Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Description

SEBI clarifies parameters for determining registered clients and categorization of proprietary stockbrokers under the CSCRF framework.

Summary

BSE has issued clarifications regarding the implementation of SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities. The circular provides specific guidance on determining the number of registered clients and categorization criteria for proprietary stockbrokers/trading members.

Key Points

Registered clients count must be based on unique PAN, including both active and inactive status clients
Clients marked as ‘Closed’ in the UCC database should be excluded from the count
Trading members engaged in both clientele and proprietary trading may be categorized as proprietary if clientele trading is less than 10% of proprietary turnover
Classification period is based on financial year from April 1 to March 31

Regulatory Changes

The circular clarifies two key aspects of CSCRF implementation:

Modified definition for counting registered clients - now explicitly includes active and inactive clients based on unique PAN while excluding closed accounts
New threshold for proprietary trading classification - entities with clientele trading turnover less than 10% of proprietary trading turnover will be categorized as proprietary stockbrokers

Compliance Requirements

Research Analysts must note these clarifications and ensure compliance with CSCRF guidelines
Trading members must assess their trading turnover ratios to determine proper categorization
Entities must use unique PAN for client counting and exclude closed accounts from their calculations
Proper categorization must be maintained based on the specified financial year period

Important Dates

Current circular date: September 2, 2025
Financial year period for assessment: April 1 to March 31
References previous circulars dated: August 20, 2024; December 31, 2024; March 28, 2025; April 30, 2025; August 28, 2025
FAQ reference: June 11, 2025

Impact Assessment

These clarifications will primarily impact research analysts and trading members who need to accurately categorize themselves under the CSCRF framework. The 10% threshold for proprietary classification may allow some entities with minimal client business to avoid more stringent client-related cybersecurity requirements. The clarified client counting methodology ensures consistent implementation across all regulated entities.

Impact Justification

Important clarifications for CSCRF implementation affecting research analysts and trading members' compliance requirements

Category	Compliance
Circular ID	`9fa26c17c9b5411d`
Impact	Medium
Severity	Medium
Tags	cybersecurity compliance research-analysts stockbrokers trading-members cscrf
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink