SEBI imposes Rs 5.05 crore fine on ICCL for cyber security lapses

IANS February 25, 2025 268 views

SEBI has imposed a Rs 5.05 crore penalty on Indian Clearing Corporation Limited for multiple cyber security violations. The regulator's inspection between December 2022 and July 2023 revealed the BSE subsidiary failed to follow proper audit reporting protocols and maintain IT system standards. ICCL didn't resolve previously identified issues within required timeframes and had inadequate disaster recovery systems. The penalty highlights SEBI's focus on maintaining robust security infrastructure in systemically important financial institutions.

"These institutions are systemically important for the country's financial development and serve as the infrastructure necessary for the securities market." - Dr Bimal Jalan Committee Report
SEBI imposes Rs 5.05 crore fine on ICCL for cyber security lapses
Mumbai, Feb 25: The Securities and Exchange Board of India (SEBI) on Tuesday imposed a penalty of Rs 5.05 crore on the Indian Clearing Corporation (ICCL), a subsidiary of the Bombay Stock Exchange (BSE), for failing to comply with cyber security and system audit-related rules.

Key Points

1

ICCL submitted network audit report without management or board comments

2

Failed to maintain updated inventory of IT assets and software classifications

3

Issues from cyber audits weren't resolved within required timeframes

4

Disaster recovery system lacked required one-to-one match with primary data center

The SEBI conducted an inspection of the ICCL between December 2022 and July 2023 and later issued a show-cause notice in October 2024.

After reviewing the findings, the market regulator found several violations in the ICCL's operations.

One of the key issues was that the ICCL submitted its network audit report to the SEBI without any comments from its management or board.

According to the rules, the audit report should first be reviewed by the governing board of market infrastructure institutions, and their feedback must be included before submitting it to the SEBI within a month of the audit's completion.

The SEBI also found that the ICCL did not maintain an up-to-date inventory of IT assets, including software classifications.

Although the ICCL conducted cyber audits twice a year, the issues raised in these audits were not resolved within the required time.

Another major violation was related to the ICCL's disaster recovery system.

The SEBI guidelines require a one-to-one match between the primary data centre (PDC) and disaster recovery site (DRS), but the ICCL failed to ensure this.

Sebi's Quasi-Judicial Authority, G Ramar, referred to the Dr Bimal Jalan Committee's 2010 report on market infrastructure institutions while issuing the order.

The regulator directed ICCL to pay the penalty within 45 days.

"These institutions (i.e., stock exchanges, depositories and clearing corporations) are systemically important for the country's financial development and serve as the infrastructure necessary for the securities market. These institutions are collectively referred to as Market Infrastructure Institutions (MIIs)... They are, therefore, 'vital economic infrastructure'. The recent financial crisis has shown the importance of financial institutions to economic stability," the committee report said.

Tags:
SEBI BSE ICCL Cyber Security Regulatory Fine Market Infrastructure Institutions Financial Regulations Compliance Failure
You May Like!