Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Description

BSE clarifies implementation guidelines for CSCRF including client count determination and proprietary trading member categorization criteria

Summary

BSE has issued clarifications regarding the implementation of SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities. The clarifications address two key areas: the methodology for determining total registered clients and the categorization criteria for trading members engaged in both clientele and proprietary trading.

Key Points

Registered clients count should be based on Unique PAN including active and inactive status
Clients marked as ‘Closed’ in UCC database should be excluded from the count
Trading members with clientele turnover less than 10% of proprietary turnover will be categorized as proprietary stockbrokers
Clarifications issued in consultation with SEBI following multiple previous circulars and FAQs

Regulatory Changes

The circular clarifies two specific parameters for CSCRF implementation:

Client Count Determination: The parameter for registered clients shall be based on Unique PAN, including clients with status reported as Active and Inactive by trading members, while excluding clients marked as Closed in the UCC database.
Trading Member Categorization: Trading members engaged in both clientele and proprietary trading will be considered proprietary stockbrokers for CSCRF purposes if their clientele trading turnover is less than 10% of their proprietary trading turnover during the financial year (April 1 to March 31).

Compliance Requirements

Investment Advisors must implement the clarified guidelines for CSCRF compliance
Trading members must assess their trading turnover ratio to determine appropriate categorization
Entities must use the specified methodology for counting registered clients
All SEBI regulated entities must align their CSCRF implementation with these clarifications

Important Dates

Notice Date: September 2, 2025
Financial Year Period for Assessment: April 1 to March 31
References previous circulars dated: August 20, 2024, December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025
FAQ Reference: June 11, 2025

Impact Assessment

These clarifications will impact how regulated entities implement cybersecurity frameworks and may result in reclassification of some trading members from clientele to proprietary category based on turnover ratios. This could affect the applicable compliance requirements and cybersecurity standards for affected entities. Investment advisors and trading members must review their client counting methodology and trading turnover patterns to ensure proper categorization under the CSCRF guidelines.

Impact Justification

Important compliance clarifications for regulated entities but not market-moving

Category	Compliance
Circular ID	`6168326e3a81f532`
Impact	Medium
Severity	Medium
Tags	cybersecurity compliance investment-advisors trading-members CSCRF SEBI-regulations
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink