact Justification

Important operational clarifications for trading members regarding CSCRF compliance categorization and client counting methodology

Category	Compliance
Circular ID	`586ff00a4fa7453c`
Impact	Medium
Severity	Medium
Tags	cybersecurity compliance trading-members proprietary-trading client-classification regulatory-framework
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink