Market regulator SEBI has imposed a fine of ₹12 lakh on NSE Data and Analytics Ltd, previously known as DotEx International Ltd, over various irregularities related to its business continuity plan/disaster recovery (BCP/DR) policy, delays in issuing acknowledgment letters, and issues in system audit reports and the cybersecurity audit framework, among others.
NSE Data and Analytics, a KYC Registration Agency (KRA), is a wholly-owned subsidiary of NSE Ltd.
In an order dated September 30, SEBI stated, “The evidence and observations on record indicate irregularities concerning the BCP/DR policy, delayed issuance of acknowledgment letters, and issues in the system audit reports and cybersecurity audit framework. These include the failure to complete the VAPT activity within the stipulated time, non-reflection of this in the cybersecurity audit report, failure to capture ATR from previous SCOT meetings, and missing clauses on reporting cyber-attacks, incidents, and breaches in policy documents.”
SEBI further emphasized that such violations, including the non-validation of KYC records and lack of segregation of operations and infrastructure, “cannot be taken lightly” and deserve appropriate penalties to deter misconduct and encourage ethical practices in the securities market.
The order acknowledged that the company had taken corrective actions but stressed that the irregularities during the investigation period “cannot be overlooked” and that NSE Data and Analytics, as a registered intermediary, must uphold high standards of professionalism. Consequently, the violations justified the penalty imposed.