Member’s attention is drawn to SEBI circular no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, SEBI/HO/MIRSD/DOP/CIR/P/2019/109 dated October 15, 2019 and Exchange circular no. 20191022-27 dated October 22, 2019, in relation to Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants and Exchange notice no. 20230331-68 dated March 31, 2023, on Revised and Standardized “Terms Of Reference” for “Cyber Security and Cyber Resilience Audit report” of Stock Brokers / Trading Members across Exchanges.
Reference is further drawn to the para 5 of the said SEBI Circular dated October 15, 2019, wherein periodicity of audit for the purpose of compliance with Cyber Security and Cyber Resilience is defined. Accordingly, trading members are required to carry-out Cyber Security & Cyber Resilience Audit for the period ended March 31, 2023, as per the applicability criteria given below in Table 1:
|
Table 1: Categorization of member and periodicity of Cyber Audit
|
|
Sr. No
|
Type of stockbroker as specified in SEBI circular CIR/MRD/DMS/34/2013 dated November 06, 2013
|
Periodicity
|
|
1
|
Type I
Member using trading software provided by the Exchange (TWS) and software provided by Application Service Provider (ASP)
|
Annual
|
|
2
|
Type II
Members using CTCL Facility
|
Annual
|
|
3
|
Type III
All Members using Algorithmic Trading Facility (ATF)/Algo Facility
|
Half-yearly
|
Timelines for submission of Cyber Security & Cyber Resilience Audit Report for the period ended March 31, 2023, is given below in Table 2:
|
Table 2: Report Submission Timelines
|
|
Audit Period
|
Due Date for Submission
|
|
Preliminary Audit Report submission
|
Corrective Action Report (If Applicable)
|
Follow on Audit Report (If Applicable)
|
|
Half Yearly
(October 2022 - March 2023)
|
June 30, 2023
|
September 30, 2023
|
December 31, 2023
|
|
Yearly Submission
(April 2022 - March 2023)
|
June 30, 2023
|
September 30, 2023
|
December 31, 2023
|
Stock Brokers may note that the above mentioned reports are required to be submitted only in electronic form through BEFS (BSE Electronic Filing System) – http://befs.bseindia.com
Trading members are requested to take note that, for each non-compliance reported by auditor, trading members are required to submit corrective action taken report as per above mentioned timelines. Further, based on audit findings and related risks it should indicate if a follow-on audit is required to review the status of NCs (non-compliances). To ensure that the timely corrective actions are taken by the Trading members, follow-on audit, if any, shall be scheduled by the trading member as per above mentioned timelines.
Submission of Cyber Audit Report with Management comments shall be considered complete only after Member submits the report to the Exchange and receives an acknowledgment email. Saved reports/reports submitted by auditor will not be considered as final submission. Further, auditor must provide compliance status for each TOR item i.e., Compliant/Non-Compliant and Not Applicable and in case of any TOR item which is not applicable, auditor is required to provide justification for the non-applicability of said TOR.
The actions for late/non-submission of the Cyber Security & Cyber Resilience Audit Report shall be applicable as per Table 3 below:
|
Table 3: Penalty/Disciplinary Actions
|
|
Sr. No
|
Particulars
|
Action
|
|
1
|
Submission within 1 month from the end of due date of submission.
|
Penalty of Rs. 200/- per day
|
|
2
|
Submission after 1 month but within 3 months from the end of the due date for submission.
|
Penalty of Rs. 500/- per day
|
|
3
|
Non-Submission within 3 months from the end of due date for submission.
|
Disablement of trading facility across segments after giving 2 weeks’ notice.
Disablement notice issued to the member shall be shared with all the Exchanges for information.
Member will be enabled only after submission of cyber-Security & Cyber Resilience Audit Report
|
|
4
|
Any change or additions in the above would be communicated through a separate notice
|
Stockbrokers/Trading Members are requested to refer to the following documents while submitting the Cyber Security & Cyber Resilience Audit Report.
- Auditor Selection Norms – Annexure I
- Audit Process – Annexure II
- Auditor User Manual – Annexure III
- Member User Manual – Annexure IV
- Cyber Terms of Reference (TOR) - Annexure V
Stockbrokers/Trading Members are requested to take note of the above and ensure compliance to avoid disincentives.
In case of any queries/clarifications, you may contact us on the below numbers in Table 4.
|
Table 4: Contact Details
|
|
Sr. No
|
Purpose
|
Contact Nos.
|
Email ID
|
|
1
|
Cyber Security Audit XBRL related issues
|
1800233 0445
|
bse.auditreport(at)bseindia.com
|
|
2
|
CSAR Process related
|
22725841/5842/8888
|
bse.msc(at)bseindia.com
|
For and on behalf of BSE Ltd.
Devendra Kulkarni Shivkumar Pandey
Additional General Manager Chief Information Security Officer |