SEBI lays down a framework to deal with technical glitches occurring in the trading systems of stock brokers, effective from 1st April, 2023

The Securities and Exchange Board of India (“SEBI”) has laid down a framework to deal with technical glitches occurring in the trading systems of stock brokers, to be effective from 1st April, 2023.

Definition of technical glitch:

Technical glitch shall mean any malfunction in the systems of the stock broker, including malfunction in its hardware, software, networks, processes or any products or services provided by the stock broker in electronic form. The malfunction can be on account of inadequate infrastructure / systems, cyber-attacks / incidents, procedural errors and omissions, or process failures or otherwise, in their own systems or those outsourced from any third parties, which may lead to either stoppage, slowing down or variance in the normal functions / operations / services of systems of the stock broker for a contiguous period of five minutes or more.

Key Highlights:

Reporting requirements by stock brokers –
1. Inform the stock exchanges about the technical glitch immediately, but not later than 1 hour from the time of occurrence of the glitch.
2. Submit a Preliminary Incident Report to the Exchange within T+1 day of the incident (T being the date of the incident). The report must include the date and time of the incident, the details of the incident, the effect of the incident and the immediate action taken to rectify the problem.
3. Submit a Root Cause Analysis (RCA) Report of the technical glitch to the stock exchange within 14 days from the date of the incident. The RCA Report must include time of incident, cause of the technical glitch (including root cause from vendor(s), if applicable), duration, chronology of events, impact analysis and details of corrective / preventive measures taken (or to be taken), restoration of operations etc.
4. The three submissions above must be e-mailed to infotechglitch@nse.co.in.

Capacity Planning –

1. Conduct capacity planning for the entire trading infrastructure, i.e. server capacities, network availability, and the serving capacity of trading applications.
2. Monitor peak load in your trading applications, servers and network architecture.
3. Deploy adequate monitoring mechanisms within your networks and systems to get timely alerts when current utilization of capacity goes beyond the permissible limit of 70% of installed capacity.

Software testing –

1. Create test-driven environments for all types of software developed by you or your vendors. Regression testing, security testing and unit testing shall be included in the software development, deployment and operations practices.
2. Specified stock brokers shall do their software testing in automated environments.
3. Prepare a traceability matrix between functionalities and unit tests while developing any software that is used in trading activities.
4. Implement a change management process to avoid any risk arising due to unplanned and unauthorized changes for all information security assets (hardware, software, network, etc.).
5. Periodically update all your assets, including servers, OS, databases, middleware, network devices, firewalls, IDS/IPS, desktops etc., with the latest applicable versions and patches.

Monitoring Mechanism –

1. To proactively and independently monitor technical glitches, stock exchanges shall build an API-based Logging and Monitoring Mechanism (LAMA) to be operated between stock exchanges and specified stock brokers’ trading systems. Under this mechanism, specified stock brokers must monitor key systems and functional parameters to ensure that their trading systems function in a smooth manner.
2. Stock brokers and stock exchanges shall preserve the logs of the key parameters for a period of 30 days in the normal course. However, if a technical glitch takes place, the data related to the glitch shall be maintained for a period of 2 years.

Business Continuity Planning (BCP) and Disaster Recovery Site (DRS) –

1. Stock brokers with a minimum client base across the exchanges, as may be specified by stock exchanges from time to time, shall mandatorily establish a business continuity / DR set-up.
2. Put in place a comprehensive BCP-DR policy document outlining standard operating procedures to be followed in the event of any disaster. Put in place a framework to constantly monitor health and performance of critical systems in the normal course of business. The BCP-DR policy document shall be periodically reviewed to minimize incidents affecting the business continuity.
3. The Primary Data Centre (PDC) and DRS must be separated from each other by a distance of at least 250 kilometers to ensure that both of them do not get affected by the same natural disaster.
4. Specified stock brokers must conduct DR drills / live trading from DR site.
5. Stock brokers shall constitute responsible teams for taking decisions about shifting of operations from the primary site to the DR site, putting adequate resources at the DR site, setting up a mechanism to make the DR site operational from the primary data center, etc.
6. Hardware, system software, application environment, network and security devices and associated application environments of DRS and PDC shall have one-to-one correspondence between them.
7. Stock exchanges, in consultation with stock brokers, shall decide upon the Recovery Time Objective (RTO), i.e. the maximum time taken to restore operations from DRS after declaration of disaster, and the Recovery Point Objective (RPO), i.e. the maximum tolerable period for which data might be lost due to a major incident.
8. Specified stock brokers shall obtain ISO certification as may be specified by stock exchanges from time to time in the area of IT and IT enabled infrastructure/processes of the stock brokers.
9. Stock exchanges shall define the terms ‘critical systems’ and ‘disaster’ and issue detailed guidelines with regard to review of the BCP document, DR drill / live trading, operating the DR site from PDC, timeline for obtaining ISO certification etc.

