Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) of Qualified RTAs (QRTAs) - SEBI - SEBI/HO/IMD/IMD-TPD-1/P/CIR/2023/173

CIRCULAR SEBI/HO/IMD/IMD-TPD-1/P/CIR/2023/173 October 20, 2023 All Qualified RTAs (QRTAs) Dear Sir/ Madam, Sub: Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) of Qualified RTAs (QRTAs) 1. Qualified RTAs (i.e. RTAs having more than 2 Crore folios) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market. As part of the operational risk management, these QRTAs need to have high level of resiliency to provide essential facilities and perform systemically critical functions uninterruptedly in the securities market. 2. In view of the above, based on consultation with Technical Advisory Committee (TAC) of SEBI, it has been decided to issue guidelines for strengthening overall resiliency, the procedures at / governance of QRTAs for handling disruption, augmentation of systems and practices to achieve better Recovery Time Objective ( RTO ) and Recovery Point Objective ( RPO ), and to improve overall preparedness by conducting periodic announced / unannounced drills. Hence, QRTAs are required to comply with the following framework for BCP and DR: 3. Organizational Resilience and Documentation 3.1. QRTAs shall have in place Business Continuity Plan (BCP) and Disaster Recovery Site (DRS) so as to ensure continuity of operations, maintain data and transaction integrity. 3.2. The manpower deployed at DRS/ Near Site (NS) shall have the same expertise as available at PDC in terms of knowledge/ awareness of various technological and procedural systems and processes relating to all operations such that DRS/NS can function at short notice, independently. QRTAs shall have sufficient number of trained staff at their DRS so as to have the capability of running live operations from DRS without involving staff of the PDC. 3.3. All QRTAs shall constitute an Incident and Response team (IRT) / Crisis Management Team (CMT), which shall be chaired by the Managing Director (MD) of the QRTA or by the Chief Technology Officer (CTO), in case of non-availability of MD. IRT/ CMT shall be responsible for the actual declaration of disaster, invoking the BCP and shifting of operations from PDC to DRS whenever required. Details of roles, responsibilities and actions to be performed by employees, IRT/ CMT and support/outsourced staff in the event of any Disaster shall be defined and documented by the QRTA as part of BCP-DR Policy Document. 3.4. The Technology Committee of the QRTAs shall review the implementation of BCP-DR policy approved by the board of the QRTA on a quarterly basis. 4. Configuration of DRS/NS with PDC 4.1. Apart from DRS, all QRTAs shall also have a Near Site (NS) to ensure zero data loss. The DRS should preferably be set up in different seismic zones and in case due to certain reasons such as operational constraints, change of seismic zones, etc., minimum distance of 500 kilometre shall be ensured between PDC and DRS so that both DRS and PDC are not affected by the same disaster. 4.2. Hardware, system software, application environment, network and security devices and associated application environments of DRS and PDC shall have one to one correspondence between them. 4.3. QRTAs should develop systems that do not require configuration changes at the end of AMCs/other regulatory entities for switchover from the PDC to DRS. 4.4. In the event of disruption of any one or more of the Critical Systems (an indicative list for QRTAs catering to AMCs is given below), the QRTA shall, within 30 minutes of the incident, declare that incident as Disaster and take measures to restore operations including from DRS within 45 minutes of the declaration of Disaster . Accordingly, the Recovery Time Objective(RTO)- the maximum time taken to restore operations of Critical Systems from DRS after declaration of Disaster- shall be 45 minutes, to be implemented within 90 days from the date of the circular. 4.5. The Critical Systems for a QRTA catering to AMCs may include Accepting and Processing of Transactions (end to end, including purchase, redemption, Dividend Payment etc.), Connectivity with AMCs, NAV Calculation related processes. The above list is indicative and not exhaustive in nature. 4.6. QRTAs to also ensure that the Recovery Point Objective (RPO) - the maximum tolerable period for which data might be lost due to a major incident- shall be 15 minutes. 4.7. Solution architecture of PDC and NS should ensure high availability, fault tolerance, no single point of failure, zero data loss, and data and transaction integrity. 4.8. Solution architecture of PDC and DRS should ensure high availability, fault tolerance, no single point of failure and data and transaction integrity. 4.9. Any updates made at the PDC should be reflected at DRS/ NS immediately (before end of day) with head room flexibility without compromising any of the performance metrics. 4.10. Replication architecture, bandwidth and load consideration between the DRS / NS and PDC should be within stipulated RTO and ensure high availability, right sizing, and no single point of failure. 4.11. Replication between PDC and NS should be synchronous to ensure zero data loss whereas, the one between PDC and DRS and between NS and DRS may be asynchronous. 4.12. Adequate resources (with appropriate training and experience) should be available at all times to handle operations at PDC, NS or DRS, as the case may be, on a regular basis as well as during disasters. 5. DR drills/Testing 5.1. QRTAs shall conduct periodic training programs to enhance the preparedness and awareness level among its employees and outsourced staff, vendors, etc. as per BCP policy. 5.2. DR drills should be conducted on a quarterly basis. These drills should be closer to real life scenario (trading days) with minimal notice to DRS staff involved. 5.3. Further, QRTAs should also conduct unannounced live operations from its DRS for at least 1 day in every three months on normal working days (i.e. not on weekends / trading holidays). Unannounced live operations from DRS of QRTAs shall be done at a short notice of 45 minutes. 5.4. During the drills, the staff based at PDC should not be involved in supporting operations in any manner. 5.5. The drill should include running all operations from DRS for at least 1 full trading day. 5.6. Before DR drills, the timing diagrams clearly identifying resources at both ends (DRS as well as PDC) should be in place. 5.7. The results and observations of these drills should be documented and placed before the Governing Board of QRTAs. Subsequently, the same along with the comments of the Governing Board should be forwarded to SEBI within a month of the DR drill. 5.8. The System Auditor while covering the BCP DR as a part of mandated annual System Audit should check the preparedness of the QRTA to shift its operations from PDC to DRS unannounced and also comment on documented results and observations of DR drills. 5.9. Live operation sessions from DR site shall be scheduled for at least two consecutive days in every six months. Such live trading sessions from the DRS shall be organized on normal working days (i.e. not on weekends / trading holidays). The QRTA shall ensure that staff members working at DRS have the abilities and skills to run live operations session independent of the PDC staff. 5.10. QRTAs shall include a scenario of intraday shifting from PDC to DRS during the mock operation sessions in order to demonstrate its preparedness to meet RTO/RPO as stipulated above. 5.11. QRTA should undertake and document Root Cause Analysis (RCA) of their technical/ system related problems in order to identify the causes and to prevent reoccurrence of similar problems. 6. BCP DR Policy Document 6.1. QRTAs shall put in place a comprehensive BCP-DR policy document outlining the following: 6.1.1. Broad scenarios that would be defined as a Disaster for an QRTA (in addition to definition provided in para 4.4/4.5 of this circular). 6.1.2. Standard Operating Procedure to be followed in the event of Disaster. 6.1.3. Escalation hierarchy within the QRTA to handle the Disaster. 6.1.4. Clear and comprehensive Communication Protocols and procedures for both internal and external communications from the time of incident till resumption of operations of the QRTA. 6.1.5. Documentation policy on record keeping pertaining to DR drills. 6.1.6. Scenarios demonstrating the preparedness of QRTAs to handle issues in Critical Systems that may arise as a result of Disaster. 6.1.7. Framework to constantly monitor health and performance of Critical Systems in normal course of business. 6.2. The BCP-DR policy document of QRTA should be approved by Governing Board of the QRTAs after being vetted by Technology Committee and thereafter communicated to SEBI. The BCP-DR policy document should be periodically reviewed at least once in six months and after every occurrence of disaster. 6.3. In case a QRTA desires to lease its premise at the DRS to other entities including to its subsidiaries or entities in which it has stake, the QRTA should ensure that such arrangements do not compromise confidentiality, integrity, availability, targeted performance and service levels of the QRTA s systems at the DRS. The right of first use of all the resources at DRS including network resources should be with the QRTA. Further, QRTA should deploy necessary access controls to restrict access (including physical access) of such entities to its critical systems and networks. 6.4. In case a QRTA desires to lease a DR premise from other entities (MII / Other Regulated Entities / Service Providers) the QRTA should ensure that such arrangements do not compromise confidentiality, integrity, availability, targeted performance and service levels of the QRTA s systems at the DRS. QRTAs should also ensure that proper segregation and monitoring is undertaken so as to isolate cyber events in the systems 6.5. The QRTAs should execute appropriate agreements with the corresponding Service Providers entailing Service Level Agreements, segregation details and obligations of the Service providers during normal operations and during Disaster . 7. Considering the above, QRTAs are advised to submit their revised BCP DR policy to SEBI within 3 months from the date of this circular. Further, they should also ensure that clause 5.8 and 6.1.5 mentioned above is also included in the scope of System Audit. 8. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market. 9. This circular is available on SEBI website at www.sebi.gov.in under the categories Legal Framework and Circulars . 10. This circular shall supersede earlier circular no. SEBI/HO/MIRSD/DoP/CIR/P/2018/119 dated August 10, 2018 issued on BCP-DR Policy of QRTAs. Yours faithfully, Rohit Saraf Deputy General Manager Investment Management Department Email: [email protected]