On Mar. 6, 2025, IND BSE reminded that if any open vulnerabilities are found in VAPT report, members must submit ATR with proof of concept (PoC) by Mar. 31, 2025.
If vulnerabilities remain unresolved after Mar. 31, 2025, trading member must implement compensatory controls, submit detailed report with closure dates via email.
This report must be endorsed by the Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or the designated officer responsible for cybersecurity.
Stockbrokers and trading members must note cir 20230831-17 (#162560) on penalties for non-submission of VAPT/compliance reports or unresolved vulnerabilities.
Submission of ATR for VAPT will be considered complete only after the digitally signed report is submitted and the member receives an acknowledgment email from IND BSE.
On Sep. 16, IND BSE issued notice on compliance reporting.
IND BSE issued notice re submission of vulnerability assessment and penetration testing (VAPT) report and action taken report (ATR), within one month of VAPT.
Guidelines for submission of VAPT report and ATR will be published in Oct. 2024.
Follows IND BSE Sep. 2023 issued notice on submission compliance reports, #185790.
Also follows IND BSE Aug. 2023 issued notice on disciplinary actions, see #162560.
Report Submission
The detailed VAPT report, along with a summary (as per format in annexure A) shall be digitally signed by IND CERT-In empaneled entity and submitted by Dec. 31, 2024.
Any identified gaps must be remedied immediately, compliance of closure of findings from VAPT shall be submitted within 3 months post submission of VAPT report.
Members are required to submit VAPT report/action taken report for FY 2024-25, as per the format in annexure B, by Mar. 31, 2025, on the BSE e-filing system.
Members are advised to adhere strictly to reporting timelines, ensure all vulnerabilities are addressed, confirmed in reports as per IND BSE's Aug. 2023 guidance (#162560).
Non-compliance penalties applicable in FY 2024-2025 are set out in annexure C.
Mar. 2025 Submission Deadline
On Mar. 6, 2025, IND BSE reminded that if any open vulnerabilities are found in VAPT report, members must submit ATR with proof of concept (PoC) by Mar. 31, 2025.
If vulnerabilities remain unresolved after Mar. 31, 2025, trading member must implement compensatory controls, submit detailed report with closure dates via email.
This report must be endorsed by the Chief Information Security Officer (CISO), Chief Technology Officer (CTO), or the designated officer responsible for cybersecurity.
Stockbrokers and trading members must note cir 20230831-17 (#162560) on penalties for non-submission of VAPT/compliance reports or unresolved vulnerabilities.
Submission of ATR for VAPT will be considered complete only after the digitally signed report is submitted and the member receives an acknowledgment email from IND BSE.
