Description
BSE mandates Trading Members to conduct and submit Cyber Security and Cyber Resilience Audit Reports as per SEBI CSCRF guidelines, with preliminary audit reports due June 30, 2026 and corrective action reports due September 30, 2026.
Summary
BSE has issued a notice to all Trading Members regarding the conduct and submission of Cyber Security and Cyber Resilience Audit Reports in accordance with SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) circular dated August 20, 2024, and subsequent clarifications. Trading Members are required to complete cyber audits covering 100% of critical systems and 25% of non-critical systems, and to submit reports on a half-yearly or yearly basis depending on their category.
Key Points
- Cyber audits must cover 100% of critical systems and 25% of non-critical systems (sample basis), with auditors explicitly documenting the rationale and sample size.
- No audit cycle shall be left unaudited due to category changes at the beginning of a financial year; unaudited periods must be included in the current audit cycle.
- Audit reports must include the compliance status for each Terms of Reference (TOR) item as Compliant/Non-Compliant/Not Applicable, with justification wherever an item is marked Not Applicable.
- Trading Members holding multiple SEBI registrations (Custody, AIF, RA/IA, PMS, Merchant Bankers, etc.) must self-categorize as per CSCRF criteria.
- Categorization must be reviewed and approved by the Board of Directors, Designated Director, Proprietor, Partner, or technical advisory committee annually.
- Auditors must verify and validate the categorization provided by the trading member during the cyber audit.
- Submission is considered complete only after the trading member submits the report with management comments.
- CERT-In empanelled auditing organizations must be selected, with members advised to assess auditor capacity.
- Detailed auditor selection norms are in Annexure A; Terms of Reference (TOR) for Cyber Audit are in Annexure B.
Regulatory Changes
This notice operationalizes the SEBI CSCRF circular (SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113) dated August 20, 2024, along with subsequent clarification circulars dated December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025, and FAQs dated June 11, 2025. BSE has prescribed specific timelines in consultation with SEBI for the submission of audit reports on a half-yearly and yearly basis.
Compliance Requirements
- Qualified REs and Mid/Small-size REs providing IBT or Algo trading: Submit half-yearly audit (October 2025 – March 2026) preliminary report by June 30, 2026; Corrective Action Taken Report (ATR) by September 30, 2026.
- Remaining REs (except Self-certification REs): Submit yearly audit (April 2025 – March 2026) preliminary report by June 30, 2026; ATR by September 30, 2026.
- All trading members must self-categorize under CSCRF criteria and obtain board/designated authority approval.
- Auditors must be CERT-In empanelled and comply with auditor selection norms in Annexure A.
- Audit TOR as specified in Annexure B must be followed.
- Management comments must accompany the audit report submission.
Important Dates
- June 30, 2026: Deadline for submission of Preliminary Cyber Audit Report (both half-yearly and yearly categories).
- September 30, 2026: Deadline for submission of Corrective Action Taken Report (ATR), if applicable.
- Audit period (half-yearly): October 2025 – March 2026.
- Audit period (yearly): April 2025 – March 2026.
Impact Assessment
This circular has a high compliance impact on all BSE trading members. It mandates a structured cybersecurity audit regime with board-level accountability, CERT-In empanelled auditors, and strict submission deadlines. Members providing IBT or algo trading services face additional half-yearly audit obligations. Non-compliance could result in regulatory action by BSE and SEBI. Members with multiple SEBI licenses face added complexity in self-categorization and must ensure all registrations are assessed under CSCRF. The requirement for 100% critical system coverage and explicit documentation of non-critical system sampling raises the bar for audit thoroughness across the industry.
Impact Justification
Mandatory compliance requirement affecting all BSE trading members under SEBI's Cybersecurity and Cyber Resilience Framework, with strict audit deadlines and multi-level reporting obligations including board-level oversight.