This is with reference to SEBI Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, on ‘Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)’, the subsequent clarification circulars dated December 31, 2024, March 28, 2025, April 30, 2025 and August 28, 2025, the Frequently Asked Questions (FAQ) dated June 11, 2025 issued by SEBI, and Exchange Circular MSE/INSP/17876/2025 dated September 29, 2025, on ‘Submission of VAPT Report for the FY 2025-26’.
As per point no. 4.3.2 of the CSCRF circular dated August 20, 2024, REs/trading members shall plan their VAPT activity at the beginning of each financial year. REs/trading members shall ensure that no audit cycle is left unaudited due to a change in categorization. In all such cases, the unaudited period shall be included in the upcoming/next audit cycle.
For the implementation of the CSCRF guidelines on VAPT audit by REs, the following timelines have been prescribed, in consultation with SEBI, for the conduct and submission of the VAPT Report by trading members falling under Self-certification REs, Small-size REs, Mid-size REs and Qualified REs (not categorized as QSBs):
Note: VAPT activity shall be initiated by the REs after the Financial Year (April 2025 – March 2026).
Further, there shall be no change in the timelines for the conduct and submission of the VAPT report for trading members categorised as QSBs and for REs whose systems have been identified as ‘Protected systems’ and/or CII by NCIIPC. The submission timelines are as follows:
The comprehensive scope of VAPT shall include all critical assets and infrastructure components, including (but not limited to) networking systems, security devices, servers, databases, applications, systems accessible through WAN and LAN as well as those with public IPs, websites, etc. The detailed scope of VAPT and the testing methodologies for the conduct of VAPT activity (half-yearly/yearly) shall be in accordance with Annexure – L of the SEBI CSCRF circular dated August 20, 2024, which is enclosed as Annexure–1.
The updated formats of the VAPT Audit Report/Summary, the Declaration from REs and Auditor, and the Assessment Details, in accordance with SEBI CSCRF, have been enclosed as Annexure–2. Further, as per SEBI Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119 dated August 28, 2025, on Technical Clarifications to CSCRF for SEBI Regulated Entities (REs), REs/trading members shall NOT submit details of explicit vulnerabilities (the detailed report) unless otherwise asked for such details by SEBI/Exchanges.
However, Trading Members/REs are required to maintain records of the detailed VAPT report as per the format provided in Point 7 of Annexure-A of SEBI Circular No. SEBI/HO/ITD1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, and to retain the VAPT report records along with the POCs for a minimum period of three years. The detailed report shall be submitted by REs/trading members as and when sought by SEBI/Exchanges.
For the conduct of VAPT and the appointment of the auditor/auditing organization, REs/Trading Members are required to refer to the auditor selection norms provided in Annexure-3, which are in accordance with the norms specified in SEBI Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024.
Further, trading members and their appointed auditors are requested to take note of SEBI Circular No. HO/13/19/12(1)2026-ITD-1_CIMGI/10873/2026 dated May 05, 2026, on “Advisory on Emerging Advanced Artificial Intelligence (AI) Tools for Vulnerability Detection”.
Trading members are requested to take note of Annexure 1.2 of Exchange Circular No. MSE/INSP/18897/2026 dated April 17, 2026, regarding actions for non-compliances observed in periodic submissions made by Trading Members/REs in relation to the submission of the VAPT Report. The details of the financial disincentive(s)/penalties/disciplinary action(s) have been provided in Annexure-4.
Members are requested to submit their reports to compliancemsx@mse.co.in.
All members are advised to take note of the above, bring the provisions of this circular to the notice of their auditors, and put in place adequate systems and procedures to ensure strict adherence to the compliance requirements.