Cyber Security & Cyber Resilience Audit
Cyber Security & Cyber Resilience Audit of Member
In view of the circular issued by SEBI regarding Cyber Security & Cyber Resilience Audit of Trading Members of the Exchange, Members using trading software are required to conduct a Cyber Security & Cyber Resilience Audit of their trading facility in accordance with the Cyber Security & Cyber Resilience Framework, which includes auditor selection norms and Terms of Reference (ToR). Separate ToRs are specified for the Members as categorized below:
- Type I - Members who trade through exchange provided terminals such as TWS.
- Type II - Members who trade through API based trading terminals like CTCL or IBT or WT facility and who may also be Type I Members.
- Type III - Members who use Algorithmic Trading Facility (ATF/ALGO) to trade and who may also be Type I or Type II Members.
Members based on their category are required to undertake Cyber Security & Cyber Resilience Audit of their Software for the period specified below through System Auditor appointed as per Auditor Selection Norms and submit the Cyber Security & Cyber Resilience Audit Report (CSR) to the Exchange within the timeline as mentioned in the table below:
Categories | Audit Period | Due Date: System Audit Report | Due Date: Action Taken Report, if applicable | Due Date: Follow-on Audit Report, if applicable |
Type I – Annual | April-March | 30-Jun | 31-Aug | 31-Dec |
Type II – Annual | April-March | 30-Jun | 31-Aug | 31-Dec |
Type III – Half Yearly | April-September | 31-Dec | 28-Feb | 30-April |
Type III – Half Yearly | October-March | 30-Jun | 31-Aug | 31-Oct |
- The Auditor shall have minimum 3 years of experience in IT audit of Commodities / Securities market participants e.g. exchanges, clearing corporations, depositories, stock brokers, depository participants etc. The audit experience should cover all the major areas mentioned under Terms of Reference (ToR) of the Cyber Security Resilience audit specified by SEBI / stock exchange from time to time.
- The appointed Auditor’s resources should possess at least one of the following certifications:
  - CISA (Certified Information Systems Auditor) from ISACA
  - DISA (Post Qualification Certification in Information Systems Audit) from Institute of Chartered Accountants of India (ICAI)
  - CISM (Certified Information Security Manager) from ISACA
  - CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium, commonly known as (ISC)²
  - CERT-IN empanelled auditor
- The Auditor should have experience of IT audit/governance frameworks and processes conforming to industry leading practices like CobiT.
- The Auditor shall not have any conflict of interest in conducting fair, objective and independent audit of the Trading Member. Further, the directors / partners of Auditor firm shall not be related to any Trading Member including its directors or promoters either directly or indirectly.
- The Auditor shall not have any cases pending against its previous audited companies/firms, which fall under SEBI’s jurisdiction, which point to its incompetence and/or unsuitability to perform the audit task.
- The Auditor can perform a maximum of 3 successive Cyber Security Resilience audits of the Trading Member. Follow-on audits conducted by the Auditor shall not be counted among the successive audits.
Members are required to submit the System Audit Report online through Member Portal - https://member.mcxindia.com. Terms of Reference (ToR) are incorporated in the online Member portal and detailed help file for online submission is available on the path: https://sftp.mcxindia.com/Common. The online CSR portal will be available only to the applicable Members for report submission as per the schedule specified below:
Periodicity of System Audit | Portal Availability |
Half Yearly (April – September) | October 01 to December 31 |
Half Yearly (October – March) | April 01 to June 30 |
Annual / Yearly (April – March) | April 01 to June 30 |
Members are requested to note the list of System Auditors available in the Member Portal - https://member.mcxindia.com. Kindly submit Annexure 1 to ctcl@mcxindia.com for updating Auditor details that are not reflected in the online CSR portal of the Exchange.
Penalty for Late Submission
Late submission charges of Rs. 500/- per day will be levied on Trading Members failing to submit the said reports, for the period of non-submission. The penalty will commence after the due date of the respective audit period and will be levied up to the date of submission of the report. Further, non-compliant Members shall render themselves liable for action as may be deemed fit by the Exchange.