MCX-SX Circular on - Cybersecurity & Cyber Resilience Audit of Trading Members

secmarkupdates

Nov 14, 2025, 5:41:48 AM
to UPDATES from SecMark
Date of Issue: 13-11-2025  
          
Issuer: MCX-SX

Cybersecurity & Cyber Resilience Audit of Trading Members

Highlights of MCX-SX Circular dated November-13-2025

This is with reference to SEBI Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, on ‘Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)’ and subsequent clarification circulars dated December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025, and Frequently Asked Questions (FAQ) dated June 11, 2025, issued by SEBI.

As per clause no. 4.4 (Cyber Audit) of the CSCRF circular dated August 20, 2024, the cyber audit shall cover 100% of the critical systems and 25% of non-critical systems chosen on a sample basis. The rationale for checking non-critical systems on a sample basis and the chosen sample size shall be explicitly mentioned in the audit report by the auditor. Further, as per clause no. 4.4.1 of the CSCRF circular dated August 20, 2024, REs shall ensure that no audit cycle is left unaudited (if any) due to a change in category at the beginning of the financial year. In all such cases, the unaudited period shall be included in the upcoming/next audit cycle.

For the implementation of CSCRF guidelines for Cyber Audit by REs, the following timelines have been prescribed, in consultation with SEBI, for the conduct and submission of the Cyber Audit Report on a half-yearly basis for trading members falling under Qualified REs and Mid-size REs/Small-size REs providing IBT or Algo Trading facility.

The timelines for Qualified REs and Mid-size REs/Small-size REs providing IBT or Algo Trading facility are given in the attached circular.

Further, many Trading Members/REs hold multiple registrations/licenses with SEBI for services such as Custody, AIF, RA/IA, PMS, Merchant Bankers etc., for which Exchanges are not the reporting authority. Hence, for compliance with the standards and guidelines published under the SEBI CSCRF circular dated August 20, 2024 and the subsequent clarification circulars issued by SEBI, Trading Members/REs shall categorize themselves as per the criteria laid down in the said circulars.

The categorization so determined by Trading Members/REs shall be reviewed and approved by the entity’s Board of Directors/Designated Director, or the Proprietor or Partner or technical advisory committee or relevant authority, as applicable, for each financial year. Additionally, during the course of the Cyber Audit under CSCRF, auditors shall verify/validate whether the categorization determined/provided by the trading member (RE) is in accordance with the SEBI CSCRF framework.

Submission of the Cyber Security and Cyber Resilience Audit Report shall be considered complete only after the trading member submits the report to the Exchange after providing management comments. Further, the auditor must provide the compliance status for each TOR item as Compliant/Non-Compliant/Not Applicable, and for any TOR item which is not applicable, the auditor is required to provide justification for the non-applicability of the said TOR.

The auditor selection norms and the guidelines to be adhered to by auditors for the conduct of the cyber audit as per the provisions of CSCRF have been given in Annexure A. Further, the detailed Terms of Reference (TOR) applicable for the Cyber Audit as per the CSCRF Framework have been given in Annexure B.

CERT-In has published Comprehensive Cyber Security Audit Policy Guidelines, which are intended to serve as a reference for empaneled auditing and auditee organizations. Accordingly, to ensure a consistent, effective and secure approach to Cyber Security Audits, as provided in the SEBI circular dated August 28, 2025, REs shall follow the Comprehensive Cyber Security Audit Policy Guidelines as published by CERT-In. The said CERT-In guidelines are available on the CERT-In website and at the following link: https://www.cert-in.org.in/

The cyber audit shall indicate, in the cyber audit report, the scope/perimeter of the coverage of the systems audited regarding the compliances checked, including (but not limited to) areas such as computer hardware, business applications, software, cyber governance, and linkage with vendor systems.

The updated formats of the Cyber Audit report, Executive Summary, Auditor Declaration, Scope of Audit, Methodology/Audit approach, Summary of findings, Control-wise compliance status of SEBI CSCRF and Conclusion of cyber audit have been enclosed as Annexure C.

The members are advised to submit the digitally signed soft copy of the Cyber Security & Cyber Resilience Audit Report in PDF format to the Exchange at compli...@msei.in, or members may also submit the signed physical copy of the report to the Exchange.

Please find enclosed the following Annexures applicable for the Cybersecurity & Cyber Resilience Audit of Trading Members:
  • Annexure A - Auditors Selection Norms & Guidelines to Auditors for Cyber Audit

  • Annexure B - Term of Reference (ToR) applicable for Cyber Audit as per CSCRF

  • Annexure C - Cyber Audit Report Format

  • Annexure D - Actions for Non-Compliance observed in periodic submissions by trading members related to Cyber Audit Report.

Trading Members are requested to refer to Annexure - 1.2 of Exchange Circular Ref No. MSE/INSP/17961/2025 dated October 10, 2025, on actions for non-compliance observed in periodic submissions by trading members related to Cyber Audit Report. The details of Penalties/disciplinary action(s)/charges have been provided in Annexure D.

All members are advised to take note of the above, bring the provisions of this circular to the notice of the auditors, and put in place adequate systems and procedures to ensure strict adherence to the compliance requirements.

Members are requested to take note of the above and comply. In case of any clarification or assistance required in the implementation of this circular, you may contact: Kaushik Jethwa at kau...@secmark.in and 9870210171.

MCX-SX Circuar_18141-Cybersecurity Audit.pdf