Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities

Description

SEBI clarifies client count methodology and proprietary vs clientele trading categorization under the Cybersecurity Framework for regulated entities.

Summary

SEBI has issued clarifications regarding the implementation of the Cybersecurity and Cyber Resilience Framework (CSCRF) for regulated entities. The clarifications address two key areas: the methodology for counting registered clients for categorization purposes, and the criteria for determining whether trading members should be classified as proprietary or clientele-based for CSCRF applicability.

Key Points

Registered clients count must be based on Unique PAN, including both active and inactive clients
Closed clients (marked as closed in UCC database) are excluded from the count
Trading members with clientele turnover less than 10% of proprietary turnover are categorized as proprietary stockbrokers
References multiple SEBI circulars including the main framework from August 20, 2024 and subsequent clarifications

Regulatory Changes

The circular clarifies the interpretation of existing CSCRF regulations rather than introducing new requirements. The client counting methodology now explicitly includes both active and inactive clients based on Unique PAN, while excluding closed accounts. For mixed trading operations, a 10% threshold has been established to determine whether an entity should be classified as proprietary or clientele-based for CSCRF purposes.

Compliance Requirements

Trading members must recalculate their registered client count using the clarified methodology (Unique PAN basis, including active and inactive, excluding closed)
Entities engaged in both proprietary and clientele trading must assess their turnover ratio for the financial year (April 1 to March 31)
If clientele trading turnover is less than 10% of proprietary trading turnover, the entity must comply with CSCRF requirements as a proprietary stockbroker
All trading members must review their current categorization and adjust if necessary based on these clarifications

Important Dates

Financial year period for assessment: April 1 to March 31
Original CSCRF circular: August 20, 2024
Previous clarifications: December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025
FAQ issued: June 11, 2025
Current clarification: September 2, 2025

Impact Assessment

These clarifications will primarily impact trading members’ categorization under the CSCRF framework. Entities near the 10% threshold between proprietary and clientele trading may find themselves reclassified, potentially changing their compliance obligations. The clarified client counting methodology may also affect the tier classification of trading members, as the number of registered clients is a key parameter in determining applicable cybersecurity requirements. Trading members should reassess their position and ensure compliance with the appropriate tier of CSCRF requirements based on these clarifications.

Impact Justification

Important clarifications for cybersecurity compliance but affects categorization and reporting rather than immediate operational changes

Category	Compliance
Circular ID	`e2c3b6a510845217`
Impact	Medium
Severity	Medium
Tags	cybersecurity cscrf compliance sebi trading-members stockbrokers
Source	BSE
Links	PDF Document ↗ Original Source ↗ Permalink