
Cyber Security Audit Mandate for Trading Members, June 2026

Source: NSE India Circulars

Summary

NSE India has published audit timelines for trading members to conduct and submit cyber audits under SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), with preliminary audit report submissions due June 30, 2026 and corrective action report (ATR) submissions due September 30, 2026, categorized by entity size (Qualified REs, Mid-size/Small REs, and Rest of REs). The directive mandates that no audit cycle shall be left unaudited when entity category changes at the start of a financial year, requiring the unaudited period to be included in the current audit cycle. Non-compliant trading members face financial disincentives and disciplinary actions as specified in Annexure D.

“Cyber audit shall cover 100% of the critical systems and 25% of non-critical systems chosen on a sample basis for which the rationale of checking it on sample basis (non-critical systems) and the chosen sample size shall be explicitly mentioned in the audit report by auditor.”

Why this matters

Trading members should immediately verify their CERT-In empanelment status with current auditors and confirm their entity categorization (Qualified, Mid-size, or Small RE) since the submission portal opens April 27, 2026 and the first preliminary report deadline is June 30, 2026 — a compressed timeline for firms still selecting auditors.

AI-drafted from the source document, validated against GovPing's analyst note standards. For the primary regulatory language, read the source document.
Published by NSE India on nsearchives.nseindia.com. Detected, standardized, and enriched by GovPing. Review our methodology and editorial standards.


What changed

NSE India has issued final audit timelines and implementation guidelines for trading members conducting cyber security audits under SEBI's Cybersecurity and Cyber Resilience Framework (CSCRF), categorizing requirements for Qualified REs, Mid-size/Small REs providing IBT or Algo trading facilities, and Rest of REs, with preliminary report submission deadlines of June 30, 2026 and corrective action report deadlines of September 30, 2026.

Trading members holding multiple SEBI registrations (Custody, AIF, RA/IA, PMS, Merchant Bankers) must self-categorize according to CSCRF criteria, with board-approved categorization verified during audits, and must use only CERT-In empanelled auditing organizations following CERT-In's Comprehensive Cyber Security Audit Policy Guidelines; non-compliant entities face financial penalties per Annexure D.

What to do next

  1. Verify your entity's self-categorization is reviewed and approved by the Board of Directors/Designated Director
  2. Ensure your selected auditor is CERT-In empanelled
  3. Submit preliminary cyber audit report by June 30, 2026 and ATR by September 30, 2026

Archived snapshot

Apr 22, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

National Stock Exchange of India Limited Circular

Department: INSPECTION
Date: April 22, 2026
Ref No: NSE/INSP/73849
Circular Ref. No: 19/2026

To All Trading Members,

Sub: Cyber Security and Cyber Resilience Audit of Trading Members

This is with reference to SEBI Circular No. SEBI/HO/ITD-1/ITDCSCEXT/P/CIR/2024/113 dated August 20, 2024, on 'Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs)' and the subsequent clarification circulars dated December 31, 2024, March 28, 2025, April 30, 2025 and August 28, 2025, and the Frequently Asked Questions (FAQ) dated June 11, 2025, issued by SEBI.

As per clause no. 4.4 (Cyber Audit) of the CSCRF circular dated August 20, 2024, the cyber audit shall cover 100% of the critical systems and 25% of non-critical systems chosen on a sample basis, for which the rationale of checking on a sample basis (non-critical systems) and the chosen sample size shall be explicitly mentioned in the audit report by the auditor.

Further, as per clause no. 4.4.1 of the CSCRF circular dated August 20, 2024, REs shall ensure that no audit cycle is left unaudited (if any) due to a change in category at the beginning of the financial year. In all such cases, the unaudited period shall be included in the current audit cycle.

For the implementation of the CSCRF guidelines for Cyber Audit by REs, the following timelines have been prescribed, in consultation with SEBI, for the conduct and submission of the Cyber Audit Report on a half-yearly/yearly basis for trading members:

| Audit Period | Applicability | Preliminary Audit Report submission | Corrective Action taken Report (ATR) submission |
|---|---|---|---|
| Half Yearly (October 2025 - March 2026) | (i) Qualified REs | June 30, 2026 | September 30, 2026 |
| Yearly (April 2025 - March 2026) | (ii) Mid-size REs and Small-size REs who are providing IBT or Algo trading facility (if applicable); Rest of the REs (except Self-certification REs) | June 30, 2026 | September 30, 2026 |

Further, many Trading Members/REs hold multiple registrations/licenses with SEBI for services such as Custody, AIF, RA/IA, PMS, Merchant Bankers, etc., for which Exchanges are not the reporting authority. Hence, for compliance with the standards and guidelines published under the SEBI CSCRF circular dated August 20, 2024 and the subsequent clarification circulars issued by SEBI, Trading Members/REs shall categorize themselves as per the criteria laid down in the said circulars. The categorization so determined by Trading Members/REs shall be reviewed and approved by the entity's Board of Directors/Designated Director, or the Proprietor or Partner or technical advisory committee, as applicable, for each financial year. Additionally, during the course of the Cyber Audit under CSCRF, auditors shall verify/validate whether the categorization determined/provided by the trading member (RE) is in accordance with the SEBI CSCRF framework.

Submission of the Cyber Security and Cyber Resilience Audit Report shall be considered complete only after the trading member submits the report to the Exchange after providing management comments. Further, the auditor must provide the compliance status for each TOR item as Compliant/Non-Compliant/Not Applicable, and for any TOR item which is not applicable, the auditor is required to provide justification for the non-applicability of the said TOR.

The auditor selection norms and the guidelines to be adhered to by auditors/REs for the conduct of the cyber audit as per the provisions of CSCRF have been given in Annexure A. Further, the detailed Terms of Reference (TOR) applicable for the Cyber Audit as per the CSCRF Framework have been given in Annexure B.

While selecting/appointing a CERT-In empanelled auditing organization/entity, Trading Members/REs are advised to assess the number of members the auditing organization/entity is currently servicing and the size of its audit team. This evaluation is essential to ascertain that the audit is comprehensive and that the audit team can dedicate adequate time and resources, so that the integrity and effectiveness of the audit process are not compromised.

CERT-In has published Comprehensive Cyber Security Audit Policy Guidelines, which are intended to serve as a reference for empanelled auditing and auditee organizations. Accordingly, to ensure a consistent, effective and secure approach to Cyber Security Audits (as prescribed in the SEBI circular dated August 28, 2025), REs shall follow the Comprehensive Cyber Security Audit Policy Guidelines as published by CERT-In from time to time.

The cyber audit report shall indicate the scope/perimeter of the coverage of the systems audited regarding the compliances checked, including (but not limited to) computer hardware, business applications, software, cyber governance, and linkage with vendor systems.

The formats of the Cyber Audit report, Executive Summary, Auditor Declaration, Scope of Audit, Methodology/Audit approach, Summary of findings, Control-wise compliance status of SEBI CSCRF and Conclusion of cyber audit have been enclosed as Annexure C.

The link for submission of auditor details, Cyber Audit Report/Compliance related submissions, Summary of Findings, and Auditor Declaration shall be available w.e.f. April 27, 2026.

All members are advised to take note of the above, bring the provisions of this circular to the notice of the auditors, and put in place adequate systems and procedures to ensure strict adherence to the compliance requirements.

Trading Members are requested to refer to Annexure 1.2 of Circular Ref No. NSE/INSP/73792 dated April 17, 2026, on actions for non-compliance observed in periodic submissions by trading members related to the Cyber Audit Report. The details of financial disincentive(s)/penalties/disciplinary action(s) have been provided in Annexure D.

For and on behalf of
National Stock Exchange of India Limited

Prashant Aier
Chief Manager - Inspection

Enclosure:
  Annexure A - Auditors Selection Norms & Guidelines to Auditors for Cyber Audit
  Annexure B - Terms of Reference (TOR) applicable for Cyber Audit as per CSCRF
  Annexure C - Cyber Audit Report Format
  Annexure D - Actions for Non-Compliance observed in periodic submissions by trading members related to Cyber Audit Report

Note: The user manual for Cyber Audit submission on ENIT is as follows:

For Trading Member
  ENIT-> NEW-TRADE-> Trade-> Cyber Audit -> Cyber Audit Help File-> Auditor Registration
  ENIT-> NEW-TRADE-> Trade-> Cyber Audit -> Cyber Audit Help File-> Trading Member Submission
  ENIT-> NEW-TRADE-> Trade-> Cyber Audit -> Cyber Audit Help File-> ATR

For Auditor
  ENIT-> NEW-TRADE-> Trade-> Cyber Audit -> Cyber Audit Help File-> Auditor Submission
  ENIT-> NEW-TRADE-> Trade-> Cyber Audit -> Cyber Audit Help File-> ATR

In case of any clarifications, Trading Members may contact our below offices:

| Regional Office | E MAIL ID | CONTACT NO. |
|---|---|---|
| Ahmedabad (ARO) | inspectionahm@nse.co.in | 079-49008632 |
| Chennai (CRO) | inspectioncro@nse.co.in | 044-66309915 / 17 |
| Delhi (DRO) | delhiinspection@nse.co.in | 011-23459127 / 38 / 46 |
| Kolkata (KRO) | inspectionkolkata@nse.co.in | 033-4040 0455/59 |
| Mumbai (WRO) | compliancewro@nse.co.in | 022-26598200 / 022-61928200 |
| Central Help Desk | compliance_assistance@nse.co.in | |

Annexure A

Auditors Selection Norms & Guidelines to Auditors for Cyber Audit

  1. Auditor Selection Norms

    1.1 The Auditing Organization/Entity must mandatorily be CERT-In empanelled.

    1.2 The Auditor of the Auditing Organization/Entity must preferably have a minimum of 3 years of experience in IT audit of Banking and Financial services, preferably in the Securities Market, e.g. stock exchanges, clearing houses, depositories, stockbrokers, depository participants, mutual funds, etc. The audit experience should have covered all the major areas mentioned under the various cybersecurity frameworks and guidelines issued by SEBI from time to time. Auditing experience of the Cybersecurity Framework under ISO 27001 for an organization will be an added advantage.

    1.3 The Auditor of the Auditing Organization/Entity must have experience in, or direct access to experienced resources in, the areas covered under CSCRF. It is recommended that the resources employed hold relevant industry-recognized certifications, e.g. CISA (Certified Information Systems Auditor) from ISACA, CISM (Certified Information Security Manager) from ISACA, GSNA (GIAC Systems and Network Auditor), or CISSP (Certified Information Systems Security Professional) from the International Information Systems Security Certification Consortium, commonly known as (ISC)2.

    1.4 The Auditor of the Auditing Organization/Entity shall have ISMS/IT audit/governance frameworks and processes conforming to leading industry practices like COBIT.

    1.5 The CERT-In empanelled Auditing Organization/Entity can perform a maximum of 3 consecutive years of audits of the RE. However, such CERT-In empanelled Auditing Organization/Entity shall be eligible for reappointment after a cooling-off period of two years.

    1.6 The Auditor and Auditing Organization/Entity must not have any conflict of interest in conducting a fair, objective and independent audit of the REs. It shall not have been engaged over the last two years in any consulting engagement with any departments/units of the RE being audited.

    1.7 The Auditor and Auditing Organization/Entity may not have any cases pending against its previous auditees, which fall under SEBI's jurisdiction, which point to its incompetence and/or unsuitability to perform the audit task.

    1.8 The Auditor of the Auditing Organization/Entity shall have experience of performing VAPT.

    1.9 The Auditor of the Auditing Organization/Entity must compulsorily use licensed tools.

    1.10 The Auditing Organization/Entity must compulsorily enter into a Non-disclosure Agreement (NDA) with the auditee. Under no circumstances should the data sought during the review, or the audit report subsequently, leave the jurisdiction of India.

  2. Guidelines to Auditors

    To conduct the cyber audit as per the provisions of CSCRF, the following guidelines are to be adhered to:

    2.1 The RE shall ensure that an NDA is signed between the RE and the Auditing Organization/Entity prior to initiation of the cyber audit.

    2.2 All audit reports shall be submitted strictly as per the format provided in CSCRF.

    2.3 The coverage of the audit shall be as follows:

      (a) REs which have been declared as CIIs by NCIIPC shall follow the guidelines/circulars issued by NCIIPC for selecting the sample size for critical/non-critical assets.

      (b) The rest of the REs shall take the sample size as mentioned in 'CSCRF Compliance, Audit Report'.

      (c) The RE shall ensure that 100% of its critical systems are covered under the cyber audit. Further, the RE shall ensure that for the 25% of non-critical systems, the sample size and sampling method are mentioned explicitly in the audit report, with the rationale of checking on a sample basis and the chosen sample size.

    2.4 As part of the audit of the RE, the auditor of the Auditing Organization/Entity shall verify, and certify, whether there is a clear delineation/demarcation of roles and responsibilities between the RE and the Hosted service provider (as given in the definitions section). The auditor of the Auditing Organization/Entity shall also verify, and certify, whether the above-mentioned demarcation of roles and responsibilities has been incorporated in the agreement/contract signed between the RE and the Hosted service provider.

    2.5 The auditors of the Auditing Organization/Entity shall also validate adherence to the timelines as stated in 'Section 4: CSCRF Compliance, Audit Report Submission, and Timelines' of CSCRF.

    2.6 For mandatory TOR points/guidelines, the auditor of the Auditing Organization/Entity shall verify whether the guidelines have been implemented as mentioned in the CSCRF. If there are any variations, auditors shall mention the same with relevant evidence in their report.

    2.7 For TOR points/non-mandatory guidelines, auditors shall verify whether REs have implemented equivalent controls or higher. If the implemented measures are not lower/weaker than the stated guidelines, auditors of the Auditing Organization/Entity shall mention the same with proper evidence in their report.

    2.8 For standards where no guidelines are mentioned, auditors shall verify that REs have implemented the industry best practices.

    2.9 The auditor of the Auditing Organization/Entity shall ensure that the evidence is comprehensively stated with the observations made in the report. Auditors shall provide an appropriate description of the evidence verified for each standard/guideline.

    2.10 The risk-rating category (critical/high/medium/low) shall be presented clearly in the audit observations.

    2.11 The auditor of the Auditing Organization/Entity shall compulsorily give recommendations and suggestions to mitigate the critical and high observations made in the report, for the consideration of the REs. REs shall examine these recommendations and take them to their respective IT Committee for REs for remediation.

    2.12 REs shall securely store the evidence provided by the auditor. This evidence may be scrutinized during regulatory inspections/investigations.

    2.13 The auditor of the Auditing Organization/Entity shall verify the closure of previous audit observations and mention the status of the same in the audit report.

    2.14 If any observation is repeated from the previous audit, the auditor of the Auditing Organization/Entity shall clearly mark it as a repeat observation.

    2.15 The auditor's report(s) shall include an assessment of the identification of assets as critical/non-critical.

    2.16 The auditor's report(s) shall be accompanied by the auditor's certificate of adherence to the above-mentioned points.

    2.17 Other recommended references:

      (a) IT Security Auditing Guidelines for REs:
        https://www.cert-in.org.in/PDF/guideline_auditee.pdf

      (b) Guidelines for CERT-In empanelled Information Security Auditing Organizations:
        https://www.cert-in.org.in/PDF/Auditor_Guidelines.pdf

      (c) Comprehensive Cyber Security Audit Policy Guidelines:
        https://www.cert-in.org.in/PDF/ComprehensiveCyberSecurityAuditPolicy_Guidelines.pdf

Annexure B

Terms of Reference (TOR) applicable for Cyber Audit as per CSCRF

GV.RR.S3 Has the RE designated a senior official as Chief Yes No No 1(a) Information Security Officer (CISO) whose function would be to assess, identify, and reduce cybersecurity risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cybersecurity and cyber resilience policy approved by the Board/Partners/Proprietor of the RE? Is the reporting of the CISO directly to the MD & CEO of their organization? Does the CISO possess sufficient qualification and capabilities to carry out his/her responsibilities? Has the RE established a reporting procedure to facilitate communication of cybersecurity incidents/unusual activities to the CISO or to the senior management in a time-bound GV.RR.S3 Has the RE appointed a senior official or No Yes Yes 1(a)(i) manner as defined by management personnel (the 'Designated Officer') responsible for assessing, identifying, , etc.? and reducing cybersecurity risks; responding Details QualifMid-Small to incidents; establishing appropriate ToR Page 8 of 74 CSCRF ied size -size Is the level, grade, and standing of the CISO at standards and controls; and directing the Type REs REs REs least equivalent to CTO/CIO? Governance development and implementation of

GV.RR.S5, Has the RE ensured that every employee hired, Yes Yes No 1(c) GV.RR.S6 irrespective of the department or role, presents a low/no threat to the REs' processes and procedures in line with the GV.RR.S4 Has the RE ensured that adequate resources Yes Yes No cybersecurity posture by following the below 1(b)(i) are allocated and aligned with the steps? cybersecurity and cyber resilience policy approved by the Board, Partners, or cybersecurity risk strategy, roles and 1. Conducting due diligence responsibilities, and policies? Whether the 2. Ensuring employees receive proper security Proprietor? Has the RE implemented a resources are defined in terms of budgetary training during onboarding and on a regular reporting procedure to communicate cybersecurity incidents/unusual activities to GV.RR.S4 Has the RE allocated an adequate percentage Yes Yes No allocation, people, and material, and are basis 1(b) resourcing requirements revisited regularly 3. Following employment screening the Designated Officer within a time-bound of the total IT budget to cybersecurity? Has Details QualifMid-Smallframework, in compliance with SEBI or GoI based upon progress or shortfalls in the procedures, employment policies and ToR this allocation been mentioned under a Page 9 of 74 implementation of standards and reflected in agreements, employment termination CSCRF ied size -size guidelines, policies, laws, circulars, or separate budgetary head for monitoring by the GV.RR.S6 Has the RE signed a confidentiality and Yes Yes No Type 1(d) REs REs REs the budgetary allocation? procedures, etc.? integrity agreement with third-party service regulations? Board of Directors or top-level management?

GV.PO.S1, Has the RE formulated a comprehensive Yes Yes Yes 1(e)(i) GV.PO.S1, Has the policy document been approved by Yes Yes Yes 1(e)(iii) GV.PO.S2, Cybersecurity and Cyber Resilience policy GV.PO.S2, the Board / Partners / Proprietor of the RE? Is GV.PO.S1, Whether the policy document is reviewed by Yes Yes Yes 1(e)(iv) GV.PO.S5 document encompassing CSCRF as part of the GV.PO.S1, In case of deviations from the suggested Yes Yes Yes GV.PO.S5 the policy document reviewed by the GV.PO.S2, the aforementioned group at least annually 1(e)(ii) Details QualifMid-Smallproviders and conducted due diligence of all operational risk management framework to aforementioned group periodically with a view GV.PO.S5 with the view to strengthen and improve its GV.PO.S1, Whether the Policy Approval Date is captured Yes Yes Yes GV.PO.S1, Has policy version maintained for all the Yes Yes Yes GV.PO.S1, Whether the policy is approval is captured in Yes Yes Yes 1(e)(vii) 1(e)(vi) 1(e)(v) ToR GV.PO.S2, framework, whether reasons for such Page 10 of 74 CSCRF ied size -size third-party service providers accessing their IT manage risks to systems, networks and GV.PO.S5 deviations, technical or otherwise, are to strengthen and improve cyber resilience Cyber Security and Cyber Resilience GV.PO.S2, in the respective policy? GV.PO.S2, policy/procedure documents? GV.PO.S2, policy/procedure documents? Type REs REs REs systems? databases from cyber-attacks and threats? GV.PO.S5 provided in the policy document? posture? framework? GV.PO.S5 GV.PO.S5

GV.PO.S1, Does the RE have policies (including but not Yes Yes Yes 1(e)(viii) GV.PO.S2, limited to) with respect to asset management, GV.PO.S5 patch management, vulnerability management, VAPT policy, audit policy, monitoring of the networks and endpoints, configuration management, change management, secure software development life cycle management, authentication policies, authorization policies and processes, network segmentation/isolation policies, commissioning internet-facing assets, encryption policies, PII and privacy policies, cybersecurity control management policy, asset ownership documentation, etc., and a chain of command for any approval process in GV.PO.S1, Does the Cybersecurity Policy include the Yes Yes Yes 1(e)(ix) the organization with respect to GV.PO.S2, following process to identify, assess, and cybersecurity? GV.PO.S5 manage cybersecurity risks associated with processes, information, networks, and Do the policies contain do's and don'ts in the systems: organization with respect to the usage of 1. Identify critical IT assets and risks information assets including desktops, associated with such assets. laptops, BYOD, networks, internet, data, etc. 2. Protect assets by deploying suitable as a part of the RE's cybersecurity policy or as controls, tools, and measures. Details QualifMid-Smallstandalone policies? The aforementioned 3. Detect incidents, anomalies, and attacks ToR Page 11 of 74 CSCRF ied size -size policies may form a part of RE's cybersecurity through appropriate monitoring Type REs REs REs policy or may be standalone policies. tools/processes.

GV.PO.S1, As part of compliance management with Yes Yes No 1(e)(xi) GV.PO.S2, respect to CSCRF, Whether the RE has applied GV.PO.S5 the following key aspects (including but not limited to) for implementing compliance management:

  1. Assess Compliance with applicable
    , etc., issued by SEBI or GoI.

  2. Develop compliance policies and
    procedures

  3. Implement controls such as security
    measures

  4. Train employees

  5. Monitor and review compliance
    GV.PO.S1, Does the organization follow the Plan-Do-Yes Yes No 1(e)(x) management processes 4. Respond by taking immediate steps after GV.PO.S2, Check-Act concept while creating and using 6. Regular audits and reporting. identification of the incident, anomaly, or GV.PO.S5 documented information, where activities while the Auditor must list all applicable attack. under the 'Plan' phase are guided by Policies, GV.PO.S1, Whether the Board/Partners/Proprietor of the Yes Yes No 1(e)(xii) implementations of Circulars, Notices, 5. Recover from the incident through incident Details QualifMid-Smallthe 'Do' phase follows Procedures (SOPs), and Guidelines, and advisories published by CERT-GV.PO.S2, RE has constituted an IT Committee for REs ToR management and other appropriate recovery Page 12 of 74 the 'Check' and 'Act' phases refer to the GV.PO.S5 comprising experts proficient in technology? CSCRF ied size -size In, CSIRT-Fin Advisories, SEBI, and Type mechanisms? REs REs REs Policies and Procedures? Exchanges/Depositories. Does this IT Committee of REs meet on a

periodic basis to review the implementation of the cybersecurity and cyber resilience policy approved by their Board/Partners/Proprietor, GV.PO.S1, Whether policy document have considered the Yes Yes Yes 1(f) GV.PO.S1, Does the aforementioned committee and the Yes Yes No 1(e)(xiii) and does such review include goal setting for a GV.PO.S2, principles prescribed by National Critical GV.OC.S2, Does the RE define and document roles and Yes Yes No 1(g) GV.PO.S2, senior management of the RE, including the target level of cyber resilience, and GV.PO.S5 Information Infrastructure Protection Centre GV.OC.S3 responsibilities of its employees, outsourced establishing a plan to improve and strengthen GV.PO.S5 CISO, periodically review instances of (NCIIPC) of National Technical Research staff, and employees of vendors, members or cybersecurity incidents/attacks, if any, cybersecurity and cyber resilience? Is the GV.PO.S1, Whether the RE has incorporated best Yes Yes No Organization (NTRO), Government of India participants and other entities, who may have GV.OV.S4 Whether the RE has conducted self-Yes No No 1(e)(xiv) 1(h) Details QualifMid-Smallreview placed before the domestically and globally, and take steps to GV.PO.S2, practices from standards such as ISO 27001, (titled 'Guidelines for Protection of National assessments of its cyber resilience using CCI ToR privileged access or use systems/networks of Page 13 of 74 strengthen cybersecurity and cyber CSCRF ied size -size Board/Partners/Proprietor of the RE for GV.PO.S5 ISO 27002, etc., or their subsequent revisions, Critical Information Infrastructure') and the stockbroker/depository participants and submit corresponding evidence to its Type REs REs REs resilience? submission authority annually? Is CCI and its appropriate action? if any, from time to time? subsequent revisions, if any, from time to time. towards ensuring the goal of cybersecurity?

calculation methodology done as outlined in (Annexure-K) of SEBI CSCRF? Whether the RE has strived to build an automated tool and PR.IP.S4, Before introducing new technologies for Yes Yes Yes 1(j) suitable dashboards (preferably integrated PR.IP.S1 Has the RE ensured that IT, OT, and IS Yes Yes Yes PR.IP.S6 critical systems, has the RE ensured that the RS.IM.S2 Have the updates and changes in the Yes Yes Yes RC.CO.S1, Has the RE discussed recovery plans with the Yes Yes Yes 1(m) 1(n) 1(i) contingency plan, COOP, training exercises, with a log aggregator) for submitting infrastructure is 'secure by design', 'secure by IT/security team has assessed evolving RC.CO.S2, IT Committee for REs? Do the plans include Details QualifMid-Smallcompliance of CCI? Is a dashboard available at engineering/ implementation', and that the security concerns and achieved a fair level of PR.MA.S3 Is the procurement of hardware/software Yes Yes Yes and incident response and recovery plan been RC.CO.S3 stakeholders' coordination in the recovery PR.IP.S3 Is the change management process part of all Yes Yes No ToR 1(k) 1(o) Page 14 of 74 RS.MA.S1 Has the CCMP been approved by the Yes Yes Yes 1(l)(i) CSCRF ied size -size the time of cyber audit, onsite inspection/audit infrastructure has appropriate elements to maturity with such technologies before aligned with the technology refresh policy of RS.MA.S1 Has the RE formulated an up-to-date CCMP in Yes Yes Yes communicated and approved by the process, and both internal and external Type 1(l) agreements with third-party service providers REs REs REs by SEBI or any agency appointed by SEBI? incorporating them into IT infrastructure? the RE? Board/Partners/Proprietor of the RE? Board/Partners/Proprietor? communication? to ensure that changes to the system are ensure 'secure IT operations'? line with the national CCMP of CERT-In?

Column key (as in the source table, Page 15 of 74): CSCRF standard | Details | Qualified REs | Mid-size REs | Small-size REs | ToR reference

PR.IP.S14 | Periodic Audit | Yes | Yes | Yes | 1(p)
  1. Has the RE engaged only CERT-In empanelled IS auditing organizations for conducting external audits, including cyber audits, to audit the implementation of all standards mentioned in this framework?
  2. Has the CERT-In empanelled IS auditing organization been changed after three consecutive years?
  3. Along with the cyber audit reports, has the RE also submitted a declaration from the Managing Director (MD)/Chief Executive Officer (CEO) as mentioned in Annexure-C?
  4. Does the audit management process of the RE include (but not limited to) audit program/calendar, planning, preparation, delivery, evaluation, reporting, and follow-up, etc.?
  5. For conducting audits, are CERT-In 'IT Security Auditing Guidelines for Auditee Organizations' followed by the RE? Additionally, are CERT-In 'Guidelines for CERT-In Empanelled IS Auditing Organizations' (as outlined in SEBI CSCRF) mandated for empanelled IS auditing organizations?
  6. Is due diligence with respect to the audit process and the tools used for such audits undertaken by the RE to ensure the competence and effectiveness of audits?

PR.IP.S3 | Does the RE have a clearly defined framework for change management including submission, requirements justifying exception(s), duration of exception(s), the process of granting exception(s), and authority for approving and for periodic review of exception(s) given? | Yes | Yes | No | 1(o)(ii)

PR.IP.S3 | Does the Change Management process include (but not limited to) planning (impact analysis, rollout plan), approval, implementation, review (post-implementation), closure, etc., implemented in a controlled and coordinated manner? | Yes | Yes | No | 1(o)(i)

PR.MA.S3 | Has the RE established a patch management policy to ensure that all applicable patches (at both PDC and DR Site) are identified, assessed, tested, and applied to all IT systems/applications in a timely manner? Has the policy been approved by the IT Committee for REs? Additionally, is the above-mentioned policy on patch management reviewed by the IT Committee for REs on an annual basis? | Yes | No | No | 1(s)

EV.ST.S1, EV.ST.S2, EV.ST.S3 | Does the RE proactively assess and take necessary actions with respect to its system's requirements, architecture, design, configuration, acquisition processes, or operational processes as a strategy for adaptation to the identified and prospective threats and vulnerabilities? | Yes | Yes | No | 1(q)

EV.ST.S1, EV.ST.S2, EV.ST.S3 | Does the RE strive to rapidly deploy and integrate existing and new services, both on-premises and in the cloud? | Yes | Yes | No | 1(q)(i)

PR.IP.S17 | Does the RE follow the latest version of CIS Controls or equivalent standards, which are prioritized sets of safeguards and actions for cyber defence and provide specific and actionable ways to mitigate prevalent cybersecurity incidents/attacks? | Yes | No | No | 1(r)

DE.DP.S4 | Have the results of the red teaming exercise been placed before the IT Committee for REs and the Governing board? Have the lessons learned from conducting such red team exercises been shared with SEBI within 3 months of completing the exercise? Is the status of the remediation of the observations found during the red team exercise monitored by the IT Committee for REs? | Yes | No | No | 1(t)

RS.CO.S2 | Does the IT Committee for REs discuss response plans, coordination with stakeholders for consistency in response actions, information sharing for better awareness, etc.? | Yes | No | No | 1(u)

RC.RP.S2 | Have the results of the Cyber resilience testing been placed before the IT Committee for REs? Have the lessons learned from conducting such cyber resilience testing been shared with SEBI within 3 months from the end of the relevant period of conducting cyber resilience testing? Is the status of the observations found during the cyber resilience testing being monitored and tracked by the IT Committee for REs? | Yes | No | No | 1(v)

Identification

GV.SC.S5 | Has the RE obtained SBOM for their existing critical systems within 6 months (starting from the date of applicability of SEBI CSCRF)? | Yes | Yes | Yes | 2(a)

GV.SC.S5 | Has the RE obtained SBOMs for any new critical systems software products/Software-as-a-Service applications (SaaS) at the time of procurement? Do SBOMs containing information such as all the open source and third-party components present in a codebase, versions of the components used in the codebase, and their patch status, etc., allow security teams to quickly identify any associated security or license risk? | Yes | Yes | Yes | 2(a)(i)

GV.SC.S5 | Whether the SBOM obtained has included (but not limited to) the following? | Yes | Yes | Yes | 2(a)(ii)
  1. License information
  2. Name of the supplier
  3. All primary (top level) components with all their transitive dependencies (including third-party dependencies whether in-house or open-source components) and relationships
  4. Encryption used
  5. Access control
  6. Cryptographic hash of the components
  7. Frequency of updates
  8. Known unknown (where a SBOM does not include a full dependency graph)
  9. Methods for accommodating occasional incidental error
  10. All software/applications required for core critical business operations (irrespective of in-house or third-party) shall have a SBOM

GV.SC.S5 | Are Software Bill of Materials (SBOM) regularly reviewed for open-source and third-party components, dependencies, data components, with documented risk assessments and update processes in place? | Yes | Yes | Yes | 2(a)(iii)

ID.AM.S1, ID.AM.S4 | Has the RE maintained an up-to-date inventory of their (including but not limited to) hardware and systems, software, digital assets (such as URLs, domain names, applications, APIs, etc.), shared resources (including cloud assets), interfacing systems (internal and external), details of its network relationships, etc.? | Yes | Yes | Yes | 2(b)

ID.AM.S1, ID.AM.S4 | Has the RE identified and classified critical systems as defined in the SEBI CSCRF framework based on their sensitivity and criticality for business operations, services, and data management? Is the list of critical systems approved by the Board/Partners/Proprietor of the RE? | Yes | Yes | Yes | 2(b)(i)
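A check of the SBOM contents listed under 2(a)(ii), written as an added example for this page and not taken from the circular or from NSE/SEBI. It reads a CycloneDX-style JSON document (constructed here, with hypothetical component names and placeholder hashes) and reports missing license, supplier, hash and relationship data, treating a component with no dependency entry as a "known unknown" in the sense of item 8.

```python
"""Audit a CycloneDX-style SBOM (JSON) for the contents expected under
checklist item 2(a)(ii).  Added example; the SBOM below is constructed and
the component names are hypothetical."""
import json

# Constructed sample SBOM in CycloneDX JSON shape (hash values are placeholders).
SAMPLE_SBOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "component": {"bom-ref": "app", "name": "order-router", "version": "2.3.0",
                  "supplier": {"name": "Example Broker Ltd (constructed)"}}
  },
  "components": [
    {"bom-ref": "lib-a", "name": "libalpha", "version": "1.4.2",
     "supplier": {"name": "Alpha Project"},
     "licenses": [{"license": {"id": "Apache-2.0"}}],
     "hashes": [{"alg": "SHA-256", "content": "<placeholder-sha256-a>"}]},
    {"bom-ref": "lib-b", "name": "libbeta", "version": "0.9.1",
     "hashes": [{"alg": "SHA-256", "content": "<placeholder-sha256-b>"}]},
    {"bom-ref": "lib-c", "name": "libgamma", "version": "3.0.0",
     "supplier": {"name": "Gamma Org"},
     "licenses": [{"license": {"id": "MIT"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-a", "dependsOn": ["lib-c"]}
  ]
}
""")


def dependency_graph(sbom):
    """Map each bom-ref that has a dependency entry to the refs it depends on."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}


def transitive_dependencies(sbom, ref):
    """All refs reachable from `ref` (item 3: top-level components with their
    transitive dependencies and relationships)."""
    graph = dependency_graph(sbom)
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        dep = stack.pop()
        if dep not in seen:
            seen.add(dep)
            stack.extend(graph.get(dep, []))
    return seen


def audit_sbom(sbom):
    """Return a list of findings; an empty list means every check here passed."""
    findings = []
    root = sbom.get("metadata", {}).get("component", {})
    components = {c["bom-ref"]: c for c in sbom.get("components", [])}
    graph = dependency_graph(sbom)

    # Item 2: name of the supplier, for the product itself and for each component.
    if not root.get("supplier", {}).get("name"):
        findings.append("primary component: supplier name missing")
    for ref, comp in components.items():
        if not comp.get("supplier", {}).get("name"):
            findings.append(f"{ref}: supplier name missing")
        # Item 1: license information.
        if not comp.get("licenses"):
            findings.append(f"{ref}: license information missing")
        # Item 6: cryptographic hash of the component.
        if not comp.get("hashes"):
            findings.append(f"{ref}: cryptographic hash missing")

    # Item 3: every relationship must point at a component that is in the SBOM.
    known_refs = set(components) | {root.get("bom-ref")}
    for ref, targets in graph.items():
        for target in targets:
            if target not in known_refs:
                findings.append(f"{ref}: depends on {target}, which is not listed as a component")

    # Item 8: a component with no dependency entry at all has an unrecorded
    # dependency graph.  CycloneDX distinguishes "no dependencies" (an empty
    # dependsOn list) from "unknown" (no entry), so the latter is flagged.
    for ref in components:
        if ref not in graph:
            findings.append(f"{ref}: no dependency entry (known unknown; declare it explicitly)")
    return findings


if __name__ == "__main__":
    print("transitive dependencies of app:", sorted(transitive_dependencies(SAMPLE_SBOM, "app")))
    for finding in audit_sbom(SAMPLE_SBOM):
        print("FINDING:", finding)
```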

ID.AM.S1, ID.AM.S4 | Has any additions/deletions or changes in existing assets reflected in the asset inventory within 3 working days? | Yes | Yes | Yes | 2(b)(ii)

ID.AM.S1, ID.AM.S4 | For conducting criticality assessment of assets, resources, connections to its network, and data flows, whether the RE has taken the following steps (including but not limited to): | Yes | Yes | Yes | 2(b)(iii)
  1. Maintain a comprehensive asset inventory
  2. Conduct threat modelling (based on risk assessment)
  3. Conduct vulnerability assessment

ID.RA.S1, ID.RA.S2 | Risk Management: Does the RE conduct a risk assessment in consultation with their IT committee (including post-quantum risks) of the IT environment of their organization on a yearly basis to acquire visibility and a reasonably accurate assessment of the overall cybersecurity risk posture? Is the aforementioned risk assessment utilized by the RE to develop a quantifiable cybersecurity risk score? | Yes | Yes | No | 2(c)

ID.RA.S1, ID.RA.S2 | Has the RE accordingly identified cyber risks that they may face, along with the likelihood of associated threats and their impact on their business, and deployed controls commensurate to their criticality? | Yes | Yes | No | 2(c)(i)

ID.RA.S1, ID.RA.S2 | Does Risk Assessment include (but not limited to): | Yes | Yes | No | 2(c)(ii)
  1. Technology stack and solutions used
  2. Known vulnerabilities
  3. Dependence on third-party service providers
  4. Data storage, security and privacy protection
  5. Threats, likelihoods and associated risks

ID.AM.S6 | Are all IT assets inventoried in the ITSM tool? | Yes | Yes | No | 2(d)

GV.SC.S5 | Has the RE integrated cybersecurity considerations into product life cycles? Whether encryption is used? Whether access control is in place? | Yes | Yes | Yes | 2(e)

Protection

PR.AA.S6 | Is an effective authentication policy implemented with the defined complexity of the password? | Yes | Yes | Yes | 3(a)

PR.AA.S6 | Has the RE implemented strong password controls for users' access to systems, applications, networks, and databases, etc.? Do password controls include (but not limited to) a change of password upon first login, minimum password length and history, password complexity as well as maximum validity period? Are all generic user IDs and email IDs which are not in use removed after the use? Is the user credential data stored using strong hashing algorithms? | Yes | Yes | Yes | 3(b)

PR.AT.S3 | Does RE provide access to mobile and web applications to a customer only at her/his option based on specific written or authenticated electronic requisition along with a positive acknowledgement of the terms and conditions? | Yes | Yes | Yes | 3(c)

Risk Management

GV.RM.S1, GV.RM.S2 | A) Whether the design of the cyber risk management framework has considered the following (including but not limited to): | Yes | Yes | No | 4(a)
  1. Identification of the cybersecurity risk for the organization
  2. Classification of identified and mapped business functions, supporting processes, and information assets at risk.
  3. Determination of risk appetite for IT and cybersecurity risks.
  4. Definition of mitigation measures and controls to reduce the risks.
  5. Monitoring of the effectiveness of the above-mentioned measures and controls.
  6. Evaluation of the effect of major changes and significant operational, technical, or cybersecurity incident(s) on the risks?
  7. Whether the RE has used the latest version of ISO 27005 as a guidance on design, implementation, and maintenance of information security risk management?
  8. Does the risk management strategy of the RE include (but not limited to) risk assessment, risk analysis, risk mitigation, risk monitoring and review, compliance with relevant laws and regulations, communication of risk management policies to all stakeholders, effective mitigation measures with options for compensatory controls wherever feasible, measures to reduce residual risk and ensuring that the cybersecurity risk tolerance is within acceptable limits?

GV.RM.S1, GV.RM.S2 | (items 9 to 11 below) | Yes | Yes | No | 4(a)(i)
  9. Does the RE utilize metrics such as Mean Time to Detect (MTTD), Mean Time to Respond (MTTR), Mean Time to Contain (MTTC), the number of cybersecurity incidents/intrusion attempts detected and resolved within a specific period, the number of false positives and false negatives generated by cybersecurity monitoring tools, the number of successful cyber attacks in the past year, and the measures taken to reduce these numbers through continuous refinement of the monitoring process to assess their cybersecurity maturity level?
  10. Does the RE periodically assess the level of employee cybersecurity awareness, for e.g., through phishing test success rates, etc.?
  11. Does the RE undertake periodic IT asset management for functions such as the number of devices on the network running end-of-life (EOL) software, the number of devices no longer receiving security updates, unidentified devices on the internal network, the integration of third-party devices and services into the network, etc.? Further, is IT asset management also utilized for the process of managing assets' access and permissions, patching cadence, security rating, third-party security rating, the number of known vulnerabilities, etc.?

GV.RM.S3 | (items below) | Yes | Yes | No | 4(b)
  1. Is comprehensive scenario-based testing conducted to assess the cybersecurity risks of the RE? REs shall prepare their own attack scenarios as per their business model and assess their risks accordingly.
  4. Is a risk-based transaction monitoring or surveillance process implemented as part of the fraud risk management system across all delivery channels?

PR.AA.S12 | Physical Security | Yes | Yes | Yes | 5(a)
  1. Is physical access to critical systems restricted to a minimum and provided only to authorized officials?
  2. Is physical access provided to third-party service providers properly supervised by ensuring that third-party service providers are accompanied at all times by authorized employees?
  3. Are employees of the RE screened before being granted access to organizational information and information systems?
  4. Is physical access to critical systems revoked immediately when it is no longer required?
  5. Has the RE ensured that the perimeter of the critical equipment rooms, if any, is physically secured and monitored by employing physical, human, and procedural controls such as security guards, CCTVs, card access systems, mantraps, bollards, etc., wherever appropriate?

ID.RA.S4 | 1. Is a risk assessment of authentication-based solutions conducted to gain insights into the context behind each login attempt? Additionally, does the risk-based authentication solution analyze factors such as device, location, network, and sensitivity when a user attempts to sign in? | Yes | Yes | Yes | 4(c)

PR.AA.S1, PR.AA.S2, PR.AA.S3, PR.AA.S7, PR.AA.S9 | Access Control | Yes | Yes | Yes | 6(a)
  1. Does any person, by virtue of rank or position have any intrinsic right to access confidential data applications, system resources, or facilities?
  2. Is access to RE systems, applications, networks, and databases granted for a defined purpose and period?
  3. Is access to IT systems, applications, databases, and networks granted on a need-to-use basis and based on the principle of least privilege? Are such access provided for a specific duration using effective authentication mechanisms?
  4. Are user access rights, delegated access, unused tokens, and privileged users' activities reviewed periodically?
  5. Is access to external cloud services such as Dropbox, Google Drive, iCloud, OneDrive, etc., given as per RE's policy?
  6. Are account access lock policies implemented for all accounts after a certain number of failed login attempts?
  7. Are existing user accounts and access rights periodically reviewed by the system owner to detect dormant accounts, accounts with excessive privileges, unknown accounts, or any discrepancies?
  8. Are proper 'end of life' mechanisms adopted for user management to deactivate access privileges of users who are leaving the organization or whose access privileges have been withdrawn? Does this include named user IDs, default user IDs, and generic email IDs?
  9. REs shall formulate an Internet access policy to monitor and regulate the use of internet and internet based services such as social media sites, cloud-based internet storage sites, etc. within the critical IT infrastructure of REs.
  10. Does RE deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users)? Do such controls and measures include restricting the number of privileged users, periodic review of privileged users' activities, disallow privileged users from accessing systems logs in which their activities are being captured, strong controls over remote access by privileged users, etc.?

PR.AA.S1, PR.AA.S2, PR.AA.S3, PR.AA.S7, PR.AA.S9 | (items below) | Yes | Yes | No | 6(a)(i)
  1. Is Privileged Identity Management (PIM) solution or process implemented to monitor and manage privileged access?
  2. Does RE implement an access policy that includes strong password controls for users' access to systems, applications, networks, and databases? Do RE deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users)? Do such controls and measures include restricting the number of privileged users, periodic review of privileged users' activities, disallow privileged users from accessing systems logs in which their activities are being captured, strong controls over remote access by privileged users, etc.?
  3. Are delegated access and unused tokens reviewed and cleaned at least on a quarterly basis?

PR.AA.S4, PR.AA.S5 | 1. Does the REs have implemented suggested strategies/methodologies such as Zero-trust networks, segmentation, no single point of failure, high availability, etc. and the same have been approved by IT committee for REs? | Yes | No | No | 6(b)

PR.AA.S17 | Is access management, including effective authentication and authorization, implemented to ensure that only the authorized RE can access the APIs? | Yes | Yes | No | 6(c)

PR.AA.S17 | Does the mobile application undergo re-authentication whenever the device remains unused for a designated period and each time the investor/user launches the application? | Yes | Yes | No | 6(c)(i)

PR.MA.S2 | Has REs ensured a proper remote access policy framework that incorporates the specific requirements for securely accessing enterprise resources (located in the data centre) from home using an internet connection? | Yes | Yes | No | 6(d)
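The periodic access review asked for under 6(a) items 4, 7 and 8 (dormant accounts, accounts unknown to HR, leavers still enabled, generic IDs without an active owner, privileged IDs due for activity review), as an added example that is not part of the circular. The account export, HR roster, review date and 90-day dormancy threshold are constructed assumptions.

```python
"""Periodic user-access review over a constructed access export, covering
6(a) items 4, 7 and 8 of the checklist.  Added example, not from the circular;
the data, the 90-day dormancy threshold and the review date are assumptions."""
from datetime import date

REVIEW_DATE = date(2026, 6, 30)   # assumed review cut-off
DORMANT_DAYS = 90                  # assumed dormancy threshold

# Constructed access export: one row per account in the system under review.
ACCOUNTS = [
    {"user": "asharma",    "enabled": True,  "last_login": date(2026, 6, 20), "privileged": True},
    {"user": "rkumar",     "enabled": True,  "last_login": date(2026, 2, 1),  "privileged": False},
    {"user": "svc_backup", "enabled": True,  "last_login": date(2026, 6, 29), "privileged": True},
    {"user": "tempuser7",  "enabled": True,  "last_login": date(2026, 5, 3),  "privileged": False},
    {"user": "pmehta",     "enabled": True,  "last_login": date(2026, 6, 28), "privileged": False},
    {"user": "old_admin",  "enabled": False, "last_login": date(2025, 1, 15), "privileged": True},
]
# Constructed HR roster: None for active staff, or the exit date for a leaver.
HR_ROSTER = {"asharma": None, "rkumar": None, "pmehta": date(2026, 5, 31)}
# Constructed register of approved generic/service IDs and their named owners.
SERVICE_ACCOUNTS = {"svc_backup": "asharma"}


def review_access(accounts, roster, service_accounts,
                  today=REVIEW_DATE, dormant_days=DORMANT_DAYS):
    """Return (user, finding) pairs for enabled accounts that need action."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue   # already deactivated; nothing to review
        if user in service_accounts:
            # Generic/service ID (item 8): must map to a named owner who is still active.
            owner = service_accounts[user]
            if owner not in roster or roster[owner] is not None:
                findings.append((user, f"generic ID: owner {owner} is not active staff"))
        elif user not in roster:
            # Unknown account (item 7): no person in HR corresponds to it.
            findings.append((user, "unknown account: not in HR roster"))
        elif roster[user] is not None and roster[user] <= today:
            # Leaver still enabled (item 8): access was not deactivated on exit.
            findings.append((user, f"leaver still enabled: exit date {roster[user].isoformat()}"))
        # Dormant account (item 7): no login within the threshold.
        if (today - acct["last_login"]).days > dormant_days:
            findings.append((user, f"dormant: no login for more than {dormant_days} days"))
        # Privileged IDs are listed for the periodic privileged-activity review (item 4).
        if acct["privileged"]:
            findings.append((user, "privileged: include in privileged-activity review"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, SERVICE_ACCOUNTS):
        print(f"{user:12s} {finding}")
```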

Network Security Management

ID.AM.S1, ID.AM.S4 | Has the RE prepared and maintained an up-to-date network architecture diagram at the organizational level including wired and wireless networks? | Yes | Yes | Yes | 7(a)

PR.AA.S1, PR.AA.S2, PR.AA.S3, PR.AA.S7, PR.AA.S9 | (items below) | Yes | Yes | Yes | 7(b)
  1. Do all critical systems accessible over the internet have multi-factor security measures (such as VPNs, firewall controls, etc.) and multi-factor authentication (MFA)?
  2. Is MFA enabled for all users and systems that connect using online/internet facilities, particularly for VPNs, webmail, and accounts that access critical systems from non-trusted environments to trusted environments?

PR.AA.S1, PR.AA.S2, PR.AA.S3, PR.AA.S7, PR.AA.S9 | Network Security Management | Yes | Yes | Yes | 7(b)(i)
  1. Are adequate controls deployed to address virus, malware, and ransomware attacks on servers and other IT systems? Do these controls include host/network/application-based Intrusion Prevention Systems (IPS), customized kernels for Linux, anti-virus, and anti-malware software? Are anti-virus definition file updates and automatic anti-virus scanning performed regularly?
  2. Has the RE established baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices, enterprise mobile devices, etc., within the IT environment? Does the RE also conduct regular enforcement checks to ensure that baseline standards are applied uniformly?
  3. Are the LAN and wireless networks within the organization's premises secured with proper access controls?
  4. Does the RE limit the total and maximum connections to the SMTP server?

PR.AA.S1, PR.AA.S2, PR.AA.S3, PR.AA.S7, PR.AA.S9 | Network Security Management | Yes | Yes | No | 7(b)(ii)
  1. Has the RE applied appropriate network segmentation and isolation techniques to restrict access to sensitive information, hosts, and services? Is segment-to-segment access based on a strong access control policy and the principle of least privilege?
  2. Has the RE installed network security devices, such as Web Application Firewalls (WAF), proxy servers, and Intrusion Prevention Systems (IPS), to protect their IT infrastructure exposed to the internet from security threats originating from internal and external sources?
  3. Has the RE deployed web and email filters on the network? Are these devices configured to scan for known bad domains, sources, and addresses, block these before receiving and downloading messages, filter out emails with known malicious indicators (such as known malicious subject lines), and block suspicious IP addresses and malicious domains/URLs at the firewall? Are all emails, attachments, and downloads scanned with a reputable antivirus solution both on the host and at the mail gateway?
  4. Are network devices configured in line with the whitelist approach of IPs, ports, and services for inbound and outbound communication with proper Access Control List (ACL) implementation?
  5. Has the RE implemented DNS filtering services to ensure only clean DNS traffic is allowed in the environment? Is DNS security extension used for secure communication? Is the management of critical servers, applications, services, and network elements restricted through enterprise-identified intranet systems?
  6. Has the RE implemented Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting & Conformance (DMARC), and DomainKeys Identified Mail (DKIM) for email security?
  7. Does email protection include best practices such as strong password protection, multi-factor authentication (MFA), spam filtering, email encryption, a secure email gateway, and permissible attachment types?
  8. Has the RE blocked malicious domains and IPs after diligent verification without impacting operations? Are CSIRT-Fin/CERT-In advisories, which are published periodically, referred to for the latest malicious domains, IPs, Command & Control (C&C) DNS, and links?
  9. Does the RE maintain an up-to-date and centralized inventory of authorized devices connected to their network (both within and outside the RE premises) and authorized devices enabling the network? Does the RE implement solutions to automate network discovery and management?

PR.AA.S12 | Remote Support Service Security | Yes | Yes | Yes | 7(c)
  1. As many OEMs and their service partners, as well as System Integrators, provide remote support services to organizations, does the RE ensure that these services are well-governed, controlled, logged, and that oversight is maintained on all the activities done by remote support service providers? Are the above complemented by regular monitoring and audit to ensure compliance with the defined policies for privileged users and remote access?
  2. Does the RE ensure secure usage of RDP in IT systems? Is it implemented strictly on a need-to-use basis and does it employ MFA? Is remote access, if necessary, given to authorized personnel from whitelisted IPs for a predefined time period, with a provision to log all activities?

PR.AA.S15 | Endpoint security | Yes | Yes | No | 7(d)
  1. Are solutions like Endpoint Protection Platforms (EPP), Endpoint Detection and Response (EDR), Extended Detection and Response (XDR), and anti-malware software implemented to detect threats and attacks on endpoint devices, and to enable immediate response to such threats and attacks? Does the RE ensure that signatures are updated on all IT systems?
  2. Are solutions like Intrusion Prevention Systems (IPS) and Next-Generation Intrusion Prevention Systems (NG-IPS) used to continuously monitor the organization's network for malicious activities?
  3. Are employees and third-party service providers who may be given authorized access to the critical systems, networks, and other IT resources of REs subject to stringent supervision, monitoring, and access restrictions?

PR.AA.S17 | Has RE ensured connection to entities via APIs being strictly based on a whitelist approach? | Yes | Yes | No | 7(e)

PR.AA.S17 | 1. Does the mobile application check new network connections or connections for unsecured networks like VPN connections, proxy, and unsecured Wi-Fi connections? | Yes | Yes | No | 7(e)(i)

PR.IP.S1 | (items below) | Yes | Yes | Yes | 7(f)
  1. Is the practice of whitelisting ports based on business usage implemented at the firewall level, rather than blacklisting certain ports? Is traffic on all other ports that have not been whitelisted blocked by default?
  2. Does the RE utilize host-based firewalls to prevent Remote Procedure Call (RPC) and Server Message Block (SMB) communications among endpoints wherever possible to limit lateral movement and other attack activities?

5(k) | 1. Is the Network Time Protocol (NTP) server configured to be synchronised with National Physical Laboratory (NPL) or National Informatics Centre (NIC) or any associated servers for synchronisation of all ICT system clocks? | Yes | Yes | Yes | 7(g)

PR.MA.S2 | 1. Does the RE ensure that only trusted client machines are permitted to access enterprise IT resources remotely? Has the RE put in place appropriate security control measures such as (including but not limited to) host integrity check, binding of the MAC address of the device with the IP address, etc., for remote access and telecommuting? Has the RE ensured that appropriate risk mitigation mechanisms are put in place whenever remote access of data center resources is permitted for third-party service providers? | Yes | Yes | No | 7(h)

PR.AA.S1, PR.AA.S2, PR.AA.S3 | Stock Brokers who are providing algorithmic trading facilities shall take adequate measures to isolate and secure the perimeter and connectivity to the servers running algorithmic trading applications | Yes | Yes | Yes | 7(i)

Data security

PR.DS.S4 | Does the RE enforce effective data protection, backup, and recovery measures? | Yes | Yes | Yes | 8(a)

PR.DS.S4 | Has the RE implemented measures to control the usage of VBA/macros in office documents and control permissible attachment types in email systems? | Yes | Yes | Yes | 8(a)(i)

PR.AA.S15 | Restricted Use of Removable Media and Electronic Devices | Yes | Yes | No | 8(a)(ii)
  1. Has the RE defined and implemented a policy for restriction and secure use of removable media (such as USB, external hard disks, etc.) and electronic devices (such as laptops, mobile devices, etc.)?
  2. Does the RE ensure secure erasure of data so that no data is in recoverable form on such media and electronic devices after use?

PR.DS.S4 | Does the RE have a documented data migration policy specifying SOPs and processes for data migration while ensuring data integrity, completeness, and consistency? | Yes | Yes | Yes | 8(b)

PR.DS.S1, PR.DS.S2, PR.DS.S3 | Data and Storage Devices Security | Yes | Yes | No | 8(d)
  1. Is data encrypted in motion, at rest, and in-use by using strong encryption methods?
  2. Whether data-in-use encryption for cloud deployments as per reference mentioned in Annexure J of SEBI circular No. SEBI/HO/ dated August 20, 2024 is followed or not?
  3. Is layering of Full-disk Encryption (FDE) along with File-based Encryption (FBE) used wherever possible?
  4. Does the RE use industry-standard, strong encryption algorithms (e.g., RSA, AES, etc.) wherever encryption is implemented?
  5. Are the illustrative measures given in Annexure-H and Annexure-I of CSCRF circular been provided for data security on customer-facing applications and data transport security being implemented?
  6. Have Data Loss Prevention (DLP) solutions or processes been deployed by the RE?
  7. Has the RE implemented measures to prevent unauthorized access, copying, and transmission of data/information held in contractual or fiduciary capacity?
  8. Does the RE ensure that the confidentiality of information is not compromised during the process of exchanging and transferring information with external parties?
  9. Are the illustrative measures been provided in data transport security to ensure the security of data during internet transmission being implemented?
  10. Does the information security policy cover the use of devices such as mobile phones, photocopiers, scanners, etc., which can be used for capturing and transmission of sensitive data within their IT infrastructure?
  11. Are access policies for personnel and network connectivity for such devices defined?
  12. Does the RE allow only authorized data storage devices within their IT infrastructure?

PR.AA.S17 | 1. Does the mobile application store/retain sensitive personal/investor authentication information such as user IDs, passwords, keys, hashes, hardcoded references, etc., on the device? Does the application securely wipe out any sensitive investor/user information from memory when the investor/user exits the application? | Yes | Yes | No | 8(c)

Hardening of Hardware and Software

PR.DS.S4 | Does the RE block administrative rights on end-user workstations/PCs/laptops by default and provide access rights on a need basis as per the established process and approvals for the specific duration for which it is required? | Yes | Yes | Yes | 9(a)

PR.IP.S1 | Does the implementation of the principle of least functionality include measures such as configuring only essential capabilities and disabling unnecessary and/or unsecured functions, ports, protocols, services, etc., within the information system, through appropriate validation processes? | Yes | Yes | Yes | 9(b)

PR.IP.S1 | Hardening of Hardware and Software | Yes | Yes | Yes | 9(b)(i)
  1. Does the RE deploy only hardened and vetted hardware/software? During the hardening process, does the RE, inter-alia, ensure that default usernames and passwords are replaced with non-standard usernames and strong passwords, and all unnecessary services are removed or disabled in software/systems?
  2. Has OS hardening been done to protect servers'/endpoints' OS and minimize attack surface and exposure to threats?
  3. Does the RE ensure that for running services, non-default ports are used wherever applicable? Has the RE blocked open ports on networks and systems that are not in use or could potentially be exploited? Does the RE monitor all open ports and take appropriate measures to secure them?
  4. Has the RE restricted the execution of "PowerShell" and "wscript" in their environment, if not required? Additionally, has the RE installed the latest version of PowerShell, with enhanced logging enabled, script block logging, and transcription enabled? Are the associated logs being sent to a centralized log repository for monitoring and analysis?

PR.IP.S1 | Does the RE use application directory whitelisting on all assets to ensure that only authorized software is run and all unauthorized software is blocked from installation/execution? | Yes | Yes | No | 9(b)(ii)

PR.AA.S15 | Are the PowerShell and local admin rights disabled by default on endpoint machines and used only for a specific purpose and for a limited time? | Yes | Yes | No | 9(c)

EV.ST.S1, EV.ST.S2, EV.ST.S3 | Does the RE strive to reduce their attack surfaces? | Yes | Yes | No | 9(d)

EV.ST.S1, EV.ST.S2, EV.ST.S3 | Does the RE look for the feasibility of deploying diverse operating systems? Would an attack or compromise on one type of OS affect other OSs deployed? | Yes | Yes | No | 9(d)(i)

Application Security in Customer Facing Applications

GV.PO.S1, GV.PO.S2, GV.PO.S5 | Has the RE formulated a policy for mobile and web applications and associated services with the approval of their Board/Partners/Proprietor? Do the contours of the policy, while discussing the parameters of any "new product" including its alignment with the overall business strategy and inherent risk of the product, risk management/mitigation measures, compliance with regulatory instructions, customer experience, etc., explicitly include security requirements from Functionality, Security, and Performance (FSP) angles? | Yes | Yes | Yes | 10(a)

PR.AT.S3 | Has the RE mentioned/incorporated a section on the mobile and web application clearly specifying the process and procedure (with forms/contact information, etc.) to lodge customer/investor grievances with respect to technology-related issues and cybersecurity? Has a mechanism been put in place to keep this information periodically updated? Does the reporting facility on the application provide an option for registering a grievance? Is customers'/investors' dispute handling, reporting, and resolution procedure, including the expected timelines for response, clearly defined? | Yes | Yes | Yes | 10(b)

PR.AT.S3 | Does RE mention/incorporate a section on the mobile and web application clearly specifying the process and procedure (with forms/contact information, etc.) to lodge customer/investor grievances with respect to technology-related issues and cybersecurity? Is a mechanism in place to keep this information periodically updated? Does the reporting facility on the application provide an option for registering a grievance? | Yes | Yes | Yes | 10(b)(i)

PR.AT.S3 | Does the RE provide a mechanism on their mobile and web application for their customers/investors with necessary authentication to identify/mark a transaction as fraudulent for seamless and immediate notification to his entities? On such notification by the customer/investor, do they endeavor to build the capability for seamless/instant reporting of fraudulent transactions to the corresponding beneficiary/counterparty's entities; vice-versa have a mechanism to receive such fraudulent transactions reported from other entities? | Yes | Yes | Yes | 10(b)(ii)

PR.IP.S4, PR.IP.S6 | Secure Software Development Cycle (SSDLC) | Yes | Yes | Yes | 10(d)
  1. Has the RE prepared business requirement documents with clear mentioning of security requirements, session management, audit trail, logging, data integrity, security event tracking, exception handling, etc.?
  2. Has the RE conducted threat modelling and application security testing during the development phase for the secure rollout of software and applications?
  3. Has the RE referred to standards, security guidelines for application security and other protection measures given by OWASP (for e.g., OWASP-ASVS)?
  4. Has the RE adopted the principle of defence-in-depth to provide a layered security mechanism?

PR.IP.S4, PR.IP.S6 | Secure Software Development Life Cycle (SSDLC) | Yes | Yes | No | 10(d)(i)
  1. Does the RE undertake regression testing before new or modified systems are implemented?
  2. Does the scope of these tests cover business logic, security controls, system performance under various stress-load scenarios, and recovery conditions?

PR.DS.S4 | Do the security controls for mobile and web applications focus on how these applications handle, store, and protect PII and other business-related data? | Yes | Yes | Yes | 10(c)

PR.DS.S4 | Do web and mobile applications store sensitive information in HTML hidden fields, cookies, or any other client-side storage to avoid any compromise in the integrity of the data? | Yes | Yes | Yes | 10(c)(i)

PR.IP.S15 | (items below) | Yes | Yes | Yes | 10(e)
  1. Are the tests/audits mentioned in point 1 (a- limited to cybersecurity aspects? Does application security testing also include API security and API discovery?
  2. Does the scope of the functional audit cover data integrity, report integrity, and transaction integrity, etc.?

PR.AA.S17 | API Security: | Yes | Yes | No | 10(f)
  1. Does the RE use effective API security strategies like rate limiting and throttling while developing APIs to prevent overuse or abuse?
  2. Does the RE have API security solutions in place for securing services and data transmitted through APIs?
  3. Does the RE follow OWASP documentation for developing APIs, and are OWASP top 10 API security risks mitigated?
  4. Any entity connecting to REs via APIs, is that allowed to connect strictly on a whitelist-based approach?
  5. Has the RE ensured compliance to Exchange circular NSE/INSP/62912 dated July 11, 2024?

PR.AA.S17 | (items below) | Yes | Yes | No | 10(f)(i)
  1. Does the mobile application implement a device-binding solution to create a unique digital identity based on the device, mobile number, and SIM?
  2. Is OWASP - MASVS referred for implementing mobile application security and other protection measures?
  3. Has the RE implemented measures such as installing a "containerized" app on mobile/smartphones for exclusive business use that is encrypted and separated from other smartphone data/applications? Have measures been implemented to initiate a remote wipe on the containerized app,

PR.DS.S1, PR.DS.S2, PR.DS.S3 | Application Security in Customer Facing Applications: | Yes | Yes | Yes | 10(g)
  1. Does the RE address application security for customer-facing applications offered over the Internet, such as IBTs (Internet-Based Trading applications), portals containing sensitive or private information, and back-office applications (repositories of financial and personal information offered by RE to customers), given their significant attack surfaces due to public availability?

  1. Is the illustrative list of measures provided Guidelines for Application Security and Yes No No 10(f)(ii) in Annexure G of SEBI circular No. SEBI/HO/ PR.AA.S17 Emerging Technologies PR.DS.S5 Does the RE ensure that separate production Yes No No PR.DS.S5 Does the RE conduct System Integration Yes No No 10(h)(i) 10(h) rendering the data unreadable, in case of Has the RE prepared SOPs for open-source dated August 20, 2024 for ensuring security and non-production environments are Testing (SIT) after development and/or requirement? Details QualifMid-Smallapplication security and concerns from in customer-facing applications under maintained for the development of all feature enhancement to ensure that the ToR Page 37 of 74 CSCRF ied size -size emerging technologies like Generative AI application authentication security being software/applications and feature Type complete software/application is working as REs REs REs security? implemented? enhancements? required?

PR.DS.S5 | ToR 10(h)(ii) | Qualified: Yes / Mid-size: No / Small-size: No
  1. During the development phase of any software or application intended for use by RE or its customers, is it ensured that vulnerabilities identified by best practice baselines, such as OWASP Top 10 and SANS Top 25 software security vulnerabilities, are addressed?
  2. Has the RE adopted methodologies such as DevSecOps to ensure the secure development of their applications and software?

Patch management

GV.SC.S5 | ToR 11(a) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
  1. Does the RE have a defined schedule for patch updates? How frequently are these updates applied to ensure the security and integrity of the software and systems?

PR.DS.S4 | ToR 11(b) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE ensure that their digital certificates used in IT systems are renewed well in advance to prevent any lapses in security?

PR.MA.S3 | ToR 11(c) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Has the RE established and ensured that the patch management procedures include the identification, categorization, and prioritization of patches and updates? Is an implementation timeframe for each category of patches established to apply them in a timely manner?

PR.MA.S3 | ToR 11(c)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
  1. Does the organization update all operating systems and applications with the latest patches on a regular basis?
  2. Does the organization consider virtual patching as an interim measure for zero-day vulnerabilities when patches are not available?
  3. Does the organization source patches only from the authorized sites of the OEM to ensure their authenticity and security?

PR.MA.S3 | ToR 11(c)(ii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
  1. Does the RE perform comprehensive and rigorous testing of security patches and updates, wherever possible, before deployment into the production environment to ensure that the application of patches does not impact other systems?
  2. For emergency patching, does the RE deploy patches within the timelines stipulated by the OEMs?

PR.MA.S3 | ToR 11(c)(iii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the organization ensure that all patches are tested first in a non-production environment that closely resembles the production environment?

PR.MA.S3 | ToR 11(c)(iv) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE have established processes for tracking patch compliance across all IT systems and applications, and are these compliance reports submitted to the respective IT Committee on a quarterly basis?

PR.MA.S3 | ToR 11(c)(v) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the organization implement compensatory controls, such as virtual patching, for legacy systems for a maximum period of 6 months? Does the organization ensure that the constraints necessitating virtual patching are legitimate and properly documented?

PR.MA.S3 | ToR 11(c)(vi) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE ensure that post-application of any patch/update, the resources deployed are adequate enough to deliver the expected performance?

PR.MA.S3 | ToR 11(c)(vii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the organization ensure that hardware and software of critical systems are replaced before they reach End-of-Life or End-of-Support to maintain security and operational integrity?

PR.MA.S3 | ToR 11(c)(viii) | Qualified: Yes / Mid-size: No / Small-size: No
  1. Does the RE ensure that patches are implemented at both PDC and DR sites within the following upper/maximum time limits based on their criticality: High: 1 week; Moderate: 2 weeks; Low: 1 month?

Disposal of data, systems, and storage devices

PR.AA.S13, PR.AA.S14 | ToR 12(a) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Has the RE formulated a data-disposal and data-retention policy to identify the value and lifetime of various parcels of data?

PR.AA.S13, PR.AA.S14 | ToR 12(a)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Has the RE framed suitable policies for disposal of storage media and systems? Is the critical data/information on such devices and systems removed by using methods such as wiping/cleaning/overwrite, degauss/crypto shredding/physical destruction as applicable?

ID.AM.S1, ID.AM.S4 | ToR 13(a) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
  1. Does the organization conduct threat modelling based on risk assessment to identify and mitigate potential vulnerabilities early in the software development lifecycle?
  2. Does the organization conduct regular vulnerability assessments to identify, quantify, and prioritize security weaknesses in their systems and applications?

PR.IP.S15 | ToR 13(b) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
  1. Does the RE ensure that all categories of software solutions, applications, and products for critical systems mandatorily pass through the following tests, audits, and compliances?
    1. Does the RE conduct Dynamic Application Security Testing (DAST) to scan software applications in real-time against leading vulnerability sources, such as OWASP Top 10 and SANS Top 25 CWE, to identify security flaws or open vulnerabilities?
    2. Does the RE conduct Static Application Security Testing (SAST) to analyze program source code and identify security vulnerabilities such as SQL injection, buffer overflows, XML external entity (XXE) attacks, and OWASP Top 10 security risks?
    4. Does the RE conduct functional audits to verify that the software meets all specified requirements and functions correctly?
    5. Does the RE conduct Vulnerability Assessment and Penetration Testing (VAPT) after every major release of the application or software to identify and address security weaknesses?
    6. Does the RE integrate logs from all critical systems with the RE Security Operations Center (SOC) to ensure comprehensive monitoring and incident response?
    7. Does the RE conduct audits of firewall configuration, Web Application Firewall (WAF) configuration, token configuration, and channel identification to ensure robust security settings?
    8. Does the RE generate a Software Bill of Materials (SBOM) to provide a detailed inventory of all components used in the [text missing], enhancing transparency and security?
    9. Does the RE maintain a Requirement Traceability Matrix (RTM) to ensure that all requirements are tracked throughout the development lifecycle and are met?

Vulnerability Assessment and Penetration Testing (VAPT)

DE.CM.S5 | ToR 13(c)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE regularly conduct cybersecurity audits and VAPT with the scope mentioned in CSCRF to detect vulnerabilities in the IT environment? Does the RE conduct in-depth evaluations of the security posture of the system through simulations of actual attacks?

DE.CM.S5 | ToR 13(c)(ii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Do the assets under these audits include (but not limited to) all critical systems, software, infrastructure components (like networking systems, security devices, load balancers, servers, databases, applications, remote access points, systems accessible through WAN, LAN as well as with Public IPs, websites, etc.), and other IT systems pertaining to the operations of RE? An indicative (but not exhaustive and limited to) VAPT scope has been attached at Annexure-L of SEBI circular No. SEBI/HO/ dated August 20, 2024 circular.

DE.CM.S5 | ToR 13(c)(iii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE perform VAPT prior to the commissioning of new systems, especially those which are part of critical systems or connected to critical systems?

DE.CM.S5 | ToR 13(c)(iv) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the organization ensure that revalidation of VAPT is conducted in a time-bound manner post-closure of observations to confirm that all open vulnerabilities have been fixed?

RS.AN.S4, RS.AN.S5 | ToR 13(d) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE conduct compromise assessments through CERT-In empanelled Information Security (IS) auditing organizations?

PR.AA.S15 | ToR 13(e) | Qualified: Yes / Mid-size: Yes / Small-size: No
Guidance on Usage of Active Directory (AD) Servers
  1. Does the RE regularly review the Active Directory (AD) to locate and close existing backdoors, such as compromised service accounts, which often have administrative privileges and are potential targets of attacks?
  2. Does the RE undertake penetration testing activities for known AD Domain Controller abuse attacks?
  3. Does the RE remediate identified weaknesses with the highest priority?

DE.CM.S5 | ToR 13(f) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE ensure that all Stock Brokers and Depository Participants engage only CERT-In empanelled organizations for conducting VAPT? Does the RE ensure that the final report on VAPT is submitted to the RE or Depositories after approval from the Technology Committee of the respective Stock Brokers or Depository Participants within one month of completion of the VAPT activity?

PR.IP.S4, PR.IP.S6 | ToR 13(g) | Qualified: Yes / Mid-size: Yes / Small-size: No
For any production release, is vulnerability assessment undertaken? For all major releases, does the RE conduct a VAPT to assess the risks and vulnerabilities arising from recent additions or modifications in applications/software?

PR.IP.S14 | ToR 13(h) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE conduct revalidation VAPT and cyber audits in a time-bound manner to ensure that all open vulnerabilities in its IT assets have been fixed?

EV.ST.S1, EV.ST.S2, EV.ST.S3 | ToR 13(i) | Qualified: Yes / Mid-size: Yes / Small-size: No
Does the RE anticipate new attack vectors through threat modelling (based on risk assessment) and work to defend them?

EV.ST.S1, EV.ST.S2, EV.ST.S3 | ToR 13(j) | Qualified: Yes / Mid-size: Yes / Small-size: No
Does the RE proactively examine controls, practices, and capabilities for prospective, emerging, or potential threats?

DE.DP.S4 | ToR 13(j)(i) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE conduct red teaming exercises as part of their cybersecurity framework on a half-yearly basis through the use of red/blue teams?

DE.DP.S4 | ToR 13(k) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE deploy a CART solution for continuous, automated processing of testing the security of the systems and achieving greater visibility on attack surfaces?

DE.DP.S4 | ToR 13(k)(i) | Qualified: Yes / Mid-size: No / Small-size: No
Does the red team for red teaming exercises consist of RE employees and/or outside experts? Additionally, is the red team independent of the function being tested?

Monitoring and Detection

ID.RA.S4 | ToR 14(a) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Measures against Phishing websites and attacks: Does the RE proactively monitor the cyberspace to identify phishing websites w.r.t. RE domains and report the same to CSIRT-Fin/CERT-In for taking appropriate action?

PR.AA.S1, PR.AA.S2, PR.AA.S3, PR.AA.S7, PR.AA.S9 | ToR 14(b) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes? Are such logs maintained and stored in a secure location for a time period not less than two (2) years (at least 6 months in online mode and the rest in archival mode)? Does the RE also maintain records of users with access to shared accounts?

PR.AA.S8 | ToR 14(c) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE ensure that all log sources are identified and their respective logs are collected? Additionally, does the RE collect an indicative list of log data types, including system logs, application logs, network logs, database logs, security logs, performance logs, audit trail logs, and event logs?

PR.AA.S8 | ToR 14(c)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE monitor all logs of events and incidents to identify unusual patterns and behaviors?

DE.CM.S1, DE.CM.S2, DE.CM.S3 | ToR 14(d) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Security Continuous Monitoring
  a. Has the RE established appropriate security monitoring systems and processes to facilitate continuous monitoring of security events/alerts and timely detection of unauthorized or malicious activities, unauthorized changes, unauthorized access, and unauthorized copying and transmission of data/information held in contractual or fiduciary capacity by internal and external parties?
  b. Does the RE monitor the security logs of systems, applications, and network devices exposed to the internet for anomalies?
  c. Does the RE generate suitable alerts in the event of detection of unauthorized or abnormal system activities, transmission errors, or unusual online transactions?
  d. To enhance security monitoring, does the RE (except client-based stock brokers having less than 100 clients) employ SOC services for their systems?
  e. Are small-size and self-certification REs onboarded on the above-mentioned Market SOC?

DE.CM.S1, DE.CM.S2, DE.CM.S3 | ToR 14(d)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE utilizing third-party managed SOC services or market SOC obtain an SOC efficacy report from their SOC provider annually, using the quantifiable method outlined in Annexure N of SEBI circular No. SEBI/HO/ dated August 20, 2024, from their SOC provider on a yearly basis?

DE.CM.S1, DE.CM.S2, DE.CM.S3 | ToR 14(d)(ii) | Qualified: Yes / Mid-size: No / Small-size: No
Functional efficacy of SOC: Does the RE assess the functional efficacy of their SOC using the quantifiable method as outlined in Annexure N of SEBI circular No. SEBI/HO/ ITD- 1/ITDCSCEXT/P/CIR/2024/113 dated August 20, 2024? Does the RE review the functional efficacy of SOC on a half-yearly basis?

(CSCRF Type not shown) | ToR 14(d)(iii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
The auditor shall verify that Trading Member's/RE who have implemented/opted for Own / Group SOC (in accordance with SEBI CSCRF guidelines) are maintaining Functional efficacy of SOC & related reports as per guidelines and format provided in Annexure N of SEBI-CSCRF 2024.

PR.AA.S12 | ToR 14(e) | Qualified: Yes / Mid-size: Yes / Small-size: No
Does the RE monitor environmental controls (temperature, water, smoke, etc.), service availability alerts (power supply, servers, etc.), and access logs?

ID.RA.S3 | ToR 14(f) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE engage Dark web monitoring (for brand intelligence, customer protection, etc.), and takedown services as a cyber-defence strategy to check for any brand abuse, data/credentials leak, combating cyber abuse, etc.?

ID.RA.S3 | ToR 14(f)(i) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE have processes in place to manage and incorporate IOAs/ IOCs/ malware alerts/ vulnerability alerts (received from CERT-In or NCIIPC (as applicable) or any other government agencies) in their systems?

(CSCRF Type, ToR and applicability not shown in the source)
Does REs consider deploying a range of security solutions in consultation with their IT Committee, such as threat simulation, vulnerability management, and decoy systems, to assess and enhance their cybersecurity posture?

RS.AN.S1, RS.AN.S2, RS.AN.S3 | ToR 14(g) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE suitably investigate alerts generated from monitoring and detection systems to determine activities that should be performed to prevent the spread of cybersecurity incidents/attacks or breaches, mitigate their effects, and resolve the incidents?

PR.IP.S14 | ToR 14(h) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE strive to build an automated tool and suitable dashboards (preferably integrated with a log aggregator) for submitting compliance with CSCRF? Is a dashboard available at the time of cyber audit, onsite inspection/audit by SEBI or any agency appointed by SEBI?

DE.CM.S4 | ToR 14(i) | Qualified: Yes / Mid-size: Yes / Small-size: No
Does RE ensure high resilience, high availability, and timely detection of attacks on systems and networks exposed to the internet by implementing suitable mechanisms to monitor capacity utilization of its critical systems and networks, such as using firewalls to monitor bandwidth usage?

PR.DS.S1, PR.DS.S2, PR.DS.S3 | ToR 14(j) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does RE implement suitable mechanisms, including the generation of appropriate alerts, to monitor capacity utilization on a real-time basis and proactively address issues pertaining to their capacity needs? For capacity planning and monitoring, REs shall comply with circulars/ guidelines on capacity planning issued by SEBI & exchanges/Depositories (and updated from time to time).

PR.MA.S2 | ToR 14(k) | Qualified: Yes / Mid-size: Yes / Small-size: No
Does the RE ensure that remote access is monitored continuously for any abnormal/unauthorized access, and appropriate alerts and alarms are generated to address this breach before any damage is done?

DE.CM.S4 | ToR 14(l) | Qualified: Yes / Mid-size: Yes / Small-size: No
  a. Is the use of IT assets/resources monitored, tuned, and are projections made for future capacity requirements to ensure the required system performance for meeting the business objectives?
  b. To ensure high resilience, high availability, and timely detection of attacks on systems and networks, does the RE implement suitable mechanisms to monitor capacity utilization of its critical systems and networks? Does the RE's capacity management comprise of three primary types: Data storage capacity (e.g., in database systems, file storage areas, etc.), Processing power capacity (e.g., adequate computational power to ensure timely processing operations), Communications capacity ("bandwidth" to ensure communications are made in a timely manner)?
  c. Is capacity management: Proactive, for example, using capacity considerations as part of change management? Reactive, e.g., triggers and alerts for when capacity usage is reaching a critical threshold so that timely increments (temporary or permanent) can be made?

EV.ST.S1, EV.ST.S2, EV.ST.S3 | ToR 14(m) | Qualified: Yes / Mid-size: Yes / Small-size: No
  6. Does the RE strive to rapidly correlate data using mathematical models and machine learning in order to make data-driven decisions?

EV.ST.S1, EV.ST.S2, EV.ST.S3 | ToR 14(m)(i) | Qualified: Yes / Mid-size: Yes / Small-size: No
  7. Does the RE use auditing/logging systems on different OS to acquire and store audit/logging data?

EV.ST.S1, EV.ST.S2, EV.ST.S3 | ToR 14(m)(ii) | Qualified: Yes / Mid-size: Yes / Small-size: No
  8. In order to include heterogeneity, are different audit/logging regimes applied at different architectural layers?

DE.DP.S5 | ToR 14(n) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE proactively search for hidden and undetected cyber threats in their network?

DE.DP.S5 | ToR 14(o) | Qualified: Yes / Mid-size: No / Small-size: No
Is threat hunting by leveraging threat intelligence, IOCs, IOAs, etc., conducted on a quarterly basis?

RS.MA.S5 | ToR 14(p) | Qualified: Yes / Mid-size: No / Small-size: No
Reporting of Cybersecurity Incidents: Does the RE collaborate with Cyber Swachhta Kendra (CSK) operated by CERT-In to trace bots and vulnerable service(s) running on their public IP addresses, and receive alerts regarding the same? Are the alerts received from CSK closed in a time-bound manner? Are observations (from CSK) which require a longer time to close put up to the IT Committee for REs for their guidance and appropriate mitigation/closure?

DE.CM.S5 | ToR 14(q) | Qualified: Yes / Mid-size: Yes / Small-size: No
In case of vulnerabilities discovered in COTS (used for core business) or empanelled applications, does the RE report them to the vendors and the designated stock exchanges and/ or depositories in a timely manner?

Response and Recovery

GV.OC.S2 | ToR 15(a) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE engage a forensic auditor to identify the root cause of any incident (cybersecurity or other incidents) related to the RE?

RS.MA.S1 | ToR 15(b) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
  i. Has the RE developed an Incident Response Management Plan as part of their CCMP?
  ii. Does the response plan define responsibilities and actions to be performed by the RE employees and support/outsourced staff in the event of a cyberattack or cybersecurity incident?
  iii. Does the RE have an SOP for handling cybersecurity incident response and recovery for the various cybersecurity attacks?
  iv. Whether SOP as per Annexure-O of SEBI circular No. SEBI/HO/ ITD-1/ITDCSCEXT/P/CIR/2024/113 dated August 20, 2024 circular is adhered or not?

RS.CO.S1, RS.CO.S2, RS.CO.S3 | ToR 15(c) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
During the processing of reported incidents by SEBI, does the RE provide regular reports (such as RCA, forensic analysis report, etc.) on the progress of the incident analysis?

RS.CO.S2 | ToR 15(d) | Qualified: Yes / Mid-size: No / Small-size: No
For the purpose of coordinating incident response, does the RE regularly update the contact details of service providers, intermediaries, and other stakeholders?

RS.CO.S2 | ToR 15(d)(i) | Qualified: Yes / Mid-size: No / Small-size: No
If the cyberattack is of high impact and has a broad reach, has the RE taken action as per their approved Cyber Crisis Management Plan (CCMP)?

RS.CO.S2 | ToR 15(d)(ii) | Qualified: Yes / Mid-size: No / Small-size: No
If the cyberattack is of low impact and has a narrow/low reach, does the RE inform all the affected customers/stakeholders?

RS.CO.S2 | ToR 15(d)(iii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE notify the customer/investor, through alternate communication channels, of all transactions including buy/sell, payment or fund transfer above a specified value determined by the customer/investor?

RS.AN.S1, RS.AN.S2, RS.AN.S3 | ToR 15(e) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Data collection: Does the RE collect and preserve data related to the incident, such as system logs, network traffic, and forensic images of affected systems?

RS.AN.S1, RS.AN.S2, RS.AN.S3 | ToR 15(e)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Incident Analysis: Does the RE analyze the data to understand the scope, cause, and impact of the incident, including how the incident occurred, what systems and data were affected, who was responsible, etc.?

RS.AN.S1, RS.AN.S2, RS.AN.S3 | ToR 15(e)(ii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Evidence Preservation: Does the RE preserve evidence related to the incident, including digital artifacts, network captures, and memory dumps, in a secure and forensically sound manner?

RS.AN.S4, RS.AN.S5 | ToR 15(f) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Root Cause Analysis: Does the RE perform a root cause analysis (RCA) to identify the specific control that has failed, the underlying cause of the incident, and the potential areas of improvement?

RS.AN.S4, RS.AN.S5 | ToR 15(f)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Forensic: Is forensic analysis (as appropriate) undertaken by the RE?

RS.AN.S4, RS.AN.S5 | ToR 15(f)(ii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Reporting: Does the RE create a detailed incident report that includes information on the scope, cause, and impact of the incident, as well as recommendations for improving incident response and recovery capabilities?

RS.AN.S4, RS.AN.S5 | ToR 15(f)(iii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Are incidents of loss or destruction of data or systems thoroughly analyzed, and are lessons learned from such incidents incorporated to strengthen the security mechanisms and improve the recovery planning and processes?

RS.IM.S1 | ToR 15(g) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE periodically review and update their contingency plan, COOP, training exercises, and incident response and recovery plans (including CCMP) to incorporate lessons learned, and strengthen their response capabilities in the event of a future incident/attack?

RS.IM.S1 | ToR 15(g)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Post-occurrence of a cybersecurity incident (if any), does the RE update their response and recovery plan (including CCMP) to improve their cyber resilience and incorporate the learnings from the cybersecurity incident?

RC.RP.S1 | ToR 15(h) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Do the response and recovery plans of the RE include scenario-based classifications? Does the RE build their own response and recovery plan as per their business model and include the same in their CCMP?

RC.RP.S1 | ToR 15(h)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the response and recovery plan of the RE include plans for the timely restoration of systems affected by cybersecurity incidents/attacks or breaches (for instance, offering alternate services or systems to customers)? Are tests designed to challenge the assumptions of response, resumption, and recovery practices, including governance arrangements and communication plans? Do these tests include all stakeholders such as critical service providers, vendors, other linked REs, etc.?

RC.RP.S1 | ToR 15(h)(ii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Is an indicative (but not exhaustive) recovery plan for the RE included in Annexure C of SEBI circular No. SEBI/HO/ ITD-1/ITDCSCEXT/P/CIR/2024/113 dated August 20, 2024 followed or not?

RC.RP.S1 | ToR 15(h)(iii) | Qualified: Yes / Mid-size: No / Small-size: No
Has the RE maintained regularly updated "golden images" of critical systems at off-site locations for rebuilding the systems (whenever required)? Does this entail maintaining image "templates" that include a preconfigured operating system (OS), configuration setting backup, and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server?

RC.RP.S1 | ToR 15(h)(iv) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Has the RE explored the possibility of retaining spare hardware in an isolated environment to rebuild systems in an event that starting RE operations from PDC and/or DRS is not feasible? Does the RE also try to keep spare hardware in a ready-to-use state for delivering critical services, and are such systems updated as and when new changes (for example, OS patches, security patches, etc.) are implemented in the primary systems?

RC.RP.S1 | ToR 15(h)(v) | Qualified: Yes / Mid-size: No / Small-size: No
Does the Qualified RE maintain spare hardware in a ready-to-use state for delivering critical services, as it is mandated and as their business is critical to the Indian securities market ecosystem? Does this spare hardware regularly undergo testing in line with the response and recovery plan of the RE?

RC.RP.S1 | ToR 15(h)(vi) | Qualified: Yes / Mid-size: No / Small-size: No
Has the RE taken all necessary precautions while updating the "golden" server images and data backup to ensure that server images and data backups are undamaged/unbroken?

RC.RP.S1 | ToR 15(h)(vii) | Qualified: Yes / Mid-size: No / Small-size: No
In case of ransomware attacks that specifically target backups, does the RE create backups in an isolated and immutable (and/or air-gapped) manner to ensure recovery if the production system is compromised?

RC.RP.S1 | ToR 15(h)(viii) | Qualified: Yes / Mid-size: No / Small-size: No
Has the RE undertaken regular business continuity drills to check the readiness of the organization and effectiveness of existing security controls at the ground level? Does the RE test recovering from a ransomware attack considering both PDC and DRS have been impacted, to assess the effectiveness of people, processes, and technologies to deal with such attacks?

RC.RP.S2 | ToR 15(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
In the event of disruption of any one or more of the critical systems, has the RE designed and tested its systems and processes to enable the safe resumption of critical operations within two hours of a disruption, even in the case of extreme but plausible scenarios? Do the RE's systems have the capability to resume critical operations within two hours (i.e. RTO), and while dealing with a disruption does the RE exercise judgment in effecting resumption so that risks to itself or its ecosystem do not thereby escalate? In consultation with their IT Committee, does the RE also plan for scenarios in which the resumption objective is not achieved? Does the RE have an RPO of 15 minutes for critical systems as per SEBI Circular issued from time to time?

RC.RP.S2 | ToR 15(i)(i) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE conduct comprehensive scenario-based cyber resilience testing at least 2 times in a financial year (periodicity of such testing shall be of 6 months), to validate their ability to recover and resume operations following a cybersecurity incident/attack within prescribed RTO and RPO defined by SEBI CSCRF? In this regard, does the RE incorporate extreme plausible cyberattack scenarios into their cyber response and recovery planning? Are the said scenarios devised by the REs in consultation with their respective IT Committee for REs based on the learning from various sources such as past cybersecurity incidents, near-miss analysis, data from Security Operations Centre, honeypot logs analysis, etc.?

RC.RP.S2 | ToR 15(i)(ii) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE periodically conduct backup testing and restore back-up data to check its usability?

RC.RP.S2 | ToR 15(i)(iii) | Qualified: Yes / Mid-size: No / Small-size: No
For cyber resilience testing, does the RE also include stakeholders such as critical third-party service providers, market intermediaries, linked REs, etc.?

RC.RP.S3 | ToR 15(j) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE conduct suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan?

RC.RP.S4 | ToR 15(k) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
  1. Has the RE formulated a backup and recovery plan approved by their respective IT Committee for REs?
  2. Does the backup and recovery plan include policies and software solutions that work together to maintain business continuity in the event of a security incident?
  3. Does such a plan include guidance on restoration of data with the backup software used by the RE?

RC.RP.S4 | ToR 15(k)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the backup and recovery policy include backup of data as well as backup of server images?

RC.RP.S4 | ToR 15(k)(ii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Are the backups of data and server images maintained at off-site locations to keep backup copies intact and unbroken?

RC.RP.S4 | ToR 15(k)(iii) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Are RTO and RPO, as prescribed by SEBI CSCRF from time to time, included in the [text missing]?

RC.IM.S1 | ToR 15(l) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
While ensuring the protection of data, and security of processes, do the RE's BCP-DR capabilities support its cyber resilience objectives, and rapid recovery and resumption of critical operations after a cybersecurity incident?

RC.IM.S1 | ToR 15(l)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE try to incorporate lessons learned from incidents reported (if any) by other REs? [text missing] recovery plan for the restoration of systems after cybersecurity incidents?

RC.IM.S2 | ToR 15(m) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE meet their RTO for all interconnected systems and networks through capacity upgradations and periodic coordinated resilience testing?

RC.IM.S2 | ToR 15(m)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Is the recovery plan improved after analyzing the learnings from periodic drills?

RS.MA.S2 | ToR 15(n) | Qualified: Yes / Mid-size: Yes / Small-size: No
Does the RE prepare cyber playbooks? Has the RE created a knowledge database for all known adverse conditions and attacks?

EV.ST.S1, EV.ST.S2, EV.ST.S3 | ToR 15(o) | Qualified: Yes / Mid-size: Yes / Small-size: No
Does the RE maintain extra capacity of IT assets for information storage, processing, or communications?

RC.RP.S4 | ToR 15(p) | Qualified: Yes / Mid-size: No / Small-size: No
Does the RE maintain offline, encrypted backups of data and regularly test these backups at least on a quarterly basis to ensure confidentiality, integrity, and availability of data?

RS.CO.S1, RS.CO.S2, RS.CO.S3 | ToR 16(a) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Reporting of Cybersecurity Incidents

RS.CO.S1, RS.CO.S2, RS.CO.S3 | ToR 16(a)(i) | Qualified: Yes / Mid-size: Yes / Small-size: Yes
Does the RE report incidents to CERT-In in accordance with the guidelines/directions issued by CERT-In from time to time? Additionally, does the RE, whose systems have been identified as "Protected system" by NCIIPC, also report the incident to NCIIPC?

Sharing of Information

RS.CO.S2, RS.CO.S3 | (ToR and applicability not shown in the source)
Does the RE share Threat Intelligence data that is collected, processed, and analyzed to gain insights into the motives and behavior of the threat actor, target, attack pattern, etc., on the SEBI Incident Reporting portal?

CSCRF | ToR | Qualified REs | Mid-size REs | Small-size REs | Details
RS.CO.S1, RS.CO.S2, RS.CO.S3 | 16(a)(ii) | Yes | Yes | Yes | Does the RE submit quarterly reports containing information on cyberattacks, threats, cybersecurity incidents, and breaches experienced, along with measures taken to mitigate vulnerabilities, threats, and attacks, including information on bugs/vulnerabilities and threats that may be useful for other REs and SEBI, within 15 days from the quarter ended June, September, December, and March of every year?
RS.CO.S1, RS.CO.S2, RS.CO.S3 | 16(a)(iii) | Yes | Yes | Yes | Does the RE share details deemed useful for other REs in a masked manner using a mechanism specified by SEBI from time to time? While sharing sensitive information, does the RE follow TLP with four levels of sensitivity: white, green, amber, or red?

Training and Education

PR.AT.S1, PR.AT.S2 | 17(a) | Yes | Yes | Yes | Does the RE work on building awareness of cybersecurity, cyber resilience, and system hygiene among employees (with a focus on employees from non-technical disciplines)?
PR.AT.S1, PR.AT.S2 | 17(a)(i) | Yes | Yes | Yes | Does the RE ensure that their employees are aware of potential risks including social engineering attacks, phishing, etc.?
PR.AT.S1, PR.AT.S2 | 17(a)(ii) | Yes | Yes | Yes | Has the RE established thoughtfully designed security awareness campaigns as an essential pillar of defense, stressing the avoidance of clicking on links and attachments in emails? Additionally, does RE refer to advisories issued by CERT-In/CSIRT-Fin for assistance in conducting exercises for public awareness?
PR.AT.S1, PR.AT.S2 | 17(a)(iii) | Yes | Yes | Yes | Does the RE conduct periodic training programs to enhance the knowledge of IT/cybersecurity policy and standards among employees, incorporating up-to-date cybersecurity threats? Where possible, is this extended to outsourced staff, third-party service providers, etc.?

CSCRF | ToR | Qualified REs | Mid-size REs | Small-size REs | Details
PR.AT.S1, PR.AT.S2 | 17(a)(iv) | Yes | Yes | Yes | Does the RE review and update training programs to ensure that the contents remain current and relevant?
PR.AT.S3 | 17(b) | Yes | Yes | Yes | Does the RE improve and maintain customer/investor awareness and education with regard to cybersecurity risks?
PR.AT.S3 | 17(b)(i) | Yes | Yes | Yes | Does the RE encourage customers/investors to report phishing mails/phishing sites and take effective remedial action on such reporting?
PR.AT.S3 | 17(b)(ii) | Yes | Yes | Yes | Does the RE educate the customers/investors on the downside risk of sharing their login credentials/passwords/OTP etc. with any third-party and the consequences thereof?
RS.MA.S2 | 17(c) | Yes | Yes | No | In order to optimize the RE's ability to respond in a timely and appropriate manner, does the RE create cybersecurity awareness? Does the RE provide cybersecurity training to the relevant teams? Does the RE develop or hire people with appropriate skill sets?
ID.RA.S3 | 17(d) | Yes | No | No | Has the RE subscribed to anti-phishing/anti-rogue app services to mitigate potential phishing or impersonation attacks?

Systems managed by vendors

GV.SC.S4 | 18(a) | Yes | No | No | Where the systems (IBT, Back office and other customer facing applications, IT infrastructure, etc.) of a RE are managed by third-party service providers and in case the RE does not have direct control over the implementation of any of the guidelines, whether the RE has instructed the third-party service providers to adhere to the applicable guidelines in the CSCRF and has obtained the necessary cyber audit certifications from them to ensure compliance with the framework?
GV.SC.S4 | 18(a)(i) | Yes | Yes | Yes | Does the responsibility, accountability, and ownership of outsourced activities lie primarily with the RE? Does the RE come up with appropriate monitoring mechanisms […] clearly defined framework to ensure that all the requirements as specified in SEBI CSCRF shall be complied with? Do the periodic reports submitted to SEBI highlight the critical activities handled by the third-party service providers, and does the RE certify that the above-mentioned requirement is complied with?
GV.SC.S4 | 18(a)(ii) | Yes | Yes | Yes | Does the RE conduct background checks and ensure signing of Non-Disclosure Agreements and cybersecurity compliance for all third-party service providers?
PR.DS.S6 | 18(b) | Yes | No | No |
  1. Does the RE obtain the source codes for all critical applications from their third-party service providers?

  2. Where obtaining the source code is not possible, has the RE put in place a source code escrow arrangement or other equivalent arrangements to adequately mitigate the risk of default by the third-party service provider? Does the RE ensure that all product updates and patches/fixes are included in the source code escrow arrangement?

  3. For all the software and applications where vulnerabilities will be identified at a later date, does the RE ensure that the vulnerabilities are mitigated in a time-bound manner? Has the RE also stipulated timelines in their SLA with their third-party service providers for the timely compliance and closure of identified vulnerabilities?

  4. Has the RE put in place appropriate third-party service providers (including software vendors), risk assessment processes, and controls proportionate to their criticality/risk, Service Level Agreements (SLAs) and contractual obligations in order to manage supply chain risks effectively? Third-party service providers shall be mandated to follow similar or higher standards of information security.

  5. Does the RE ensure that maintenance and necessary support for applications/software are provided by the third-party service providers (including software vendors) and that this is enforced through a formal agreement?

GV.OC.S2 | 19(a) | Yes | Yes | Yes | Does the RE understand, manage, and comply with relevant cybersecurity and data security/protection requirements mentioned in government […], SEBI and Exchange/Depositories Compliances, Advisory for Financial Sector Organizations, […] 2023 or any other law/circular/regulation as and when issued, etc., and standard industry practices?
GV.OC.S2 | 19(a)(i) | Yes | Yes | Yes | Does the RE conduct audits and inspections of IT resources of the RE (and its sub-contractors/third-party service providers) or engage third-party auditors to conduct the same and check the adherence with SEBI and government […]?
GV.OC.S2 | 19(a)(ii) | Yes | Yes | Yes | Do the policy and procedures of the RE mention and support the following?: SEBI/Any other government agency shall at any time perform search and seizure of the RE's IT resources storing/processing data and other relevant IT resources (including but not limited to logs, user details, etc.) pertaining to the RE. In this process, SEBI or SEBI-authorized personnel/agencies may access RE IT infrastructure, applications, data, documents, including other necessary information given to, stored, or processed by RE?
GV.OC.S2 | 19(a)(iii) | Yes | Yes | Yes | Do the policy and procedures of the RE mention and support the following: SEBI shall seek the audit reports of the audits conducted […] third-party service providers?
GV.PO.S1, GV.PO.S2, GV.PO.S5 | 19(b) | Yes | Yes | Yes | Whether the RE's policy and procedures includes below clause? All information/ data (classified as Regulatory Data and IT and Cybersecurity Data) that is consumed/ handled by REs shall be made accessible to SEBI when required. If there is any dependency on external party, REs shall facilitate information sharing with SEBI by including it in their agreement with external party.
PR.AA.S8 | 19(c) | Yes | Yes | Yes | Is a strong log retention policy implemented as per […] 2023, and as required by CERT-In, NCIIPC or any other government agency?
PR.DS.S1, PR.DS.S2, PR.DS.S3 | 19(d) | Yes | Yes | Yes | Does the RE keep the Regulatory Data available and easily accessible in legible and usable form within the legal boundaries of India? For investors whose country of incorporation is outside India, does the RE keep the original data available and easily accessible in legible and usable form within the legal boundaries of India? Further, if the Regulatory Data retained within India is not in readable form, does the RE maintain an application/system to read/analyze the retained data?

CSCRF | ToR | Qualified REs | Mid-size REs | Small-size REs | Details
PR.DS.S1, PR.DS.S2, PR.DS.S3 | 19(d)(i) | Yes | Yes | Yes | For SaaS-based cybersecurity solutions and SOC offerings utilized by the RE where the data is not processed/stored within the legal boundaries of India, is such data classified, assessed, and periodically reviewed (at least once in a year) by the respective IT Committee for REs or the equivalent body of the RE? Is such IT and cybersecurity data approved by the Board/Partners/Proprietor annually? Is such data made available to SEBI/CERT-In/any other government agency whenever required within a reasonable time not exceeding 48 hours from the time of request?
PR.DS.S1, PR.DS.S2, PR.DS.S3 | 19(d)(ii) | Yes | Yes | Yes | During data classification, does the RE adhere to data security standards and guidelines and other government […] 2023 or any other law/circular/regulation as and when issued?
PR.DS.S1, PR.DS.S2, PR.DS.S3 | 19(d)(iii) | Yes | Yes | No | For capacity planning and monitoring, does the RE comply with circulars/guidelines on capacity planning issued by SEBI (and updated from time to time)?
ID.RA.S3 | 19(e) | Yes | No | No | Has the RE been onboarded to the CERT-In intelligence platform to receive the advisories for necessary action and implementation?
GV.SC.S7 | 19(f) | Yes | Yes | No | Does the RE comply with the SEBI circulars on outsourcing of activities, which are currently mandated and updated from time to time, as listed in SEBI CSCRF?

Cyber Security Advisory - Standard Operating Procedure (SOP)

RS.MA.S1 | 20(a) | Yes | Yes | Yes | Cyber Security Advisory - Standard Operating Procedure (SOP) for handling cyber security incidents of intermediaries-as per SEBI directives. The aspects which shall form part of the SOP and whether stockbroker/depository participant has complied?

CSCRF | ToR | Qualified REs | Mid-size REs | Small-size REs | Details
RS.MA.S1 | 20(a)(i) | Yes | Yes | Yes | Do members have a well-documented Cyber Security incident handling process document (Standard Operating Procedure - SOP) in place? Is the policy approved by Board of the Member (in case of corporate trading member), Partners (in case of partnership firms) or Proprietor (in case of sole proprietorship firm) as the case may be and be reviewed annually by the "Internal Technology Committee" as constituted under SEBI circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 for review of Security and Cyber Resilience policy?
RS.MA.S1 | 20(a)(ii) | Yes | Yes | Yes | Does member examine the Cyber Security incident and classify the Cyber Security incidents into High/ Medium/ Low as per their Cyber Security incident handling process document? Does the Cyber Security incident handling process document define decision on Action/ Response for the Cyber Security incident based on severity?
RS.CO.S1, RS.CO.S2, RS.CO.S3 | 20(b) | Yes | Yes | Yes | Have members reported the Cyber Security incident to Indian Computer Emergency Response Team (CERT-In)?
RS.CO.S1, RS.CO.S2, RS.CO.S3 | 20(c) | Yes | Yes | Yes | Have members provided the reference details of the reported Cyber Security incident with CERT-In to the Exchange and SEBI? Have members also provided details, regarding whether CERT-In team is in touch with the Member for any assistance on the reported Cyber Security incident? If the Cyber Security incident is not reported to CERT-In, have members submitted the reasons for the same to the Exchange/depositories and SEBI? Have members communicated with CERT-In/ Ministry of Home Affairs (MHA)/ Cyber Security Cell of Police for further assistance on the reported Cyber Security incident?
ID.RA.S3 | 20(d) | Yes | No | No | Has the RE devised SOPs to implement the advisories issued by CERT-In, NCIIPC or any other government agency in their IT environment within a defined timeframe?

Security of Cloud Services:

21(a) | 21(a) | Yes | Yes | Yes | Does the RE check the public accessibility of all cloud instances in use to ensure that no server or bucket is inadvertently leaking data due to inappropriate configurations?
21(b) | 21(b) | Yes | Yes | Yes | Are the tokens exposed publicly in website source code, any configuration files etc.?
21(c) | 21(c) | Yes | Yes | Yes | Has the RE implemented appropriate security measures for testing, staging, and backup environments hosted on the cloud? Has the RE ensured that the production environment is properly segregated from these environments? Additionally, has the RE disabled or removed older or testing environments if their usage is no longer required?
21(d) | 21(d) | Yes | Yes | Yes | Has the RE considered employing hybrid data security tools that focus on operating in a shared responsibility model for cloud-based environments?
21(e) | 21(e) | Yes | Yes | Yes | Ensure alignment with Governance, Risk, and Compliance (GRC) standards within cloud computing operations and practices. Refer principle 1 of SEBI circular Dated March 06, 2023.
21(f) | 21(f) | Yes | Yes | Yes | Ensure compliance with established guidelines and protocols in the selection and engagement of cloud service providers. Refer principle 2 of SEBI circular Dated March 06, 2023.
21(g) | 21(g) | Yes | Yes | Yes | Ensure compliance with data ownership and localization requirements as mandated by relevant regulations and policies within cloud operations. Refer principle 3 of SEBI circular Dated March 06, 2023.

CSCRF | ToR | Qualified REs | Mid-size REs | Small-size REs | Details
21(h) | 21(h) | Yes | Yes | Yes | Ensure that the Regulated Entity assumes responsibility for maintaining compliance with all relevant cloud computing regulations and standards. Refer principle 4 of SEBI circular Dated March 06, 2023.
21(i) | 21(i) | Yes | Yes | Yes | Ensure that the Regulated Entity conducts thorough due diligence when assessing cloud service providers and their compliance with regulatory requirements. Refer principle 5 of SEBI circular Dated March 06, 2023.
21(j) | 21(j) | Yes | Yes | Yes | Is robust security controls implemented and maintained to safeguard data and systems in compliance with cloud computing regulations and standards. Refer principle 6 of SEBI circular Dated March 06, 2023?
21(k) | 21(k) | Yes | Yes | Yes | Ensure that contractual agreements with cloud service providers align with regulatory obligations to maintain compliance within cloud operations. Refer principle 7 of SEBI circular Dated March 06, 2023.
21(l) | 21(l) | Yes | Yes | Yes | Are Business Continuity Planning (BCP), Disaster Recovery, and Cyber Resilience measures integrated into cloud operations to ensure compliance with regulatory requirements. Refer principle 8 of SEBI circular Dated March 06, 2023?
21(m) | 21(m) | Yes | Yes | Yes | Are strategies implemented to manage vendor lock-in and concentration risks effectively in cloud operations to maintain compliance with regulatory standards. Refer principle 9 of SEBI circular Dated March 06, 2023.

CSCRF | ToR | Qualified REs | Mid-size REs | Small-size REs | Details
PR.IP.S15 | 21(n) | Yes | Yes | Yes | Software services in the form of SaaS/hosted services used by RE: 1. Does the RE submit compliance with the technical specifications mentioned in the hosted services definition for the SaaS/hosted services used by them? 2. Does the RE also submit compliance with the adoption of hosted services and SaaS as per the various functions of CSCRF, including Governance, Identify, Protect, Detect, Respond, and Recover? […] Dated March 06, 2023?

Concentration Risk on Outsourced Agencies:

GV.SC.S7 | 22(a) | Yes | Yes | No | Whether the RE has taken into account concentration risk (where single third-party vendors provide services to multiple REs) while outsourcing multiple critical services to the same vendor?
GV.SC.S7 | 22(a)(i) | Yes | Yes | No | Whether the organization has identified third-party service providers posing a concentration risk and prescribe specific cybersecurity controls, including audits of their systems and protocols by independent auditors, to mitigate such risks, and does the organization validate that these third-party service providers are meeting their goals of operational resiliency?

Certification of off-the-shelf products

PR.IP.S15 | 23(a) | Yes | Yes | Yes | Customized COTS: Does the RE ensure that compliance with the tests/audits stated below is met by CERT-In empanelled IS auditing organizations for any customized COTS?
  a. Application security testing:
    i. Dynamic Application Security Testing (DAST) for scanning software applications in real-time against leading vulnerability sources, such as OWASP Top 10, SANS Top 25 CWE, etc. to find security flaws or open vulnerabilities.
    ii. Static Application Security Testing (SAST) for analyzing program source code to identify security vulnerabilities such as SQL injection, buffer overflows, XML external entity (XXE) attacks, OWASP Top 10 security risks, etc.
  b. Functional audit
  c. VAPT after every major release of the application/software
  d. All critical systems logs integrated with the RE's SOC by CERT-In empanelled IS auditing organizations for any customized COTS

PR.IP.S15 | 23(a)(i) | Yes | Yes | Yes | Inhouse developed software: Does the RE ensure that compliance with the below points is submitted by CERT-In empanelled IS auditing organizations?
  1. All the categories of software solutions/applications/products for critical systems used by REs shall mandatorily pass-through the following tests/audits and compliances:
    a. Application security testing:
      i. Dynamic Application Security Testing (DAST) for scanning software applications in real-time against leading vulnerability sources, such as OWASP Top 10, SANS Top 25 CWE, etc. to find security flaws or open vulnerabilities.
      ii. Static Application Security Testing (SAST) for analyzing program source code to identify security vulnerabilities such as SQL injection, buffer overflows, XML external entity (XXE) attacks, OWASP Top 10 security risks, etc.
    b. Functional audit
    c. VAPT after every major release of the application/software
    d. All critical systems logs shall be integrated with RE's SOC.
    e. Audit of firewall configuration, WAF configuration, token configuration and channel identification shall be done.
    f. Software Bill of Material (SBOM)
    g. Requirement Traceability Matrix

Compliance status of last inspection carried out by SEBI/ Exchanges

 | 24(a) | Yes | Yes | Yes | Has Member taken corrective steps to rectify the deficiencies observed in the inspection carried out by SEBI? Further, whether Member has complied with the qualifications/violations made in last SEBI inspection report?
 | 24(b) | Yes | Yes | Yes | Has Member taken corrective steps to rectify the deficiencies observed in the inspection carried out by Exchange? Further, has Member complied with the qualifications/violations made in last Exchange inspection report?

Annexure C

Cyber Audit Report Format

Cyber Audit Report Format for Compliance Submission

NAME OF THE ORGANISATION:
ENTITY TYPE:
ENTITY CATEGORY:
RATIONALE FOR THE CATEGORY: <>
PERIOD OF AUDIT: <>
NAME OF THE AUDITING ORGANISATION:
Date on Which Cyber Audit Report presented to 'IT Committee for REs':

RE's Authorised signatory declaration:

I/ We hereby confirm that the information provided herein is verified by me/ us and I/ we shall take the responsibility and ownership of this cyber audit report. Further, this is to certify that:

  1. Comprehensive measures and processes including suitable incentive/ disincentive structures, have been put in place for identification/ detection and closure of vulnerabilities in the organization's IT systems.

  2. Adequate resources have been hired for staffing our Security Operations Centre (SOC).

  3. There is compliance by us with CSCRF.

Signature:
Name of the signatory:
Designation (choose whichever applicable):
Company stamp:

Annexures:

  1. Minutes of the Meeting (MoM) of 'IT Committee for REs' in which the cyber audit report was approved.

  2. Cyber audit report as submitted by the auditor

This is to be submitted by the auditor on the auditor's letter head.

  1. Auditor's Declaration

TO WHOM SO EVER IT MAY CONCERN

This is to declare and certify that I am a Partner/Proprietor/Director of firm with CERT-In empanelment from to. I have conducted Cyber audit for period <….> as per the requirements of SEBI.

Checklist for Cyber audit as required:

Sr. No | Area | Details of the audit area | Is the Entity Compliant? (Yes/No) | Auditor's comments
1 | Cybersecurity and cyber resilience policy |  |  |
2 | Asset Inventory management |  |  |
3 | Risk assessment and Risk management |  |  |
4 | Supply chain risk |  |  |
5 | Awareness and Training |  |  |
6 | Data security |  |  |
7 | Security continuous monitoring |  |  |
8 | SOC efficacy |  |  |
9 | Incident Management and Response |  |  |
10 | Incident recovery planning |  |  |

I confirm that the audit has been conducted as per the auditor's guidelines prescribed in CSCRF (Cyber Audit). I also confirm that I have no conflict of interest in undertaking the above-mentioned audit.

For and on behalf of
Name:
Contact no.:
Place:
Date:

  2. Executive Summary

  3. Scope of audit/Terms of reference (as agreed between the auditee and auditor), including the standard/specific scope for audit:-
    3.1. List of SEBI Circulars/ Guidelines/ Advisories/ Letters covered:
    3.2. List of all IT infrastructure and geographical locations (including IT systems of PDC, DR, Near site, Co-lo facility) covered under audit
    3.3. Any other specific item(s)

  4. Methodology/ Audit approach (audit subject identification, pre-audit planning, data gathering methodology, sampling methodology etc. followed by the Auditing Organization)

  5. Summary of findings (including identification tests, tools used, and results of tests performed)

  6. List of IT infrastructure/ Geographical locations/ Third-party vendors assessed

    S. No. | Details (assets ID, asset name, applications, etc.) of the Infrastructure | Number of Non-Compliant/Observation: Critical | High | Medium | Low | Risk rating | Any other comments
    1 | PDC |  |  |  |  |  |
    2 | DR |  |  |  |  |  |
    3 | Near-site |  |  |  |  |  |
    4 | Co-location Facility (if applicable) |  |  |  |  |  |
    5 | Cloud Infrastructure |  |  |  |  |  |
    6 | Third-party service provider |  |  |  |  |  |
    7 | Others |  |  |  |  |  |

    S. No. | SEBI circular/ letter/ advisory | Issue date

  7. Detailed Control-wise compliance report & status of SEBI CSCRF will upload detailed report in excel file as per format provided by the exchange/depository.

Sr. No. | TOR Clause | Standards prescribed by SEBI CSCRF (Clause number and text) | Description of Finding(s)/ Observation(s) | Name of the system belongs to RE or third-party | Status/nature of the findings (C/NC/NA) | Risk rating (C/H/M/L) | C/I/A affected | Test cases used | Root Cause Analysis | Impact Analysis | Auditor recommendations/ Corrective actions | Deadline of corrective action(s) | Management response | Whether similar issue was reported in last three audits | *List of documentary evidence including physical inspection/ sample size taken by the auditor
1. | 1(a) | GV.RR.S3 |  |  |  |  |  |  |  |  |  |  |  |  |
2. | 1(a)(i) | GV.RR.S3 |  |  |  |  |  |  |  |  |  |  |  |  |
… | … |  |  |  |  |  |  |  |  |  |  |  |  |  |
N | 24(b) |  |  |  |  |  |  |  |  |  |  |  |  |  |

*Note:
  • Explicit reference to the key auditee organisational documents (by date or version) including policy and procedure documents
  • Explicitly mention sample size and sample methodology covering 25% of the non-critical systems
  1. A brief description of the above-mentioned compliance requirements is as follows-

  2. Standards prescribed by SEBI CSCRF (or any other cybersecurity circular/ letter/ guidelines)
    (Clause number and text)- The clause corresponding to this observation w.r.t CSCRF (or any other cybersecurity circular/ letter/ guidelines) issued by SEBI.

  3. Description of findings/observations - Description of the findings in sufficient details,
    referencing any accompanying evidence

  4. Name of system belongs to RE or vendor - (Self Explanatory term)

  5. Status/ Nature of Findings - The category can be specified, for ex: Compliant, Non-
    Compliant, and Not Applicable

  6. Risk Rating of the finding - A rating shall be given by the auditing organization for each of the
    observations, based on its impact and severity, to reflect the risk exposure as well as the suggested priority for action.

  7. C/I/A Affected - The principles of Confidentiality/ integrity/ availability affected due to issues
    left unaddressed.

  8. Test cases used -The details of test cases used for arriving at this observation. The test
    cases may also be provided as annexures with the report, if required.

  9. Root Cause analysis - A detailed analysis on the cause of the non-conformity.

  10. Impact Analysis - An analysis of the likely impact on the operations/ activity of the RE.

  11. Auditor recommendations/ Corrective actions - The actions to be taken (by the RE) to correct
    the non-conformity.

  12. Deadline of corrective action(s) -The RE shall specify the deadline not only for the corrective
    action(s) to be taken on the system(s) where NC/ observation was found but also specify the deadline for corrective action on systems with related functionalities/ configurations where similar observations could have been found/are found.

Rating | Description
CRITICAL | The failure shall have impact on the system-delivery resulting in outage of services offered by the RE.
HIGH | Represents weakness in control with respect to threat(s) that is/are sufficiently capable and impacts asset(s) leading to regulatory non-compliance, significant financial, operational and reputational loss. These observations need to be addressed with utmost priority.
MEDIUM | Represents weakness in control with respect to threat(s) that is/are sufficiently capable and impacts asset(s) leading to exposure in terms of financial, operational and reputational loss. These observations need to be addressed within a reasonable timeframe.
LOW | Represents weaknesses in control, which in combination with other weakness can develop into an exposure. Suggested improvements for situations not immediately/directly affecting controls.

  13. Management response - Management action plan/taken to address the observation and/ or
    implementation of auditor's recommendation

  14. Whether similar issue was reported in the last three audits - Yes/ No

  15. List of documentary evidence including physical inspection/ sample size taken by the
    auditor

  16. Conclusion of cyber audit

Annexure D

Actions for Non-Compliance observed in periodic submissions by trading members related to Cyber Audit Report

The following penalty/disciplinary actions as provided in Table A would be initiated against the Trading Member for Delay/Non-submission of Preliminary Audit Report and Corrective Action Taken Report.

Table - A

Details of Contravention: Delay/Non-submission of Cyber security and cyber resilience audit report and ATR (if applicable) within the due date. Tag - Financial Disincentive

Action in case of first instance:

  1. Charges Rs. 1,500/- per day for Non QRE & Rs. 3,000/- per day for QRE from the due date till first 7 calendar days or submission of report, whichever is earlier.

  2. Charges of Rs. 2,500/- per day for Non QRE & Rs. 5,000/- per day for QRE from 8th calendar day after the due date to 21st calendar day or submission of report, whichever is earlier.

  3. In case of non-submission of report till 21st calendar days, new client registration shall be prohibited and notice of 7 calendar days for disablement of trading facility till submission of report, shall be issued.

  4. The disablement notice issued to the member will be shared with all the Exchanges for information.

  5. In case of non-submission of report by 28th calendar day, Member shall be disabled in all segments till submission of report.

Action in case of repeat instance:

2nd Time & Onwards - Levy of applicable monetary penalty along with an escalation of 50%. In case of non-submission of report till 21st calendar days, new client registration shall be prohibited and notice of 7 calendar days for disablement of trading facility till submission of report, shall be issued. The disablement notice issued to the member will be shared with all the Exchanges for information. In case of non-submission of report by 28th calendar day, Member shall be disabled in all segments till submission of report.

Further, trading members are also required to submit closure status of all the non-Compliances reported in Cyber Audit by submitting Corrective Action Taken Report (ATR) i.e., within 3 months from the due date of submission of Preliminary Audit Report. In order to ensure strict adherence for closure of non-Compliances within the prescribed timelines, following penalty as provided in Table - B shall be Applicable for each Critical/High/Medium/Low risk non-compliance, which has not been closed in ATR as per prescribed timelines. Table - B

Details of Contravention: Non-closure of each Critical/High/Medium/Low observations, as reported in Compliance Report/ ATR in cyber security and cyber resilience audit report. Tag - Material

Action in case of first instance:

For QRE Members: Critical/High Risk - ₹ 1,00,000/-; Medium Risk - ₹ 50,000/-; Low Risk - ₹ 10,000/-

For Non-QRE Members: Critical/High Risk - ₹ 50,000/-; Medium Risk - ₹ 25,000/-; Low Risk - ₹ 5,000/-

  a) In case the observations are not closed by members within 3 weeks from the due date of submission of ATR, new client registration to be prohibited and notice of 7 days for disablement of trading facility till the closure of observation(s).

  b) The disablement notice issued to the member shall be shared with all the Exchanges for information.

  c) In case of non-closure of observation(s) within 4 weeks from the due date of submission of ATR, Member shall be disabled in all segments until closure of observation(s).

Named provisions

Cyber Audit
Cyber Audit for Trading Members
Auditor Selection Norms
Terms of Reference (TOR)



Classification

Agency
NSE India
Published
April 22nd, 2026
Compliance deadline
June 30th, 2026 (68 days)
Instrument
Rule
Branch
Executive
Legal weight
Binding
Stage
Final
Change scope
Substantive

Who this affects

Applies to
Broker-dealers
Industry sector
5231 Securities & Investments
Activity scope
Cyber security audit Compliance reporting Regulatory submission
Threshold
Qualified REs, Mid-size and Small REs providing IBT or Algo trading facility, Rest of REs (except Self-certification REs)
Geographic scope
IN

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Compliance frameworks
NIST CSF
Topics
Securities Financial Services
