Description

BSE mandates a cyber security audit framework for trading members, with detailed Terms of Reference covering governance, CISO requirements, budget allocation, employee security protocols, and third-party due diligence, based on the CSCRF standards.

Summary

BSE has issued detailed Terms of Reference (TOR) for the mandatory Cyber Security and Cyber Resilience Audit of Trading Members. The TOR is based on the Cyber Security and Cyber Resilience Framework (CSCRF) standards and sets out requirements for governance, personnel, budgeting, and third-party management. The requirements are tiered by entity size (Qualified REs, Mid-size REs, Small-size REs).

Key Points

  • Designation of a Chief Information Security Officer (CISO) is mandatory for qualified and mid-size entities
  • The CISO must report directly to the MD & CEO and hold a position equivalent to the CTO/CIO
  • A separate budgetary allocation for cybersecurity is required, monitored by the Board/top management
  • Incident reporting procedures must be time-bound, as per SEBI/GoI guidelines
  • Employee security screening, training, and termination procedures are required
  • Due diligence and confidentiality agreements are mandatory for third-party service providers
  • Resources must be aligned with the cybersecurity strategy, risk, roles, and policies
  • Small-size entities must appoint a Designated Officer instead of a full CISO

Regulatory Changes

The circular implements structured cyber audit requirements through the following CSCRF standards:

  • CISO Requirements (GV.RR.S3): Qualified and mid-size REs must designate a senior CISO with sufficient qualifications, direct reporting to the MD & CEO, and authority under a Board-approved cybersecurity policy
  • Budget Allocation (GV.RR.S4): A separate budgetary head for cybersecurity spending, monitored by the Board
  • Resource Allocation (GV.RR.S5, GV.RR.S6): Adequate resources (budget, people, material) aligned with the strategy, with regular review cycles
  • Employee Security (GV.RR.S6): Due diligence, security training, employment agreements, and termination procedures
  • Third-Party Management (GV.RR.S6): Confidentiality agreements and due diligence for all service providers accessing IT systems
  • Policy Framework (GV.PO.S1, S2, S5): Multiple policy areas that the RE must formulate and implement

Compliance Requirements

For Qualified and Mid-Size Trading Members:

  1. Appoint a qualified CISO reporting to the MD & CEO at a level equivalent to the CTO/CIO
  2. Establish time-bound cybersecurity incident reporting procedures
  3. Allocate a separate budgetary head for cybersecurity within the IT budget, with Board monitoring
  4. Implement the employee security lifecycle: due diligence, onboarding training, regular training, termination procedures
  5. Execute confidentiality agreements with third-party service providers
  6. Conduct due diligence on all third parties accessing IT systems
  7. Define and regularly review resource allocation (budget, people, material)
  8. Formulate cybersecurity policies as per the GV.PO standards

For Small-Size Trading Members:

  1. Appoint a Designated Officer for cybersecurity (not a full CISO)
  2. Implement an incident reporting framework
  3. Most governance and policy requirements are exempted

Important Dates

No specific implementation dates are mentioned in the provided excerpt. Trading members should refer to the complete circular for compliance timelines.

Impact Assessment

Operational Impact: Trading members must establish formal cybersecurity governance structures, hire qualified personnel, allocate dedicated budgets, and implement audit-ready frameworks. This represents significant operational overhead, particularly for mid-size firms.

Financial Impact: The mandatory separate budget allocation for cybersecurity, with Board oversight, will increase IT spending. CISO-level appointments and third-party security assessments add personnel and consulting costs.

Compliance Impact: The tiered approach based on entity size keeps the compliance burden proportionate. Qualified and mid-size entities face comprehensive requirements, while small entities have reduced obligations. The audit framework provides clear checkpoints for verifying regulatory compliance.

Impact Justification

A mandatory cyber security audit framework affecting all trading members, with stringent governance and technical requirements for their cybersecurity posture.