Description

BSE circular outlining Terms of Reference (TOR) for mandatory cyber security audits of trading members, including governance requirements, CISO designation, budget allocation, employee screening, and third-party due diligence.

Summary

BSE has issued detailed Terms of Reference (TOR) for cyber security and cyber resilience audits applicable to trading members. The circular establishes comprehensive cybersecurity governance requirements based on the Cyber Security and Cyber Resilience Framework (CSCRF), including mandatory designation of Chief Information Security Officer (CISO), budget allocation, employee screening procedures, and third-party service provider management.

Key Points

  • Trading members must designate a senior official as Chief Information Security Officer (CISO) reporting directly to MD & CEO
  • CISO must possess sufficient qualifications and capabilities, with standing equivalent to CTO/CIO level
  • Adequate percentage of total IT budget must be allocated to cybersecurity under separate budgetary head
  • Time-bound reporting procedures required for cybersecurity incidents to CISO or senior management
  • All employees must undergo security screening, proper onboarding training, and regular security training
  • Confidentiality and integrity agreements mandatory with third-party service providers
  • Due diligence required for all third-party service providers accessing IT systems
  • Requirements vary by organization size: Qualified REs, Mid-size, and Small-size entities

Regulatory Changes

The circular introduces a structured cybersecurity governance framework built on specific CSCRF standards:

  • GV.RR.S3: CISO designation and reporting structure requirements
  • GV.RR.S4: IT budget allocation for cybersecurity
  • GV.RR.S5 & GV.RR.S6: Resource allocation and employee screening procedures
  • GV.PO.S1, S2, S5: Policy formulation requirements (multiple sub-sections)

Compliance requirements are differentiated by organization classification: each standard is marked as applicable or not (Yes/No) separately for Qualified REs, Mid-size, and Small-size trading members.

Compliance Requirements

Governance Structure:

  • Appoint a qualified CISO reporting directly to the MD & CEO (or, for smaller entities, to a Designated Officer)
  • Establish cybersecurity and cyber resilience policy approved by Board/Partners/Proprietor
  • Implement incident reporting procedures complying with SEBI/GoI guidelines

Budget and Resources:

  • Allocate adequate percentage of IT budget specifically for cybersecurity
  • Maintain a separate budgetary head for cybersecurity so the Board/management can monitor the spend
  • Regularly revisit resourcing based on implementation progress

Human Resources:

  • Conduct due diligence and screening for all new hires
  • Provide mandatory security training during onboarding and regularly thereafter
  • Follow proper employment policies, agreements, and termination procedures
  • Ensure confidentiality through appropriate employment agreements

Third-Party Management:

  • Execute confidentiality and integrity agreements with all third-party service providers
  • Conduct thorough due diligence before granting IT system access
  • Monitor third-party compliance with security requirements

Important Dates

No specific deadlines are mentioned in the provided content. Trading members should refer to the complete circular for implementation timelines and compliance dates.

Impact Assessment

Operational Impact:

  • High compliance burden on trading members requiring organizational restructuring
  • Significant investment needed in cybersecurity infrastructure and personnel
  • Enhanced security protocols will require process modifications across departments

Financial Impact:

  • Mandatory budget allocation for cybersecurity may increase operational costs
  • Investment required in CISO-level positions and qualified security personnel
  • Additional expenses for third-party audits and due diligence processes

Market Impact:

  • Strengthened cybersecurity posture across trading ecosystem reduces systemic risk
  • Improved investor confidence through enhanced protection of trading infrastructure
  • Potential competitive advantage for well-prepared trading members
  • Smaller trading members may face proportionally higher compliance costs

Risk Mitigation:

  • Standardized cybersecurity framework reduces vulnerability to cyber attacks
  • Clear governance structure improves incident response capabilities
  • Third-party oversight minimizes supply chain security risks
  • Regular training reduces human error and social engineering risks

Impact Justification

The circular imposes mandatory cyber security audit requirements on all trading members, together with comprehensive governance and compliance obligations. Severity is assessed as high because the requirements are regulatorily enforced and protect critical market infrastructure.