To All Members,
In accordance with SEBI circular no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, SEBI/HO/MIRSD/DOP/CIR/P/2019/109 dated October 15, 2019, SEBI/HO/MIRSD/TPD/P/CIR/2022/80 dated June 07, 2022 and SEBI/HO/MIRSD/TPD/P/CIR/2022/93 dated June 30, 2022 and Exchange circular no. 20191022-27 dated October 22, 2019 in relation to Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants, Stock Brokers who have used Algorithmic Trading facility (Type III brokers) to trade for the half year ended September 30, 2023, are required to conduct Cyber Security and Cyber Resilience Audit for the period April 01, 2023 to September 30, 2023.
The Trading Members are required to note the following:
Last Date for Submission

| Type of Trading Members | Preliminary Audit report | Corrective Action Report | Follow on Report |
| --- | --- | --- | --- |
| QSB & Non QSB | November 30, 2023 | February 28, 2024 | May 31, 2024 |

All Trading members are requested to take note that, for each non-compliance reported by the auditor, trading members are required to submit corrective action taken report as per above mentioned timelines. On review of details of corrective action submitted by trading member, the auditor shall submit the status of compliance as Compliant or Non-Compliant on BEFS. The process for submitting the details of corrective action taken by trading member through ATR and auditor’s confirmation on compliance status of ATR shall be provided through separate circular.
Further, based on audit findings and related risks, auditor should indicate if a follow-on audit is required to review the status of NCs (Non-Compliances). To ensure timely corrective actions are taken by the Trading members, follow-on audit, if any, shall be scheduled by the trading member as per above mentioned timelines.
Submission of Cyber Security and Cyber Resilience Audit shall be considered complete only after trading member submits the report to the Exchange after providing management comments. Further, the auditor must provide compliance status for each TOR item as Compliant/Non-Compliant/Not Applicable and in case of any TOR item which is not applicable, auditor is required to provide justification for the non-applicability of said TOR.
Trading members shall comply with any non-compliance/non-conformities (NCs) pending submissions for Cyber Security and Cyber Resilience Audit for the previous audit period by submitting ATR and/or Follow-on audit report through BEFS Portal.
Trading members are requested to take note of the Exchange circular 20231005-54 dated October 05, 2023, regarding “Revised Penalties/disciplinary action(s)/charges for System Audit Report & Cyber Security and Cyber Resilience Audit Report related submissions”.
The following penalty/disciplinary actions as provided in Table A would be initiated against the Trading Member for Delay/Non-submission of Preliminary Audit Report / Corrective Action Taken Report and Follow-on audit report.
Table A: Penalty/disciplinary action for Delay/Non-submission of Preliminary Audit Report / Corrective Action Taken Report/ Follow on audit report and non-Closure of observations

| Details of Violation | Period of violation | Penalty/disciplinary actions | Penalty/disciplinary action in case of repeated violation |
| --- | --- | --- | --- |
| Delay / Non-Submission of Preliminary audit / ATR / Follow-on audit report as recommended by the auditor in case of System audit report / cyber security and cyber resilience audit report. | From 1st day to 7th day: | Charges Rs. 1,500/- per day for Non QSB & Rs. 3,000/- per day for QSB from the due date till first 7 calendar days or submission of report, whichever is earlier. | In case of a repeat instance by the Member, levy of applicable monetary penalty along with an escalation of 50%. |
| | From 8th day to 21st day: | Charges of Rs. 2,500/- per day for Non QSB & Rs. 5,000/- per day for QSB from 8th calendar day after the due date to 21st calendar day or submission of report, whichever is earlier. | Levy of applicable monetary penalty along with an escalation of 50%. |
| | From 22nd day onwards: | In case of non-submission of report till 21st calendar days, new client registration shall be prohibited and notice of 7 calendar days for disablement of trading facility till submission of report, shall be issued. The disablement notice issued to the trading member will be shared with all the Exchanges for information. | |
| | After 28th day: | In case of non-submission of report by 28th calendar day, Trading member shall be disabled in all segments till submission of report. | |

Further, trading members are also required to submit closure status of all the non-Compliances reported in Cyber Security and Cyber Resilience Audit by submitting Corrective Action Taken Report (ATR) i.e., within 3 months from the due date of submission of Preliminary Audit Report. In order to ensure strict adherence for closure of non-Compliances within the prescribed timelines, following penalty as provided in Table - B shall be Applicable for each High/Medium/Low risk non-compliance, which has not been closed in ATR as per prescribed timelines.
Table – B

Applicable penalties for each High/Medium/Low risk non-closure of non-Compliances, which have not been closed in ATR (i.e., within prescribed timelines of submission of due date of preliminary audit report):

| Risk rating reported by auditor | Non QSB Trading Members | QSB Trading Members |
| --- | --- | --- |
| High Risk | 15,000 | 30,000 |
| Medium Risk | 7,500 | 15,000 |
| Low Risk | 2,500 | 5,000 |

- In case observations are not closed by trading members within three weeks from the due date for submission of Action Taken Report (ATR), new client registration to be prohibited and notice of 7 days for disablement of trading facility till closure of observation(s).
- The disablement notice issued to the trading member shall be shared with all the Exchanges for information. In case of non-closure of observation(s) within four weeks from the due date of submission of ATR, Trading member shall be disabled in all segments until closure of observation(s).

All Trading members are requested to take note that, for each non-compliance reported by auditor, trading members are required to submit corrective action taken report as per above mentioned timelines.
Submission of Cyber Security and Cyber Resilience Audit shall be considered complete only after trading member submits the report to the Exchange after providing management comments. Further, auditor must provide compliance status for each TOR item as Compliant/Non-Compliant and Not Applicable and in case of any TOR item which is not applicable, auditor is required to provide justification for the non-applicability of said TOR.
Trading members shall comply with any Non-Compliance pending for Cyber Security and Cyber Resilience Audit for the previous audit period by submitting ATR and/or Follow-on audit report as the case may be through BEFS.
Members may note that the above-mentioned reports are required to be submitted only in electronic form through BEFS (BSE Electronic Filing System) – https://befs.bseindia.com .
Please be informed that a separate notice shall be issued shortly regarding availability of BEFS for submission of Cyber Security and Cyber Resilience Audit for the period ended September 30, 2023.
Stockbrokers are requested to refer to the following guideline documents while submitting the Cyber Security and Cyber Resilience Audit.
- Auditor Selection Process – Annexure I
- Audit Process – Annexure II
- Terms of Reference (ToR) – III
It may be noted that submission of Cyber Security and Cyber Resilience Audit shall be considered complete only after Member submits the report to the Exchange and receives an acknowledgment email. Saved reports/reports submitted by auditor will not be considered as final submission to Exchange.
Members are requested to take note of the above and ensure compliance to avoid disincentives.
In case of any queries/clarifications, you may contact at the following numbers as mentioned in the table 2 below.
Table 2: Submission Related Contacts

| Purpose | Contact Nos. | Email ID |
| --- | --- | --- |
| Cyber Security and Cyber Resilience Audit XBRL related issues | 1800233 0445 | bse.xbrl(at)bseindia.com |
| Cyber Security and Cyber Resilience Audit Process related | 22725841/5842/8888 | bse.msc(at)bseindia.com |

For and on behalf of BSE Ltd.

| Shivkumar Pandey | Devendra Kulkarni |
| --- | --- |
| Group CISO | Additional General Manager |