SEBI’s New Cybersecurity Circular: What Regulated Entities Need to Know (April 30, 2025)
The Securities and Exchange Board of India (SEBI) has issued a critical update to its Cybersecurity and Cyber Resilience Framework (CSCRF) via circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/60, dated April 30, 2025. This circular redefines cybersecurity compliance for SEBI-regulated entities (REs) based on risk, size, and operational exposure.
Whether you are a Stock Broker, Portfolio Manager, AIF Manager, Merchant Banker, or KRA — this is your roadmap to compliance.
What’s New?
Tier-based classification: Qualified, Mid-size, Small-size, Self-certification REs
Expanded exemptions for small REs (e.g., <100 clients for DPs, PMs, AIFs)
HSM mandatory for Qualified REs & MIIs; board-approved software HSM allowed for others
BSE Ltd. assigned as CSCRF reporting authority for IAs and RAs (2024–2029)
CSCRF follows a risk-based, scalable implementation model
RE classification remains fixed for entire FY
Reporting authorities will validate submissions and thresholds
SEBI may revise thresholds periodically
Legal basis: Section 11(1) of SEBI Act, 1992
Builds on prior circulars: Aug 2024, Dec 2024, Mar 2025
Categorization Table
| Entity Type | Exempted If | Qualified RE | Mid-size RE | Small-size RE | Self-certification RE |
| --- | --- | --- | --- | --- | --- |
| Stockbrokers | <1,000 clients & <₹1,000 Cr volume | >10L clients or >₹10L Cr | 1–10L clients or ₹1L–10L Cr | 10K–1L clients or ₹10K–1L Cr | 1K–10K clients or ₹1K–10K Cr |
| Depository Participants | <100 clients | Non-broker DPs auto-Qualified | As per broker rules | — | — |
| Investment Advisers | Solely IA | Dually registered → highest category | — | — | — |
| Research Analysts | Solely RA | Dually registered → highest category | — | — | — |
| KRAs | — | All KRAs | — | — | — |
| Portfolio Managers | <₹3,000 Cr AUM & <100 clients | — | >₹3,000 Cr AUM | — | ≤₹3,000 Cr AUM |
| AIFs/VCFs | ≤₹3,000 Cr corpus & <100 clients | — | ≥₹10,000 Cr corpus | ₹3,000–10,000 Cr | ≤₹3,000 Cr corpus |
| Merchant Bankers | — | — | IPOs, buybacks, delistings | Other MBs | — |
| RTAs | <100 clients | — | — | — | — |
Note: If you’re registered under multiple categories (e.g., Stock Broker + IA + MB), you must follow the highest applicable category (Circular Point 4).
Key Security Concepts
- SOC: Security Operations Center
- M-SOC: Market-wide SOC designated by SEBI
- HSM: Hardware Security Module for cryptographic key protection
- WAF (Web Application Firewall): Filters, monitors, and blocks HTTP traffic to and from a web application to prevent attacks.
- API Security: Protects APIs from abuse, misuse, or attack by enforcing access control and monitoring traffic.
- VAPT: Vulnerability Assessment and Penetration Testing
- EDR: Endpoint Detection and Response
Practical Examples
- Stock Broker: 50,000 clients, ₹50,000 Cr volume → Small-size RE
- AIF Manager: ₹2,500 Cr corpus, <100 clients → Self-certification RE
- Merchant Banker: Managing IPOs and delistings → Mid-size RE
- Portfolio Manager: ₹2,000 Cr AUM, 80 clients → Self-certification RE, exempt from M-SOC but must implement baseline controls
Decision Tree: Determine Your Category
- Solely IA or RA? → Exempt
- DP/RTA with <100 clients? → Exempt
- Stock Broker <1,000 clients & <₹1,000 Cr turnover? → Exempt
- Portfolio Manager or AIF with <100 clients & <₹3,000 Cr? → Self-certification
- Else → Categorize based on thresholds above
Final Compliance Checklist
Flowchart: 7 Steps to Compliance
- Review FY24–25 client, AUM, corpus, and volume data
- Match against category thresholds
- Check for exemptions
- Implement required cybersecurity controls
- Address constraints (outsource if needed)
- Prepare for FY25–26 audit readiness
- Submit by June 30, 2025
Compliance Timeline (Updated for May–June 2025)
- May 1–10: Gap assessment
- May 11–31: Control implementation (IAM, VAPT, SOC)
- June 1–15: Audit documentation and testing
- June 30: Submission deadline
Submission Details
Submit compliance reports via SEBI’s compliance portal or to your reporting authority (e.g., BSE Ltd. for IAs and RAs). Use their templates and follow their guidance on review frequency and format. (Circular Point 2)
Cybersecurity Controls Matrix
| Control | SEBI Requirement | Expert Guidance |
| --- | --- | --- |
| HSM | Mandatory for Qualified REs & MIIs (Point 5) | Use software HSM if board-approved (lower REs) |
| SOC / M-SOC | Mandatory for REs except <100 clients | Join M-SOC where available |
| WAF / API Security | Required if web/API in use | Deploy on all internet-facing platforms — including website, investor login portals, APIs, and onboarding tools |
| IAM / MFA | Mandatory | Use role-based access and MFA everywhere |
| Security Awareness | Mandatory | Include phishing simulations |
| Incident Response | Mandatory | Simulate response drills annually |
| VAPT | Annual (Qualified); Biennial (Lower risk) | Use tools; document and justify any delays |
| EDR | Not required | Strongly recommended for endpoint-heavy orgs |
| DLP | Risk-based | Apply for client data monitoring |
| BCP / DR | Mandatory | Run mock recovery tests |
| Cloud Security | As per SEBI Cloud Framework (Annexure-J) | Align with ISO 27017 / NIST 800-144 |
SEBI’s Ecosystem Mandate
- BSE Ltd. – Reporting authority for IAs and RAs (2024–2029)
- Exchanges/Depositories – Must update bylaws and publish circulars
- Industry Bodies (e.g., APMI) – May provide templates, training, and webinars
Frequently Asked Questions
Q1: Do I need an HSM if I’m a Portfolio Manager?
Only if you're Qualified; otherwise, use a board-approved alternative (Point 5)
Q2: My RE grew mid-year. Do I reclassify?
No. Category remains constant through FY (Point 2)
Q3: Can I use open-source tools?
Yes — acceptable for smaller REs
Q4: What if I can’t implement everything in time?
Prioritize IAM, WAF, API Security, VAPT, SOC; document risk, outsource where needed
For additional FAQs, check www.sebi.gov.in for updates.
Industry Context
SEBI’s circular is a response to increased cyber incidents across Indian capital markets, including ransomware, API abuse, and phishing attacks. CSCRF 2025 promotes a scalable, trust-centric approach to digital market resilience.
Compliance Calendar: Where CSCRF Fits
- April 30, 2025: Circular issued
- May–June 2025: CSCRF implementation and submission
- July 2025: Begin audit preparation for FY 2025–26
- August 2025 onward: Annual review cycles expected
- Ongoing: Other filings (e.g., AIF half-yearly reports, Portfolio Manager quarterly disclosures)
Final Thoughts
This circular is a key milestone in SEBI’s shift to risk-aligned, proportionate regulation. For REs, it’s more than a checklist — it’s a call to embed cybersecurity into your operating DNA.
- Use the NIST Cybersecurity Framework or ISO 27001
- Small REs: Consider SOC-as-a-Service or phased rollout
- Tools to consider: Review industry security tools and evaluate which solutions your category requires
Actionable Next Steps
- Review your RE category and exemption status
- Start gap assessments and board approvals immediately
- Engage your IT and compliance teams
- Join industry cybersecurity working groups (e.g., APMI, BSE forums)
- Bookmark sebi.gov.in for updates
Entities seeking WAF or API security implementation may explore trusted solutions like SiteWALL (www.sitewall.net), which offer regulatory-aligned protection for public-facing systems. (Ensure risk-based configuration and SEBI CSCRF mapping.)