SEBI’s 2025 Cybersecurity Mandate: What Regulated Entities Must Know Before June 30

In today’s digital financial landscape, cyber risks are not just a possibility—they're a certainty. Recognizing this, the Securities and Exchange Board of India (SEBI) has taken a bold step forward with its updated Cybersecurity and Cyber Resilience Framework (CSCRF).

Titled "Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)" and dated April 30, 2025, the circular introduces stricter and smarter cybersecurity expectations for a wide range of SEBI-regulated entities. The goal? To safeguard India's capital markets against growing cyber threats through compliance requirements tailored to the size and impact of each entity.

What’s New in SEBI’s 2025 Cybersecurity Circular?

Here are the most significant updates introduced in the April 2025 CSCRF circular:

  1. New Four-Level Entity Classification System

    SEBI has introduced a risk-based approach by categorizing all regulated entities into four types:

    • Qualified REs: Large entities with major operations and responsibilities
    • Mid-size REs: Moderate-scale participants
    • Small-size REs: Lower operational footprint
    • Self-certification REs: Low-risk entities with limited data exposure

    The classification depends on metrics like:

    • Number of registered clients
    • Annual trading volume
    • AUM (Assets Under Management)
    • Total corpus of AIF/VCF managers

    Each category has different cybersecurity requirements, allowing for better risk alignment.

  2. Mandate on Market-SOC & HSM Integration

    • Qualified REs and MIIs must integrate with the Market Security Operations Center (M-SOC) for 24x7 cyber monitoring.
    • They must also use Hardware Security Modules (HSMs) for cloud key management.
    • Other REs can choose HSM alternatives if justified by a risk assessment approved by top leadership.

  3. Compliance Timeline You Can’t Ignore

    • Last date to implement CSCRF is June 30, 2025
    • Cybersecurity audits under the new rules begin FY 2025–26

    Failing to comply can lead to regulatory action and reputational loss.

Who Must Comply and What They Need to Do

  1. Stock Brokers
    • Categorized based on either number of clients or annual trading volume.
    • Brokers with fewer than 1,000 clients and less than ₹1,000 turnover are exempt.
  2. Depository Participants (DPs)
    • Categorized based on their primary function (e.g., stockbroker or bank).
    • DPs with <100 clients do not need SOC services.
  3. Portfolio Managers
    • Classified by AUM: over ₹3,000 Cr = Mid-size RE; below ₹3,000 Cr = Self-certification RE
    • Fewer than 100 clients? Exempt from the M-SOC requirement.
  4. Alternate Investment Funds (AIFs) & Venture Capital Funds (VCFs)
    • Classification now applies to fund managers, not individual funds.
    • Total corpus of AIF and VCF schemes combined is considered.
  5. Merchant Bankers
    • Those handling IPOs, buybacks, or open offers = Mid-size REs
    • Others = Small-size REs
  6. Investment Advisers (IAs) & Research Analysts (RAs)
    • If not registered in any other capacity, they are exempt.
    • BSE Ltd. will now supervise their cybersecurity compliance for 5 years.
  7. What Does Compliance Involve?
    • Implementing 24x7 Security Operations Centers (SOCs)
    • Annual cybersecurity audits
    • Data encryption via Hardware Security Modules (HSMs)
    • Cloud adoption in line with SEBI’s prescribed framework

Who is Exempt?

SEBI has relaxed requirements for:

  • Stock brokers with fewer than 1,000 clients & less than ₹1,000 turnover
  • Portfolio managers or RTAs with <100 clients
  • IAs/RAs not registered in other SEBI categories

These entities can follow a self-certification model, reducing their compliance burden.

What Should REs Do Now?

SEBI has made one thing very clear: cybersecurity is no longer optional. Delaying compliance until the deadline will strain internal resources and increase the risk of penalties or audit failures.

  • Classify your organization using the circular’s thresholds.
  • Perform a cyber risk assessment and decide on HSM alternatives if applicable.
  • Onboard to Market-SOC if mandated.
  • Implement SEBI’s Cloud Security Framework.
  • Prepare for cyber audit from FY 2025–26.

Conclusion

Cybersecurity isn’t just about compliance—it’s about trust. Delaying until the last minute can lead to rushed decisions, compliance failures, or worse, cyber incidents.

Engage a CERT-In empanelled cybersecurity firm like DigiFortex to streamline your compliance journey with CSCRF.