BSEIndia
NOTICES
Notice No.: 20240916-2
Notice Date: 16 Sep 2024
Category: Compliance
Segment: General
Subject: Submission of VAPT report and/or Action taken report (ATR) / Compliance Report
Attachments: Annexure B.docx; Annexure C.pdf; Annexure A.docx
Content

This is with reference to SEBI Circular No. SEBI/HO/MIRSD/TPD/CIR/2022/80 dated June 07, 2022, SEBI Circular No. SEBI/HO/MIRSD/MIRSD-PoD-1/P/CIR/2023/24 dated February 06, 2023 and Exchange Notices 20220610-1 dated June 10, 2022, 20220919-2 dated September 19, 2022, 20221208-43 dated December 8, 2022, 20230207-3 dated February 07, 2023, 20230303-66 dated March 03, 2023, and 20230601-54 dated June 01, 2023, regarding submission of the VAPT report and/or VAPT compliance report through the BSE E-filing System (BEFS) portal by all members of the Exchange.

Trading Members are requested to conduct and complete the VAPT during the period September to November for FY 2024-25, in accordance with paragraph/clause 11 (identification of critical assets/applications) and clause 41 (VAPT) of the above-mentioned SEBI circular. The final report, after approval by the Technology Committee of the respective member, shall be submitted to the Stock Exchange through the BSE E-filing System (BEFS) portal within one month from the date of completion of the VAPT.

The VAPT report submission guidelines will be published separately in October 2024. 

In view of the above, all trading members shall carry out Vulnerability Assessment and Penetration Tests (VAPT) covering, inter alia, all critical applications (trading, back office and those used for related activities) and infrastructure components such as servers, networking systems, security devices and load balancers pertaining to the activities carried out as stockbrokers. The broad area/scope for conduct of the VAPT (not limited to the following) shall also include the following activities:

  1. Grey Box assessment of web applications, mobile applications, APIs, and thick client applications.
  2. Authenticated (wherever possible) Vulnerability Assessment of infrastructure (operating systems, databases & middleware, endpoint devices, network devices, security devices, cloud).
  3. External Penetration Testing of all public facing URLs/IPs.
  4. Review of network architecture of critical infrastructure.
  5. Firewall rule review.
  6. Configuration audit of infrastructure (operating systems, databases & middleware, endpoint devices, network devices, security devices, cloud security controls, Third-party integrations).
  7. Wireless penetration testing.

Further, the detailed scope of audit, findings and outcomes of these activities shall be provided in a comprehensive VAPT report along with a checklist of test cases indicating “FAIL” and “PASS” status for each.

The detailed VAPT report along with the summary report (as per the format specified in Annexure A), as a single document, shall be digitally signed by the CERT-In empanelled entity and submitted to the Exchange by December 31, 2024.

Further, as per para 44 of SEBI Circular No. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, as amended vide SEBI Circular No. SEBI/HO/MIRSD/TPD/P/CIR/2022/80 dated June 07, 2022, any gaps/vulnerabilities detected shall be remedied on an immediate basis, and compliance of closure of the findings identified during the VAPT shall be submitted to the Stock Exchanges within 3 months of the submission of the final VAPT report. For any open vulnerabilities reported in the submitted VAPT report, members are required to submit the ATR/Compliance Report for FY 2024-25, as per the format specified in Annexure B, along with a Closure report of all vulnerabilities closed, digitally signed by the CERT-In empanelled entity appointed by the member, by March 31, 2025, on the BSE E-filing System (BEFS) portal.

The submission shall be considered complete only if the detailed Closure report together with the ATR/Compliance report is uploaded as a single file on the BSE E-filing System (BEFS) portal.

The guidelines for submission of VAPT Compliance Report/Action Taken Report (ATR) shall be published separately in the month of October 2024.

In order to ensure strict adherence by Members to the prescribed framework applicable for VAPT/Compliance Report submission and timely closure of vulnerabilities, penalties/disciplinary actions have been prescribed vide BSE Notice No. 20230831-17 dated August 31, 2023, which shall be applicable for submissions of FY 2024-25 (including half-yearly submissions for Qualified Stock Brokers, “QSBs”) and onwards.

The details of penalties/disciplinary action are provided in Annexure-C.

All Members are advised to take note of the above and put in place adequate systems and procedures to ensure strict adherence to the compliance requirements.

In case of any clarifications, Members/Stockbrokers may contact the Exchange using the contact details provided below:

Contact         Contact No.        Email ID
BSE MSC Team    022 - 2272 8888    member(dot)vapt(at)bseindia(dot)com

For and on behalf of BSE Ltd.

Shri Devendra Kulkarni

Additional General Manager