BSE Circular on - Cyber Security & Cyber Resilience framework for Stock Brokers
secmarkupdates
Cracking your trading password can be easier than it appears.
Contact: 9869265949,9870210171, in...@secmark.in, kau...@secmark.in
Date of Issue: 22-4-2025
Issuer: BSE
Cyber Security & Cyber Resilience framework for
Stock Brokers
Highlights of BSE
Circular dated April-22-2025
Member’s attention is drawn to
SEBI circular no. CIR/MRD/DMS/34/2013 dated November 6, 2013; and
Exchange notice no. 20131107-6 dated November 7, 2013, on the Annual
System Audit of Stockbrokers / Trading members.
Accordingly, trading members are required to carry out system audit of their
trading facility for the period ended March 31, 2025, as per the applicability
criteria given below in Table 1:
Stockbrokers who are
using trading software provided by the Exchange (BOLT/BOLT PLUS) and/or
software provided by Exchange owned application Service Provider (ASP) shall
not be covered in the system audit.
Timelines for submission of System Audit Report is given below in Table
2:
Currently, as part of
system audit requirement auditor submits the compliance status of System audit
ToR along with the compliance of section/clause 4 related to algorithmic
trading for all Algo IDs used by trading members. Auditors will be provided
with Algo MIS Link under Auditor MIS Tab (BEFS Portal) which will be a
screen-based submission where a list of all the Registered Algo IDs of trading
members shall be provided for ease of reference. In case if any Algo ID is not
complying with 38 checks of Section 4, auditor shall provide the details of
non-compliant ToR point(s) along with their observations. The detailed ToR
applicable for system audit has been given in Annexure System
Audit_TOR_III.
Additionally, auditor will also be provided details of vendor/in-house
developed products & application being used and registered with Exchange by
trading member, through a separate link <Version Compliance Confirmation>
for which system auditor shall confirm whether the trading member has deployed
the latest version in live environment and provide its version number being
used for each product in last two columns through screen-based submission.
The system audit report can be submitted only after submission of “Algo MIS
Report” and “Version Confirmation Report”. Submission of system audit report
shall be considered complete only after the trading member submits the report
to the Exchange after providing management comments.
Further, the auditor shall provide compliance status for each TOR item as
Compliant/Non-Compliant/Not Applicable and in case of any TOR item which is not
applicable, auditor is required to provide justification for the
non-applicability of said TOR.
All Trading members are requested to take note that, for each non-compliance
reported by the auditor, trading members are required to submit corrective
action taken report as per the above-mentioned timelines. On review of details
of corrective action submitted by trading members, the auditor shall submit the
status of compliance as Compliant or Non-Compliant on BEFS portal.
Members may note that the above-mentioned reports are required to be submitted
only in electronic form through BEFS (BSE Electronic Filing System) – https://befs.bseindia.com.
The link for submission of System Audit Report will be made available
from April 30, 2025.
Trading members are requested to take note of the Exchange circular 20231005-54 dated October 05, 2023, regarding “Revised
Penalties/disciplinary action(s)/charges for System Audit Report & Cyber
Security and Cyber Resilience Audit Report related submissions”. The details of
Penalties/disciplinary action(s)/charges have been provided in Annexure
V.
Stockbrokers are requested to refer to the following documents while submitting
the system audit report.
- Auditor Selection Norms – Annexure I
- Audit Process – Annexure II
- Auditor User Manual for System Audit Report (SAR) – Annexure II
- Member User Manual for System Audit Report (SAR) – Annexure IV
- Penalty/disciplinary action for
Delay/Non-submission of Preliminary?Audit Report / Corrective Action Taken
R In accordance with SEBI circular no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03,
2018, SEBI/HO/MIRSD/DOP/CIR/P/2019/109 dated October
15, 2019, SEBI/HO/MIRSD /TPD/P/CIR/2022/80 dated June 07,
2022, SEBI/HO/MIRSD/TPD/P/CIR/2022/93 dated June 30,
2022 and Exchange circular no. 20190201-7 dated February 01, 2019, 20191022-27 dated October 22, 2019, 20220610-1 dated June 10, 2022 and 20220712-1 dated July 12, 2022 in relation to
Cyber Security & Cyber Resilience framework for Stock Brokers /
Depository Participant, trading members are required to conduct Cyber
Security and Cyber Resilience audit and submit the report to the
Exchange.
Reference is further drawn to para 5 of the said SEBI Circular dated October 15, 2019, wherein periodicity of audit for the purpose of compliance with Cyber Security and Cyber Resilience is defined. Accordingly, trading members are required to carry-out Cyber Security & Cyber Resilience Audit for the period ended March 31, 2025, as per the applicability criteria given below in Table 1:
Timelines for submission of Cyber Security & Cyber Resilience Audit Report for the period ended March 31, 2025, is given below in Table 2:
Stock Brokers may note that the above mentioned reports are required to
be submitted only in electronic form through BEFS (BSE Electronic Filing s) –
http://befs.bseindia.com
All Trading members are requested to take note that, for each non-compliance
reported by the auditor, trading members are required to submit corrective
action taken report as per above mentioned timelines. On review of details of
corrective action submitted by trading member, the auditor shall submit the
status of compliance as Compliant or Non-Compliant on BEFS.
Submission of Cyber Audit Report with Management comments shall be considered
complete only after Member submits the report to the Exchange and receives an
acknowledgment email. Saved reports/reports submitted by auditor will not be
considered as final submission. Further, auditor must provide compliance status
for each TOR item i.e., Compliant/Non-Compliant and Not Applicable and in case
of any TOR item which is not applicable, auditor is required to provide
justification for the non-applicability of said TOR.
The link for the submission of Cyber Security Audit report shall be available
from April 30, 2025
Trading members are requested to take note of the Exchange circular 20231005-54 dated October 05, 2023, regarding “Revised
Penalties/disciplinary action(s)/charges for System Audit Report & Cyber
Security and Cyber Resilience Audit Report related submissions”. The details of
Penalties/disciplinary action(s)/charges have been provided in Annexure V.
Stockbrokers/Trading Members are requested to refer to the following documents
while submitting the Cyber Security & Cyber Resilience Audit Report.
- Auditor Selection Norms – Annexure I
- Audit Process – Annexure II
- Auditor User Manual – Annexure III
- Member User Manual – Annexure IV
- Penalty/disciplinary action for Delay/Non-submission of Preliminary?Audit Report / Corrective Action Taken Report and non-Closure of observations – Annexure V
- Cyber Terms of Reference (TOR) - Annexure VI
- All Trading Members are advised to take note of the above and comply to avoid disincentives.
- report and non-Closure of observations – Annexure V
- Terms of Reference (TOR) for System Audit Report - II and III
All Trading Members are advised to take note of the above and comply to avoid disincentives.
In case of any clarification or assistance required in the implementation of this circular, you may contact
Kaushik Jethwa - kau...@secmark.in / 9870210171
Facing issues in day-to-day processes, feeling inadequate control over your business.
“DESIGN & IMPLEMENT STANDARD OPERATING PROCEDURES”