HDFC Securities Settles Regulatory Non-Compliance Case with SEBI for ₹65 Lakh

Domestic brokerage firm HDFC Securities has settled a case with market regulator SEBI over alleged non-compliance with regulatory norms by paying a settlement amount of ₹65 lakh. The settlement was reached through a regulatory order issued on Tuesday (March 11).

Settlement Without Admission of Guilt

The order followed an application filed by HDFC Securities with SEBI, seeking to resolve the alleged violations “without admitting or denying the findings of facts and conclusions of law.”

In its settlement order, SEBI stated, “The instant adjudication proceedings initiated against the notice viz., HDFC Securities Ltd, vide SCN (show cause notice)…dated August 8, 2024, are hereby disposed of.”

Alleged Regulatory Lapses

According to the show cause notice issued to HDFC Securities, the alleged violations primarily pertained to inadequate IT and cybersecurity compliance measures, including:

1. Failure to Generate Alerts for Critical Asset Utilisation:

SEBI mandates that alerts must be generated when the capacity utilisation of critical assets exceeds 70%.

 However, HDFC Securities’ IT policies did not include this requirement. Instead, the brokerage had set alert thresholds at 80% for the Meap application and 75% for CPU & memory utilisation, both of which exceeded the prescribed 70% limit set by the regulator.

2. Non-Implementation of LAMA System for Servers:

HDFC Securities had allegedly not implemented the LAMA system for 47 out of 52 servers during the inspection period. 

LAMA is a critical system that enables the provisioning of application servers, ensuring operational efficiency and security. The lack of implementation raised concerns about the broker’s adherence to regulatory and security standards.

3. Failure to Conduct Disaster Recovery Drills:

SEBI mandates brokers to conduct disaster recovery drills for a full trading day every quarter to ensure resilience against cyber threats and operational disruptions. 

However, HDFC Securities allegedly failed to conduct these mandatory drills during the inspection period, raising concerns about its preparedness for potential system failures and security incidents.

4. Deficiencies in Cybersecurity & Cyber Resilience Policy:

HDFC Securities’ cybersecurity policy allegedly lacked a defined frequency for conducting periodic cybersecurity and information security awareness training for employees. 

Additionally, the policy failed to categorise vendors as critical or non-critical, an essential measure for effective risk management and ensuring adequate security protocols for high-risk partnerships.

5. Inadequate Classification of Critical Assets:

SEBI mandates brokers to properly categorise all critical applications and servers to ensure robust cybersecurity measures. 

However, HDFC Securities allegedly failed to classify certain essential applications, including the active directory for employee logins and its internet-facing website, as critical assets during the inspection period, potentially exposing them to security risks.

Regulatory Closure of the Case

With the settlement amount of ₹65 lakh paid, the regulatory proceedings against HDFC Securities have been closed. While the settlement prevents further enforcement action in this specific case, SEBI’s order underscores the importance of stringent cybersecurity and IT compliance measures for financial entities.

The case highlights the growing focus on cybersecurity and regulatory compliance in India’s financial markets, with SEBI ensuring that market participants adhere to strict IT infrastructure and risk management standards to safeguard investors and trading operations.

Conclusion

The settlement of ₹65 lakh closes SEBI’s regulatory proceedings against HDFC Securities, highlighting the critical importance of stringent IT and cybersecurity compliance in financial markets. The case reinforces SEBI’s commitment to enforcing robust risk management standards, ensuring brokers maintain secure operations to safeguard investors and market integrity.

Disclaimer: This blog has been written exclusively for educational purposes. The securities mentioned are only examples and not recommendations. This does not constitute a personal recommendation/investment advice. It does not aim to influence any individual or entity to make investment decisions. Recipients should conduct their own research and assessments to form an independent opinion about investment decisions.