Description
BSE procedure for members to submit quarterly cyber incident reports through the BEFS portal within 15 days after quarter end, along with immediate incident reporting requirements within 6 hours.
Summary
BSE has issued detailed procedures for members to report cyber incidents through the BEFS portal. Members must submit quarterly cyber incident reports within 15 days after the end of each quarter, and immediately report cyber-attacks, threats, and breaches within 6 hours of receipt of such information. The circular provides step-by-step instructions for downloading CIR templates, filling required information, and uploading digitally signed reports.
Key Points
- Two types of cyber incident reporting: Quarterly and Immediate
- Quarterly reports due through the BEFS portal within 15 days after quarter end
- Immediate incident reporting required within 6 hours of cyber-attack/breach detection
- Designated Officer responsible for submitting all cyber incident reports
- Microsoft Excel 2007 or above required for CIR template
- Reports must be digitally signed by Designated Officer before submission
- System generates acknowledgement email to Compliance Officer and Designated Officer upon successful submission
- Members must report even if no cyber-attack/breach observed during the quarter
Regulatory Changes
No regulatory changes introduced. This circular provides operational procedures for existing cyber incident reporting requirements.
Compliance Requirements
Quarterly Incident Reporting:
- Access BEFS portal at https://befs.bseindia.com/Login.aspx using member credentials
- Download CIR template for relevant year and quarter
- Enable macros in the downloaded Excel template
- Fill details indicating “Yes” or “No” for cyber-attack/breach observed
- If “Yes”, provide detailed information across all sheets including incident details
- If “No”, provide Designated Officer details only
- Validate all sheets using “Validate” button
- Upload the validated Excel file, which is converted to PDF format
- Digitally sign the PDF file
- Submit digitally signed PDF through BEFS portal
- Retain acknowledgement email as proof of submission
Immediate Incident Reporting:
- Download Immediate Incident Reporting Template from BEFS portal
- Fill required data and validate all sheets
- Upload to BEFS portal within 6 hours of incident detection
- Ensure Designated Officer signs and submits the report
Important Dates
- December 31, 2025: Quarter end for Q4 2025
- January 15, 2026: Deadline for submitting Q4 2025 quarterly cyber incident report (within 15 days of quarter end)
- Ongoing: 6-hour deadline for immediate incident reporting from time of detection
Impact Assessment
Operational Impact: Medium impact on member operations. All BSE members must maintain cyber incident tracking mechanisms and ensure Designated Officers are trained on BEFS portal procedures. Members need to maintain digital signature infrastructure for report submission.
Compliance Impact: Mandatory compliance requirement for all BSE members. Non-submission within specified timelines may result in regulatory action. Members must ensure proper documentation of all cyber incidents throughout the quarter for accurate reporting.
Market Impact: Minimal direct market impact. This is a procedural compliance requirement aimed at enhancing cybersecurity monitoring and incident tracking across the exchange ecosystem. Improved incident reporting helps BSE maintain market integrity and identify systemic cyber threats.
Impact Justification
Procedural circular for mandatory quarterly cyber incident reporting by members. Medium impact as it affects operational compliance requirements for all BSE members regarding cybersecurity incidents.