SEBI Operational Circular on Technology Risk Management and Business Continuity Planning
SEBI circular mandating stock exchanges, depositories, and market intermediaries to establish robust IT systems, cybersecurity controls, disaster recovery sites, and business continuity plans.
SEBI's Operational Circular SEBI/HO/MRD/MRD_DP/CIR/P/2019/067 dated May 22, 2019, and subsequent updates establish comprehensive technology risk management and business continuity planning requirements for market infrastructure institutions and intermediaries. The framework mandates stock exchanges like NSE and BSE, depositories like NSDL and CDSL, and clearing corporations to maintain stringent cybersecurity standards, real-time monitoring systems, and geographically separated disaster recovery sites with defined RTO and RPO parameters. It requires periodic cyber audits, vendor risk assessments, incident response protocols, and board-level oversight of technology risks to ensure market stability and investor protection.
- Ensures market continuity and operational resilience during cyber incidents or system failures, protecting investor confidence and preventing market disruptions
- Mandates geographically separated DR sites with defined recovery objectives for critical systems; for MIIs (exchanges, clearing corporations and depositories) SEBI's BCP/DR framework sets an RTO of 45 minutes and an RPO of 15 minutes, so that trading and settlement can resume from the DR site within the trading day
- Requires regular cyber audits conducted by CERT-In empanelled auditors, together with penetration testing and vulnerability assessments, to identify and remediate security weaknesses before they are exploited
- Establishes board-level accountability through a designated Chief Information Security Officer (CISO) and a Standing Committee on Technology responsible for oversight of technology and cyber risk
- Mandates incident response mechanisms with time-bound reporting of cyber incidents to SEBI (and CERT-In), enabling coordinated response to sector-wide threats
- Many smaller brokers and their authorised persons underinvest in cybersecurity, relying on minimal controls and outsourced IT without proper vendor risk management
- Inconsistent implementation of multi-factor authentication and endpoint security across intermediaries, leaving customer-facing access points and trading terminals exposed
- Insufficient frequency and realism in business continuity drills: many entities conduct perfunctory annual tests that never exercise an actual failover or simulate a realistic crisis scenario
- Inadequate third-party and supply chain risk management, particularly for cloud service providers, data centres, and software vendors supporting critical operations
- Limited cyber threat intelligence sharing mechanisms between market participants, reducing collective ability to defend against emerging threats and coordinated attacks
- NSE halted trading for nearly four hours on February 24, 2021 after failures in the telecom links serving its primary site disrupted its online risk management system, and it did not fail over to its disaster recovery site within the mandated RTO. The outage exposed the gap between a documented DR capability and the ability and willingness to invoke it; SEBI responded in March 2021 by tightening the BCP/DR framework for MIIs, including a requirement to declare a disaster within 30 minutes of an incident and to resume operations from the DR site within the 45-minute RTO.
- In April 2021, Upstox (RKSV Securities) disclosed a data breach in which attackers gained unauthorised access to a third-party data warehouse, exposing KYC details of a reported 2.5 million customers. The incident shows how broker-level security depends on vendor and supply-chain controls that the regulatory framework requires but that intermediaries implement unevenly.
- Exchanges have also reported system glitches around special trading sessions and platform upgrades; SEBI's testing framework requires mock trading sessions and capacity testing before new trading software or major upgrades go live, so that changes are exercised under realistic load before they reach the production market.
- Implement continuous, automated security monitoring with behaviour-based threat detection and defined response playbooks, rather than relying solely on periodic audits and manual reviews
- Establish mandatory cyber insurance coverage with minimum thresholds tied to transaction volumes and client assets to ensure financial resilience against cyber incidents
- Create a SEBI-coordinated Information Sharing and Analysis Center (ISAC) for securities market participants to share real-time threat intelligence, attack patterns, and defensive measures
- Mandate quarterly crisis simulation exercises involving coordinated scenarios across exchanges, depositories, and major intermediaries to test inter-organizational recovery procedures and communication protocols
- Strengthen cloud security and data localization requirements with specific controls for Software-as-a-Service (SaaS) platforms used by intermediaries, including broker management systems and CRM tools
Updated 6/8/2026 · refreshed weekly