Description

NSE revises Terms of Reference, system audit report formats, and VAPT report submission requirements for vendors providing Co-location as a Service (CaaS) facility, including updated penalty structures for non-compliance.

Summary

NSE has revised the Terms of Reference (TOR) and submission formats for System Audit Reports and Vulnerability Assessment and Penetration Testing (VAPT) reports applicable to vendors providing Co-location as a Service (CaaS) facilities. The circular introduces updated report formats (Annexures 4 and 5) and a structured penalty framework for delays, non-submission, and non-closure of identified vulnerabilities.

Key Points

  • Updated VAPT Summary Report format (Annexure 4) requires disclosure of vendor details, auditor credentials, CERT-In empanelment validity, and a risk-categorized breakdown of open and closed vulnerabilities.
  • VAPT summary reports must be digitally signed by both the CaaS vendor and the auditor.
  • Action Taken Reports (ATR) for closure of VAPT findings must be submitted within 3 months of VAPT report submission.
  • Penalty structure introduced for delay or non-submission of System Audit/VAPT/ATR reports.
  • Additional penalties apply for non-closure of open vulnerabilities beyond 3 months from final report submission.

Regulatory Changes

  • Revised Terms of Reference (TOR) for system audits and VAPT applicable to CaaS vendors.
  • New standardized formats mandated for VAPT Summary Reports and penalty/disciplinary action schedules.
  • VAPT must be performed by CERT-In empanelled auditors, and the expiry date of the auditor's empanelment must be disclosed.

Compliance Requirements

  • CaaS vendors must submit System Audit Reports, VAPT Reports, and ATRs within prescribed timelines.
  • VAPT reports must include risk-categorized vulnerability counts (Critical, High, Medium, Low) with closure status and planned remediation dates.
  • Digital signatures of both the CaaS vendor and the auditor are mandatory on the VAPT summary.
  • Vulnerabilities must be remediated using a risk-based approach; ATR/compliance report due within 3 months post VAPT submission.
  • Reports must be approved by Technology/IT/Cyber Security Committee or MD/CISO/CTO of the CaaS vendor.

Important Dates

  • ATR/compliance report for VAPT findings: within 3 months from submission of final VAPT report.
  • Non-closure of vulnerabilities beyond 3 months triggers financial penalties.
  • A member onboarding restriction notice is issued if a report is not submitted within 21 days of its due date; new member onboarding is prohibited from day 28.

Impact Assessment

  • CaaS Vendors: Subject to escalating daily monetary penalties for late or non-submission (Rs. 3,000/day for days 1–7; Rs. 5,000/day for days 8–21), and per-vulnerability penalties for non-closure (up to Rs. 1,00,000 per High/Critical vulnerability in VAPT; Rs. 30,000 per observation in System Audit).
  • Repeat violations attract a 50% surcharge on applicable penalties.
  • Member onboarding at CaaS facilities can be restricted or prohibited for persistent non-compliance, impacting broker/member operations.
  • Market infrastructure: Strengthens cybersecurity oversight of co-location services, reducing systemic risk from unpatched vulnerabilities in exchange proximity infrastructure.

Impact Justification

Affects CaaS vendors and their member onboarding operations; introduces structured penalties for non-submission and non-closure of vulnerabilities, but limited to a specific segment of market infrastructure providers.