HDFC Securities recently settled a case with the Securities and Exchange Board of India (SEBI) for multiple lapses in IT Security, Disaster recovery framework and cybersecurity issues. SEBI issued a Show Cause Notice (SCN) on Aug 08 2024, highlighting several non-complaints with its brokerage operations. Here were some alleged regulatory lapses:
1. IT Monitoring Issues
According to the SEBI mandate, critical assets must be alerted when their capacity utilisation exceeds 70%. However, HDFC securities IT policies lacked this provision and set alert thresholds at 80% for some major applications and 75% for CPU and reminiscence memory usage, thus exceeding regulatory restrictions.
2. Partial Implementation of LAMA
The brokerage firm did not implement a Log Analytics and Monitoring Application (LAMA) system for 47 out of 52 servers during the inspection period, raising concerns about monitoring issues and operational capabilities.
3. Failing To Conduct Disaster Recovery Drills
SEBI ensures operational resilience by calling out brokers in every area and every quarter to conduct a full trading day disaster restoration drill. HDFC Securities did not adhere to this mandate during the inspection period.
4. Deficiency in Cybersecurity Measures And Resilience Policy
HDFC Securities lacked a defined frequency for conducting periodic informational security awareness training for employees. Apart from that, the company failed to categorise vendors as critical or non-critical, an essential parameter for risk management and securing adequate measures for high-risk partnerships.
5. Improper Classification of Critical Assets
According to SEBI, brokers must categorise all critical assets and servers to maintain robust security. Allegedly, HDFC securities did not classify certain applications, including an active directory of employee logins and internet facing website.
Settlement Process With SEBI
Follwing the Show Cause Notice, here were the series of events:
- HDFC Securities applied for a settlement on August 4, 2024.
- SEBI’s internal committee reviewed the application and decided on a settlement value of Rs 65 lakh
- The excessive and high-powered advisory committee assessed the application on December 24, 2024.
- The panel of whole-time members accredited the settlement amount on February 25, 2024.
- On 5 March 2025, HDFC Securities formally notified SEBI about the fee payment and settlement amount.
SEBI Retains Right For Further Action
SEBI has clarified that despite the settlement, it has the right to take further regulatory action if later HDFC is found to have provided inaccurate or incomplete information or failed to uphold their commitments.
