SEBI Imposes ₹10 Lakh Penalty On Anand Rathi Share And Stock Brokers For Cyber Security And Compliance Lapses

The Securities and Exchange Board of India (SEBI) on Friday imposed a penalty of Rs 10 lakh on Anand Rathi Share and Stock Brokers Limited for violations of cybersecurity and cyber resilience requirements under the SEBI (Stock Brokers) Regulations, 1992, and applicable SEBI and exchange circulars.

SEBI Adjudicating Officer Amit Kapoor passed the order after holding that the broker had failed to comply with provisions of the Stock Brokers Regulations and the Cyber Security and Cyber Resilience Framework prescribed for stock brokers.

SEBI had conducted a thematic inspection of Anand Rathi Share and Stock Brokers Limited from January 6 to January 10, 2025, to examine the broker's compliance with the Cyber Security and Cyber Resilience Framework, the SEBI (Stock Brokers) Regulations, 1992, and relevant SEBI circulars.

Based on the inspection findings, certain alleged violations of regulatory provisions were observed, following which a show cause notice was issued. The broker filed its reply and was granted a personal hearing before the regulator.

After examining the material on record, the Adjudicating Officer found that some of the alleged violations were established. The officer found that the broker had failed to deploy adequate monitoring mechanisms to generate alerts when system capacity utilisation exceeded the prescribed limits. It was also found that the Business Continuity Planning and Disaster Recovery (BCP-DR) policy had not received formal approval during the inspection period.

The market regulator further noted a mismatch between the documented password policy and the policy actually implemented in the system. The broker was also found to have failed to demonstrate the implementation of data leakage prevention mechanisms during the inspection period. In addition, multi-factor authentication had not been implemented for certain users, and the vulnerability assessment and penetration testing of certain critical assets were incomplete.

At the same time, the regulator accepted the broker's explanation in respect of certain other observations. The allegations relating to PowerShell execution and internet access through file-sharing websites were not held to be violations after the broker produced material showing that the access had been temporarily enabled for testing purposes with approvals and was later disabled.

In some other instances, including delay in submission of a root cause analysis report and absence of formal approval of certain policies during the inspection period, the regulator took a lenient view after noting the broker's subsequent corrective steps.

Holding that the established violations attracted penalty under Section 15HB of the SEBI Act, the Adjudicating Officer imposed a monetary penalty of Rs 10 lakh on Anand Rathi Share and Stock Brokers Limited for failure to comply with the applicable regulatory requirements relating to cybersecurity, system controls, and internal policy approvals prescribed under the SEBI (Stock Brokers) Regulations, 1992, and relevant SEBI and exchange circulars.