In an effort to enhance cybersecurity and cyber resilience within India's financial markets, the Securities and Exchange Board of India (Sebi) has categorized registered entities (REs) into four distinct groups based on their size and risk levels. This new framework, introduced in August 2024, aims to ensure better protection against cyber threats by imposing varying obligations on different entities. The guidelines set forth clear classifications for stock brokers, depository participants, portfolio managers, and other financial market players, with an implementation deadline of June 30, 2025, and mandatory cyber audits starting from FY26.
Sebi's New Cybersecurity and Resilience Framework
The Securities and Exchange Board of India (Sebi) has introduced a significant cybersecurity and cyber resilience framework (CSCRF) aimed at strengthening the security infrastructure of financial market entities in India. Following its initial rollout in August 2024, the regulatory body has issued a new circular that clarifies the categorization of registered entities (REs), defines their respective obligations, and sets deadlines for compliance.
This framework, which was designed to combat growing cyber threats within the financial sector, divides registered entities into four main categories: Qualified REs, Mid-size REs, Small-size REs, and Self-certification REs. Each category has specific cybersecurity obligations, with the highest-risk entities facing the most stringent requirements. The classifications will remain fixed for each financial year, even if there are changes in an entity’s circumstances.
Categorizing Entities Based on Size and Risk
Sebi's categorization system is built on the size and risk level of entities within the financial market. For stock brokers, classification depends on the number of registered clients and annual trading volume. Those with more than 1 million clients or a turnover exceeding Rs. 10 lakh crore are classified as Qualified REs, the highest-risk category. Mid-size REs include brokers with over 100,000 clients or turnover above Rs. 1 lakh crore, while smaller brokers with fewer clients or lower turnover are categorized as small-size or self-certification REs, depending on their client base.
Additionally, other financial players, such as depository participants (DPs), investment advisers (IAs), research analysts (RAs), and portfolio managers, are also categorized based on their business operations or assets under management (AUM). DPs that are also stock brokers or banks must follow the higher category’s regulations. Similarly, investment advisers and research analysts who hold multiple roles under Sebi’s purview must adhere to the highest applicable category’s requirements.
Exemptions and Special Provisions
While Sebi has introduced clear guidelines for large and mid-size entities, several exemptions exist for smaller players. For example, stock brokers with fewer than 1,000 clients and a turnover below Rs. 1,000 crore are exempt from most of the cybersecurity requirements. Other entities with fewer than 100 clients, such as portfolio managers and registrars to an issue, are also exempt from certain provisions, including the mandatory implementation of a Security Operations Center (SOC).
The revised circular also highlights the critical role of KYC Registration Agencies (KRAs), which have been classified as Qualified REs due to their integral function within the financial infrastructure. This new classification emphasizes the importance of robust cybersecurity measures in protecting sensitive data throughout the registration and KYC processes.
Enhanced Security Measures for High-Risk Entities
For entities categorized as Qualified REs and Market Infrastructure Institutions (MIIs), Sebi mandates the implementation of advanced security systems such as Hardware Security Modules (HSM). These tools are essential for securing data and mitigating the risks associated with cyberattacks. Entities that fall under the mid-size, small-size, or self-certification categories are permitted to use alternative, less stringent security solutions, provided those solutions are approved through a board-approved risk assessment.
In terms of monitoring and enforcement, Sebi has assigned the Bombay Stock Exchange (BSE) to oversee CSCRF compliance for investment advisers and research analysts until 2029. Furthermore, entities are required to conduct annual cyber audits starting from FY26 to ensure their adherence to cybersecurity best practices and regulatory requirements.
Implementation Deadlines and Future Audits
Sebi has set a clear deadline of June 30, 2025, for all applicable entities to implement the provisions outlined in the latest CSCRF circular. As the regulatory body continues to work toward securing India’s financial markets from evolving cyber threats, entities must complete their compliance efforts well in advance of the final deadline.
This proactive approach to cybersecurity ensures that entities at varying levels of risk are appropriately equipped to protect both themselves and their clients from cyber threats. As part of its forward-looking strategy, Sebi will continue to monitor the effectiveness of this framework and may introduce further amendments as necessary to adapt to the rapidly changing landscape of digital security.
Conclusion: A Step Toward Secure Financial Markets
Sebi's introduction of the CSCRF marks a pivotal moment in the evolution of India’s financial markets, establishing a comprehensive cybersecurity framework that is tailored to the specific needs of different entities. By categorizing financial players based on their size, client base, and risk exposure, Sebi is creating a more secure and resilient market environment, reducing the likelihood of cyberattacks that could destabilize the financial ecosystem.
The phased implementation of these cybersecurity measures, accompanied by rigorous audits and compliance checks, will serve as a blueprint for other financial regulators globally. It reflects a growing recognition of the importance of cybersecurity in protecting not only financial institutions but also the integrity of the broader economic system. Through these efforts, Sebi is enhancing the trust and confidence of investors, regulators, and the public in India’s financial markets, laying the groundwork for a more secure future.