Cyber Security and Cyber Resilience Policy

Comprehensive cyber security and cyber resilience framework per SEBI regulatory requirements


Document ID: POL-007
Classification: Internal
Owner: CTO (interim CISO)
Effective Date: April 2026
Review Cycle: Annual

Policy Name: Cyber Security and Cyber Resilience Policy
Department: Compliance
Effective Date: July 26, 2022
Version: 2025/06
Review Cycle: Yearly
Approver: Board of Directors
Revised Date: July 1, 2025

1. Statutory Mandate

This framework is framed in accordance with the requirements of SEBI Circular SEBI/HO/ITD 1/ITD_CSC_EXT/P/CIR/2024/113 (“the circular”) dated August 20, 2024.


2. Objective of the Framework

The objective of this framework is to provide robust cyber security and cyber resilience so that Stockbrokers and Depository Participants can perform their significant functions in providing services to the holders of securities.


3. Applicability

The provisions of the circular, including the framing of a cyber security and cyber resilience framework, must be complied with by all Stockbrokers and Depository Participants registered with SEBI.

The policy has been considered, taken on record, and approved by the board of directors of the company at their duly convened meeting held on July 1, 2025.


4. Scope of the Framework

Cyber‐attacks and threats attempt to compromise the Confidentiality, Integrity, and Availability (CIA) of the computer systems, networks, and databases:

Confidentiality: Limiting access to systems and information to authorized users
Integrity: Assurance that the information is reliable and accurate
Availability: Guarantee of reliable access to systems and information by authorized users

Cyber security framework includes measures, tools and processes that are intended to prevent cyber‐attacks and improve cyber resilience. Cyber Resilience is an organization’s ability to prepare and respond to a cyber‐attack and to continue operation during, and recover from, a cyber‐attack.

With a view to strengthening and improving the Cyber Security and Cyber Resilience framework, the board of directors of the company shall review this policy document and its implementation at least once annually.


5. Designated Officer

The company nominates a Designated Officer to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.


6. Constitution of Technology Committee

6.1 Committee Members

The company constitutes a technology committee (“the committee”) with the following members:

  1. Designated Officer (Chair)
  2. VP – Tech & CISO (Member)
  3. Compliance Officer (Member)

6.2 Review Responsibilities

The committee shall, on a half-yearly basis, review the implementation of the Cyber Security and Cyber Resilience policy. The review shall include, but not be limited to:

  • Reviewing current IT and Cyber Security and Cyber Resilience capabilities
  • Setting up of goals for a target level of Cyber Resilience
  • Establishing plans to improve and strengthen Cyber Security and Cyber Resilience

The review shall be placed before the Board of directors to take appropriate action(s), if required.

6.3 Incident Review

The Designated officer and the technology committee shall periodically review instances of cyber‐attacks, if any, domestically and globally, and take steps to strengthen Cyber Security and cyber resilience framework.


7. Identification, Assessment and Management of Cyber Security Risk

The company shall ensure the following steps in order to identify, assess, and manage Cyber Security risk associated with processes, information, networks and systems.

7.1 Identification of Critical IT Assets and Risks

The committee and designated officer shall identify the critical assets based on their sensitivity and criticality for business operations, services and data management including various servers, data processing systems, and information technology (IT) related hardware and software.

The IT team shall maintain up‐to‐date inventory of:

  • Hardware and systems and the personnel to whom these have been issued
  • Software and information assets (internal and external)
  • Details of network resources, connections to the network and data flows

7.2 Protection of Assets

To protect its assets, the company shall ensure the following measures:

  • Access controls
  • Physical Security
  • Network Security Management
  • Data security
  • Hardening of Hardware and Software
  • Application Security in Customer Facing Applications
  • Certification of off‐the‐shelf products
  • Patch management
  • Disposal of data, systems, and storage devices
  • Vulnerability Assessment and Penetration Testing (VAPT)
  • SOC dashboard monitoring
  • Cloud Infrastructure Security: Servers, applications, and networks hosted on AWS and GCP are secured and hardened as per standardized security policy settings with appropriate cloud security controls, access restrictions, and monitoring mechanisms

The company shall take all such steps to protect assets by deploying suitable controls, tools and measures in conformity with the provisions of SEBI circular SEBI/HO/ITD 1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, and any amendment or substitution thereof.

7.3 Detection of Incidents

SOC monitoring and alerting shall be configured for early detection of:

  • Unauthorized or malicious activities
  • Unauthorized changes
  • Unauthorized access
  • Unauthorized copying or transmission of data/information held in contractual or fiduciary capacity

The security logs of systems, applications and network devices exposed to the internet shall be monitored for anomalies. The company shall ensure high resilience, high availability and timely detection of attacks on systems and networks exposed to the internet.

7.4 Response to Incidents

The alerts generated from monitoring and detection systems shall be analyzed to determine activities to be performed to:

  • Prevent expansion of such incident of cyber-attack or breach
  • Mitigate its effect
  • Eradicate the incident

Where systems are affected by cyber‐attacks or breaches, the company shall ensure their timely restoration in order to provide uninterrupted services.

The committee and designated officer shall ensure that the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) prescribed by the regulatory requirements are met.

7.5 Recovery from Incidents

The company shall take into account the outcomes of any incident of loss or destruction of data or systems and accordingly shall take precautionary measures to:

  • Strengthen the security mechanism
  • Improve recovery planning and processes

Periodic checks to test the adequacy and effectiveness of the response and recovery plan shall be done.


8. Compliance Principles

The technology committee shall ensure that this framework considers the principles prescribed by:

  • National Critical Information Infrastructure Protection Centre (NCIIPC) of National Technical Research Organization (NTRO), Government of India
  • Guidelines for Protection of National Critical Information Infrastructure
  • Subsequent revisions, if any

9. Communication of Unusual Activities and Events

The IT team of the company, under the guidance of the committee, shall monitor unusual activities and events and shall communicate them to the designated officer for necessary action.


10. Responsibilities of Employees, Members and Participants

In addition to the duties communicated by the company/committee/designated officer, employees, members and participants shall assist in mitigating cyber-attacks by adhering to the following:

Prevention Measures

  • Attend cyber safety and training programs conducted by the company
  • Ensure installation, usage and regular update of antivirus and antispyware software
  • Use a firewall for Internet connections
  • Download and install software updates for operating systems and applications as they become available
  • Make backup copies of important business data and information
  • Control physical access to computers and network components
  • Keep Wi‐Fi networks secured and hidden
  • Adhere to limited employee access to data and information
  • Maintain limited authority to install software
  • Regularly change passwords
  • Do not use or attach unauthorized devices
  • Do not try to open restricted domains
  • Avoid saving personal or financial data on unauthentic websites
  • Get computers regularly scanned with anti‐virus software
  • Do not release sensitive data of the organization

Access Control Requirements

  • No person by virtue of rank or position shall have any intrinsic right to access confidential data, applications, system resources or facilities
  • Any access to systems, applications, networks, databases shall be for a defined purpose and period
  • Access granted on need‐to‐use basis based on principle of least privilege
  • Strong authentication mechanisms shall be used
  • Access policy with strong password controls shall be implemented
  • Critical systems accessible over internet should have two‐factor security (VPNs, Firewall controls, etc.)
  • Records of user access to critical systems shall be logged for audit and review purposes (minimum 2 years retention)
  • Privileged users shall be supervised with restricted number, periodic review of activities, and strong controls over remote access
  • Employees and outsourced staff with authorized access to critical systems shall be subject to stringent supervision and monitoring
  • Internet access policy shall monitor and regulate use of internet-based services within critical IT infrastructure
  • User Management shall address deactivation of access privileges for departing users
  • Physical access to critical systems shall be restricted to authorized officials only
  • Physical access shall be revoked immediately when no longer required
  • Perimeter of critical equipment rooms shall be physically secured with CCTVs, card access systems, etc.

Network and Security Requirements

  • Baseline standards for security configurations to operating systems, databases, network devices
  • LAN and wireless networks secured within premises with proper access controls
  • Adequate measures for algorithmic trading facilities
  • Network security devices (firewalls, proxy servers, IDS/IPS) to protect IT infrastructure
  • Adequate controls for virus/malware/ransomware attacks
  • Critical data encrypted in motion and at rest using strong encryption methods
  • Measures to prevent unauthorized access or copying of data held in contractual or fiduciary capacity
  • Security policy covers use of mobile phones, faxes, photocopiers, scanners
  • Only authorized data storage devices allowed through appropriate validation processes
  • Deploy hardened hardware/software with default passwords replaced
  • Open ports blocked and secured
  • Application security for customer facing applications (IBTs, portals, Back-office applications)
  • Patch management procedures for identification, categorization and prioritization of patches
  • Rigorous testing of security patches before production deployment
  • Suitable policy for disposal of storage media and systems

Vulnerability Management

  • Regular vulnerability assessment to detect security vulnerabilities
  • Penetration tests at least once a year for systems publicly available over internet
  • Vulnerability scanning and penetration testing prior to commissioning new internet-accessible systems
  • Vulnerabilities in off-the-shelf products reported to vendors and exchanges
  • Remedial actions taken immediately for gaps identified during vulnerability assessment and penetration testing

Monitoring Requirements

  • Appropriate security monitoring systems for continuous monitoring of security events/alerts
  • Security logs of systems, applications and network devices monitored for anomalies
  • Mechanisms to monitor capacity utilization of critical systems and networks
  • Alerts investigated to determine prevention and mitigation activities

Response and Recovery

  • Response and recovery plan for timely restoration of affected systems
  • Same RTO and RPO as per regulatory requirements
  • Defined responsibilities and actions for employees and outsourced staff during cyber-attacks
  • Thorough analysis of incidents with lessons incorporated
  • Periodic checks to test response and recovery plan

11. Submission of Quarterly Reports

Quarterly reports containing information on cyber‐attacks and threats experienced, if any, and measures taken to mitigate vulnerabilities, threats and attacks shall be submitted to Stock Exchanges/Depositories, as per statutory requirements/guidelines.


12. Training and Education

The committee and designated officer shall conduct training and educational sessions for employees to:

  • Build Cyber Security and basic system hygiene awareness
  • Enhance knowledge of IT/Cyber Security Policy and standards
  • Incorporate up-to-date Cyber Security threat alerts

Training shall include outsourced staff and vendors, as applicable.


13. Systems Managed by Vendors

Whenever systems (IBT, back office and other customer facing applications, IT infrastructure) are managed by vendors, the company shall instruct vendors to adhere to applicable guidelines and obtain necessary self‐certifications to ensure compliance with policy guidelines.


14. Systems Managed by MIIs

Wherever applications are offered to customers over the internet by MIIs (Market Infrastructure Institutions), such as NSE’s NOW, BSE’s BEST, etc., the responsibility of ensuring Cyber Resilience resides with the MIIs. The company is exempted from applying guidelines to such systems.


15. Periodic Audit

The company shall arrange to have its systems audited on an annual basis by:

  • CERT‐IN empaneled auditor, or
  • Independent DISA/CISA/CISM qualified auditor

The audit shall check compliance with the above areas and the report shall be submitted to Stock Exchanges/Depositories along with comments of the Board/committee within three months of the end of the financial year.


Annexure A: Illustrative Measures for Data Security on Customer Facing Applications

  1. Analyze different kinds of sensitive data shown to customers on frontend applications to ensure only necessary data is transmitted and displayed.

  2. Wherever possible, mask portions of sensitive data. For instance, display only a portion of phone numbers or bank account numbers (e.g., “XXX XXX 789” instead of “123 456 789”).

  3. Analyze data and databases holistically to create meaningful silos (physical or virtual) for different kinds of data. Databases with personal financial information should not be part of systems housing public facing websites.

  4. Implement strict data access controls amongst personnel. Limit the number of personnel with direct access, and monitor, log, and audit their activities.

  5. Use industry standard, strong encryption algorithms (e.g., RSA, AES) wherever encryption is implemented. Identify data that warrants encryption and ensure proper key management.

  6. Ensure all critical and sensitive data is adequately backed up in secure locations (isolated networks, on-premises servers, or disk drives off-limits to unauthorized personnel).
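As an added example (not part of the policy or the company's code), the following Python helper implements items 1 and 2 above: a masking function that keeps only the trailing digits of an identifier while preserving its layout, and a view builder that applies an allow-list so fields the frontend does not need are never serialised. The field names, thresholds and sample record are constructed for the example.

```python
"""Masking and field allow-listing for customer-facing views.

Added example; not part of the policy. mask_identifier keeps only the
trailing `visible` alphanumerics of a value (default 3), replaces every
other alphanumeric with mask_char and leaves separators in place, so
"123 456 789" renders as "XXX XXX 789". frontend_view applies it to a
backend record using an allow-list, so fields the UI does not need are
never serialised. FRONTEND_FIELDS, MASKED_FIELDS and the sample record
are constructed for the example.
"""


def mask_identifier(value: str, visible: int = 3, mask_char: str = "X") -> str:
    """Mask all but the last `visible` alphanumerics; keep separators.

    Short values are handled as an edge case: at most half of the
    alphanumerics are revealed, so "12" becomes "X2" and "1" becomes "X"
    rather than being echoed in full.
    """
    alnum = [i for i, ch in enumerate(value) if ch.isalnum()]
    reveal = min(visible, len(alnum) // 2)
    keep = set(alnum[len(alnum) - reveal:])
    return "".join(
        mask_char if ch.isalnum() and i not in keep else ch
        for i, ch in enumerate(value)
    )


# Constructed allow-list: the only fields the frontend is permitted to see,
# and the subset that must be masked before display.
FRONTEND_FIELDS = {"name", "phone", "bank_account"}
MASKED_FIELDS = {"phone", "bank_account"}


def frontend_view(record: dict) -> dict:
    """Build the view sent to the browser from a full backend record.

    Anything outside FRONTEND_FIELDS (PAN, date of birth, address, ...)
    is dropped here, before serialisation, rather than hidden client-side.
    """
    view = {}
    for field_name, value in record.items():
        if field_name not in FRONTEND_FIELDS:
            continue
        view[field_name] = (
            mask_identifier(str(value)) if field_name in MASKED_FIELDS else value
        )
    return view


if __name__ == "__main__":
    sample = {  # constructed sample record
        "name": "A. Customer",
        "phone": "98765 43210",
        "bank_account": "1234-5678-9012",
        "pan": "ABCDE1234F",
    }
    print(frontend_view(sample))
```

Masking is done server-side and the allow-list is enforced before the response is built, so a client that inspects the raw API payload sees no more than the rendered page does.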


Annexure B: Illustrative Measures for Data Transport Security

  1. Applications transmitting sensitive data over the Internet should use secure, encrypted channels to prevent Man-In-The-Middle (MITM) attacks. Use strong transport encryption mechanisms such as TLS (Transport Layer Security).

  2. For applications served as web pages over the internet carrying sensitive data, a valid, properly configured TLS (SSL) certificate on the web server is mandatory (HTTPS).

  3. Avoid insecure protocols such as FTP. Adopt secure protocols such as FTPS, SSH, secure tunnels, RDP (with TLS), etc.


Annexure C: Illustrative Measures for Application Authentication Security

  1. Any application containing sensitive, private, or critical data offered to customers over the Internet should be password protected with reasonable minimum length requirements.

  2. Passwords, security PINs, etc. should never be stored in plain text; they should be one-way hashed using a strong password hashing function (e.g., bcrypt, PBKDF2).

  3. For added security, use multi-factor authentication (hardware or software cryptographic tokens, VPNs, biometric devices, PKI, etc.).

  4. For applications on mobile devices, cryptographically secure biometric two-factor authentication may be used.

  5. After a reasonable number of failed login attempts, lock the customer’s account until password reset is performed via out-of-band channel validation.

  6. Avoid forcing customers to change passwords at frequent intervals. Focus on strong multi-factor authentication and educate customers to choose strong passphrases.

  7. Log both successful and failed login attempts. After successive login failures, use CAPTCHAs or rate-limiting to thwart brute force and enumeration attacks.
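As an added example (not the company's code and not the API of any product the policy names), the following Python module shows items 2, 5 and 7 above working together: salted PBKDF2 password storage with constant-time verification, a CAPTCHA/rate-limit flag after successive failures, lockout after a threshold, a reset path that only clears the lockout once the caller has completed out-of-band validation, and an audit log of both successful and failed attempts. The iteration count, the two thresholds and the sample user are assumptions chosen for the example.

```python
"""Password storage, lockout and login auditing (Annexure C, items 2, 5 and 7).

Added example; not the company's or any library's own code. Passwords are
stored as salted PBKDF2-HMAC-SHA256 hashes (hashlib.pbkdf2_hmac), every
login attempt is logged, a CAPTCHA/rate-limit challenge is flagged after
CAPTCHA_AFTER consecutive failures, and the account is locked after
MAX_FAILURES until a password reset that the caller has validated
out-of-band. The thresholds, iteration count and sample users are
assumptions chosen for the example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 600_000  # assumption: tune to ~100 ms per hash on the target hardware
CAPTCHA_AFTER = 3            # assumption: "successive failures" before a challenge is required
MAX_FAILURES = 5             # assumption: "reasonable number" of failures before lockout
SALT_BYTES = 16


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated one-way hash of the password (the plain text is never stored)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    failures: int = 0    # consecutive failed attempts since the last success or reset
    locked: bool = False


class AuthStore:
    def __init__(self, clock=time.time, iterations: int = PBKDF2_ITERATIONS):
        self.accounts = {}
        self.audit_log = []       # in production this is shipped to the SOC / SIEM
        self.clock = clock        # injectable so tests get deterministic timestamps
        self.iterations = iterations

    def _log(self, event: str, username: str) -> None:
        # Both successful and failed attempts are recorded (item 7).
        self.audit_log.append(f"{self.clock():.0f} {event} user={username}")

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(SALT_BYTES)   # unique random salt per account
        self.accounts[username] = Account(salt, hash_password(password, salt, self.iterations))

    def challenge_required(self, username: str) -> bool:
        """True when the UI should demand a CAPTCHA or apply rate limiting."""
        acct = self.accounts.get(username)
        return acct is not None and acct.failures >= CAPTCHA_AFTER

    def login(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user: still compute a hash so the response time does not
            # reveal which usernames exist, then log and reject.
            hash_password(password, b"\x00" * SALT_BYTES, self.iterations)
            self._log("LOGIN_FAIL_UNKNOWN_USER", username)
            return False
        if acct.locked:
            self._log("LOGIN_REJECTED_LOCKED", username)
            return False
        candidate = hash_password(password, acct.salt, self.iterations)
        if hmac.compare_digest(candidate, acct.pw_hash):   # constant-time comparison
            acct.failures = 0
            self._log("LOGIN_SUCCESS", username)
            return True
        acct.failures += 1
        self._log("LOGIN_FAIL", username)
        if acct.failures >= MAX_FAILURES:
            acct.locked = True
            self._log("ACCOUNT_LOCKED", username)
        return False

    def reset_password(self, username: str, new_password: str, oob_verified: bool) -> bool:
        """Clear a lockout only after the caller has validated an out-of-band
        channel (OTP, e-mail link); that validation is outside this example."""
        acct = self.accounts.get(username)
        if acct is None or not oob_verified:
            self._log("PASSWORD_RESET_REJECTED", username)
            return False
        acct.salt = os.urandom(SALT_BYTES)          # fresh salt with the new password
        acct.pw_hash = hash_password(new_password, acct.salt, self.iterations)
        acct.failures, acct.locked = 0, False
        self._log("PASSWORD_RESET", username)
        return True


if __name__ == "__main__":
    store = AuthStore(iterations=50_000)   # lower cost for a quick demo run
    store.register("alice", "correct horse battery staple")   # constructed sample user
    print(store.login("alice", "correct horse battery staple"))
    for _ in range(MAX_FAILURES):
        store.login("alice", "wrong")
    print(store.accounts["alice"].locked, store.challenge_required("alice"))
    print("\n".join(store.audit_log))
```

The log lines are what the SOC monitoring described in section 7.3 would consume: a burst of LOGIN_FAIL followed by ACCOUNT_LOCKED for one user, or LOGIN_FAIL_UNKNOWN_USER across many usernames, is the anomaly to alert on. Lockout and reset are deliberately separate from the hashing so that a changed threshold or a different KDF does not touch the audit path.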