Adjudication Order Against Zebu Share and Wealth Management Pvt. Ltd. for IT System Violations

Published: August 8, 2025

Processed: August 8, 2025

PDF Document

If the PDF doesn't display, click here to view it in a new tab ↗

Description

SEBI imposes penalty on Zebu Share and Wealth Management for multiple IT system compliance failures including capacity monitoring, VAPT audit non-compliance, and inadequate security controls.

Summary

SEBI has issued an adjudication order against Zebu Share and Wealth Management Pvt. Ltd. (Registration No. INM000174634) following a joint inspection with MCX conducted from October 28-29, 2024. The inspection covered the period from April 1, 2023 to September 30, 2024 and revealed multiple violations of SEBI (Stock Brokers) Regulations, 1992 related to IT systems and cybersecurity compliance.

Key Points

Joint SEBI-MCX inspection identified serious IT system compliance failures
Zebu has been a registered stockbroker since February 26, 2014
Show Cause Notice issued on May 19, 2025 for multiple regulatory violations
Company submitted reply on October 30, 2024 acknowledging some issues
Adjudication proceedings initiated under Section 15-I of SEBI Act, 1992

Regulatory Violations

Capacity Utilization Monitoring: Irregularities in capacity monitoring systems
Software Testing: Inadequate testing of software updates and system changes before deployment
Crisis Management: Deficiencies in incident response and crisis management teams
Critical Assets: Improper identification of critical IT assets
VAPT Audit: Failure to conduct Vulnerability Assessment and Penetration Testing for FY 2023-24
Monitoring Systems: Inadequate monitoring systems and processes
Access Controls: Failure to provide details on critical system access
Log Management: Non-maintenance of server and firewall logs
Vendor Management: Irregularities in systems managed by third-party service providers

Compliance Requirements

Stockbrokers must maintain robust IT infrastructure with proper capacity monitoring
Regular VAPT audits of all critical assets are mandatory
Comprehensive incident response and crisis management frameworks required
Proper identification and protection of critical IT assets
Maintenance of detailed access logs and system monitoring
Adequate testing protocols for system updates and changes

Important Dates

Inspection Period: April 1, 2023 to September 30, 2024
Inspection Conducted: October 28-29, 2024
Adjudication Proceedings Approved: April 25, 2025
Adjudicating Officer Appointed: April 28, 2025
Show Cause Notice Issued: May 19, 2025
Company Reply Submitted: October 30, 2024

Impact Assessment

This adjudication highlights SEBI’s focus on cybersecurity and IT system compliance for market intermediaries. The violations relate to fundamental IT security controls that are critical for protecting client data and maintaining market integrity. Other stockbrokers should review their IT compliance frameworks to ensure adherence to SEBI’s cybersecurity requirements.

Category	Compliance
Circular ID	`4ec8641cd1f9f452`
Impact	Medium
Severity	High
Tags	adjudication penalty stockbroker it-systems compliance cybersecurity vapt-audit capacity-monitoring zebu
Source	SEBI
Links	PDF Document ↗ Original Source ↗ Permalink