Securities and Exchange Board of India · Capital Markets

SEBI Guidelines on Technology Service Provider Due Diligence and Risk Assessment for Market Infrastructure Institutions 2024

SEBI's 2024 guidelines mandate Market Infrastructure Institutions to conduct comprehensive due diligence and continuous risk assessment of technology service providers to ensure operational resilience.

Framework overview

The SEBI Guidelines on Technology Service Provider Due Diligence and Risk Assessment for Market Infrastructure Institutions (MIIs), issued in 2024, establish a robust framework for stock exchanges, clearing corporations, and depositories to assess third-party technology vendors. MIIs must conduct comprehensive pre-onboarding due diligence, ongoing performance monitoring, and periodic risk assessments of all critical technology service providers. The guidelines mandate MIIs to maintain vendor risk registers, establish clear service level agreements with exit clauses, ensure business continuity provisions, and conduct regular audits of vendor cybersecurity controls. This framework emerged after several technology outages at NSE and BSE highlighted systemic risks from vendor dependencies.

Advantages
  • Reduces systemic risk in capital markets by ensuring technology vendors serving NSE, BSE, MCX-SX, NSDL, and CDSL undergo rigorous security and operational resilience assessments
  • Establishes standardized vendor risk management practices across all MIIs, eliminating inconsistencies in how exchanges and depositories evaluate critical technology partners like TCS, Infosys, and specialized fintech providers
  • Mandates contractual safeguards including data localization, audit rights, and exit management provisions that protect investor data and ensure service continuity during vendor transitions
  • Creates an accountability framework with designated vendor risk management officers at MIIs responsible for continuous monitoring and escalation of technology provider risks to boards
  • Enhances investor confidence by reducing the likelihood of trading disruptions caused by vendor failures, similar to the NSE outages in February 2021 and April 2023

Gaps in implementation
  • Many MIIs lack mature vendor risk management frameworks and rely on generic procurement checklists rather than specialized technology risk assessments tailored to capital market criticality
  • Due diligence of cloud service providers remains superficial with limited technical evaluation of AWS, Microsoft Azure, and Google Cloud's India-specific security controls and data residency compliance
  • Smaller depositories and commodity exchanges have insufficient specialized personnel to conduct deep technical assessments of cybersecurity frameworks, penetration testing results, and disaster recovery capabilities of vendors
  • Continuous monitoring mechanisms are often compliance-checkbox exercises with quarterly reviews rather than real-time assessment of vendor security incidents, patch management, and change control processes
  • Exit management and vendor transition plans remain theoretical documents untested through actual simulations, creating risk when MIIs need to rapidly replace failing technology providers

Real-world Indian scenarios
  • NSE suffered multiple trading outages in February 2021 and April 2023 due to technology infrastructure failures linked to telecom connectivity and middleware issues from third-party providers, resulting in SEBI imposing penalties and mandating enhanced vendor risk frameworks across all exchanges.
  • BSE's migration to a new trading platform in 2017 faced significant challenges when vendor deliverables were delayed and inadequately tested, causing trading disruptions and highlighting gaps in vendor performance monitoring and contractual penalty enforcement by market infrastructure institutions.
  • CDSL and NSDL's increasing reliance on cloud infrastructure providers for depository services in 2023-24 raised concerns about vendor concentration risk, data sovereignty, and the need for rigorous assessment of hyperscalers' business continuity capabilities specific to securities settlement functions.

Room for improvement
  • MIIs should establish dedicated Vendor Risk Management Units with specialized personnel trained in cybersecurity assessments, regulatory technology, and capital markets operations rather than delegating to generic procurement teams
  • Implement real-time vendor performance dashboards integrating SLA metrics, security incident feeds, patch compliance status, and change management logs accessible to both operational teams and senior management for proactive risk identification
  • Conduct annual tabletop exercises and live vendor transition drills to test exit management plans, especially for critical trading platforms, clearing systems, and depository infrastructure to ensure business continuity during forced vendor changes
  • Develop industry-wide vendor assessment standards through collaboration between NSE, BSE, NSDL, CDSL and SEBI to create pre-certified vendor pools with standardized security audits, reducing duplication and improving vendor accountability across MIIs
Tags: SEBI · Market Infrastructure Institutions · Technology Risk Management · Vendor Due Diligence · Cybersecurity · Operational Resilience

Updated 6/22/2026 · refreshed weekly
