Description
NSE mandates cyber security and cyber resilience audit requirements for trading members in compliance with SEBI's CSCRF framework, with specific timelines for qualified and mid-size REs.
Summary
NSE issued mandatory cyber security and cyber resilience audit requirements for trading members pursuant to SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF). The circular establishes specific audit timelines for qualified REs and mid-size/small-size REs providing IBT or Algo Trading facilities. Audits must cover 100% of critical systems and 25% of non-critical systems on a sample basis, conducted by CERT-In empaneled auditors.
Key Points
- Cyber audit shall cover 100% of critical systems and 25% of non-critical systems chosen on a sample basis, with the rationale for the sample stated explicitly in the audit report
- Trading members with multiple SEBI registrations (Custody, AIF, RA/IA, PMS, Merchant Bankers) must self-categorize according to CSCRF criteria
- Entity categorization must be reviewed and approved annually by Board of Directors/Designated Director/Proprietor/Partner or technical advisory committee
- Auditors must verify whether trading member categorization aligns with SEBI CSCRF framework during audit
- Audit report submission considered complete only after management comments provided
- Auditors must provide compliance status for each TOR item as Compliant/Non-Compliant/Not Applicable with justification for non-applicable items
- No audit cycle shall be left unaudited due to category changes; unaudited periods must be included in next audit cycle
- Half-yearly audit basis applies to Qualified REs and Mid-size/Small-size REs providing IBT or Algo Trading facilities
Regulatory Changes
Implementation of SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF) as per SEBI Circular No. SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, and subsequent clarification circulars dated December 31, 2024, March 28, 2025, April 30, 2025, August 28, 2025, and FAQ dated June 11, 2025. NSE, in consultation with SEBI, establishes specific timelines for conducting the cyber audit and submitting the report on a half-yearly basis.
Compliance Requirements
- Trading members must conduct cyber audit through CERT-In empaneled auditors
- Audit report must be approved by respective IT Committee before submission to Exchange
- Self-categorization as per CSCRF criteria required for entities with multiple SEBI registrations
- Annual review and approval of categorization by appropriate authority (Board/Designated Director/Proprietor/Partner/technical advisory committee)
- Management comments must be provided with audit report submission
- Auditors must explicitly state the rationale for sample-based checking of non-critical systems and the sample size chosen
- Action Taken Report (ATR)/Revalidation report providing closure status must be submitted after IT Committee approval
- Adherence to auditor selection norms and guidelines as per CSCRF provisions (detailed in Annexure A)
- Compliance with detailed Terms of Reference (TOR) applicable for Cyber Audit as per CSCRF Framework (detailed in Annexure B)
- Follow CERT-In Comprehensive Cyber Security Audit Policy Guidelines
Important Dates
For Audit Period ending September 30, 2025:
- December 31, 2025: Conduct of Cyber Audit through CERT-In Auditor and report submission to Exchange after IT Committee approval
- March 31, 2026: Submission of ATR/Revalidation report through CERT-In Auditor providing closure status after IT Committee approval
Impact Assessment
Operational Impact: High - Trading members must establish comprehensive cyber audit processes, engage CERT-In empaneled auditors, and ensure IT Committee oversight. Significant resource allocation required for audit preparation, execution, and remediation.
Compliance Impact: High - Strict timelines with multiple submission requirements. Non-compliance may result in regulatory action. Entities with multiple SEBI registrations face additional complexity in determining appropriate categorization.
Market Impact: Medium - Enhanced cybersecurity standards strengthen overall market infrastructure resilience and investor protection, though no direct impact on trading operations if compliance maintained.
Cost Impact: High - Recurring costs for half-yearly audits by specialized CERT-In auditors, potential system upgrades to meet compliance standards, and ongoing remediation activities.
Impact Justification
Mandatory cybersecurity audit framework affecting all trading members, with strict deadlines and comprehensive compliance requirements for the protection of critical systems.