SEBI Issued Guidelines for Business Continuity Plan and Disaster Recovery
The Securities and Exchange Board of India, on 22.03.2021, has issued a Circular No SEBI/HO/MRD1/DTCS/CIR/P/2021/33 regarding the guidelines for Business Continuity Plan and Disaster Recovery. It was issued by SEBI under the ambit of powers conferred under section 11 subsection (1) of the SEBI Act 1992.
Further, it shall be noted that the said circular will supersede SEBI Circular No SEBI/HO/MRD/DMS1/CIR/P/2019/43, dated 26.03.2019, issued regarding the Business Continuity Plan and Disaster Recovery (BCP-DR) Policy of MIIs.
In this learning blog, we will talk about the revised guidelines for the Business Continuity Plan and Disaster Recovery of MIIs (Market Infrastructure Institutions).
Entities Eligible for Revised Guidelines
The entities eligible for the Revised Guidelines for Business Continuity Plan and Disaster Recovery are as follows:
- All Stock Exchanges;
- All Depositories;
- All Clearing Corporations;
Need for Modifying the Existing BCP-DR Plan
It shall be noted that SEBI, by way of circular SEBI/HO/MRD/DMS1/CIR/P/2019/43, dated 26.03.2019, had prescribed a framework for the Business Continuity Plan and Disaster Recovery Site (BCP-DR) for Stock Exchanges, Depositories, and Clearing Corporations.
However, with the advancement in technology and enhanced automation of procedures, it was felt that there is a need to re-examine the extant framework. The same was done with a view to reduce the time period prescribed for moving from Primary Data Centre (PDC) to Disaster Recovery Site (DRS).
Revised Guidelines for Business Continuity Plan and Disaster Recovery
After examination and consultation with Market Infrastructure Institutions (MIIs) and Technical Advisory Committee (TAC) of the SEBI, the revised framework for BCP-DR shall be as under:
- Stock Exchanges, Clearing Corporations, and Depositories (together referred to as MIIs or Market Infrastructure Institutions) will have in place BCP and DRS so as to maintain and preserve data and transaction integrity;
- Besides DRS, all MIIs comprising Depositories will also have a Near Site (NS) to ensure zero data loss;
- The Disaster Recovery Site must preferably be established in different seismic zones and in the case of certain reasons, such as operational constraints, change of the seismic zones, etc., the minimum distance of 500 km will be ensured between PDC and DRS, so that both are not affected by the same disaster;
- The total manpower deployed at DRS/ NS will have the same expertise and know-how as available at PDC in terms of awareness/ knowledge of several technological and procedural systems concerning all operations, such that DRS/NS can function at short notice, independently. Further, MIIs will need to have a sufficient number of trained staff at their Disaster Recovery Site so as to have the ability to run live operations and processes from DRS without engaging staff of the PDC;
- All the Market Infrastructure Institutions will constitute an IRT (Incident and Response Team)/ CMT (Crisis Management Team), which shall be headed by the Managing Director (MD) of the respective MII or by the CTO (Chief Technology Officer), in case of the non-availability of MD. Further, IRT or CMT will be responsible for the actual announcement of disaster, raising the BCP and shifting of operations from the PDC to DRS, whenever required. Also, it shall be noted that details of roles and responsibilities, actions to be completed by employees, IRT/CMT, and support/outsourced staff on the occasion of any Disaster will be defined and recognised by the MII as a part of the BCP-DR Policy Document;
- The Technology Advisory Committee (TAC) of the MIIs will review the implementation of the BCP-DR policy as approved by the Governing Board of the Market Infrastructure Institutions on a quarterly basis;
- MIIs will need to conduct periodic training programs to improve the level of preparedness and awareness among its employees and outsourced staff, and vendors, etc. to function as per BCP policy;
Guidelines concerning Configuration of DRS/ NS with PDC
The guidelines concerning Configuration of DRS/ NS with PDC can be summarised as:
- All the Hardware, Application Environment, System Software, Network and Security Devices, and Associated Application Environments of the Disaster Recovery Site or Near Site and PDC will have one to one communication between them;
- MIIs must develop systems and mechanisms that do not require configuration modifications at the end of trading members/ depository participants/ clearing members for switchover from the existing PDC to DRS. Further, it shall be noted that MIIs should test the functionality of such switchover by conducting unannounced live trading from its Disaster Recovery Site for at least one day in the period of every six months. Also, the unannounced live trading from DRS of Market Infrastructure Institutions will be done at a short notice period of 45 minutes after the expiry of 90 days, starting from the date of this circular;
- In the event of disturbance of any one or more of the “Critical Systems”, the MIIs shall, within a period of 30 minutes of the incident, need to declare that incident as “Disaster” and take measures to restore functions and operations, including from DRS, within 45 minutes of the declaration of the “Disaster”. Consequently, the Recovery Time Objective (RTO), the maximum time taken to restore functions and operations of “Critical Systems” from DRS after the declaration of Disaster, shall be 45 minutes, which is to be implemented within a period of 90 days, starting from the date of the circular. Also, it shall be noted that the “Critical Systems” for an Exchange or Clearing Corporation will include Trading, Collateral Management, Risk Management, Clearing and Settlement, and Index computation. Further, “Critical Systems” for a Depository will include systems and mechanisms supporting settlement processes and inter-depository transfers system as well;
- MIIs also need to ensure that the RPO (Recovery Point Objective) shall be 15 minutes;
- Solution architecture of the PDC and DRS / NS must ensure fault tolerance, high availability, no single point of failure, data and transaction integrity, and zero data loss;
- Any updates made at the PDC must be reflected at Disaster Recovery Site or Near Site immediately (prior to the end of the day) with head room flexibility and without compromising any of the performance metrics;
- Replication architecture, bandwidth, and load consideration between the DRS/ NS and PDC need to be within the prescribed Recovery Time Objective and ensure right sizing, high availability, and no single point of failure;
- Replication between PDC and NS must be synchronous to confirm zero data loss, whereas the replication between PDC and DRS and between DRS and NS may be asynchronous;
- Adequate resources (with appropriate training and experience) must be available at all times to carry out operations at PDC, NS, or DRS, as the case may be, on a normal basis as well as during disasters;
Guidelines concerning Disaster Recovery Drills/ Testing
The guidelines concerning Disaster Recovery Drills/ Testing can be summarised as:
- Disaster Recovery drills must be conducted regularly on a quarterly basis. However, in the case of Exchanges and Clearing Corporations, these recovery drills should be closer to the real life situation (trading days) with minimal notice to DRS staff engaged;
- During the DR drills, the staff based at PDC must not be engaged in supporting operations in any manner;
- The drill must include running all operations from the Disaster Recovery Site for at least one full trading day;
- It shall be noted that prior to DR drills, the timing diagrams must clearly identify that resources at both ends (DRS and PDC) are in place;
- The results and conclusions of these drills must be properly documented and placed before the Governing Board of Stock Exchanges/Clearing Corporations/ Depositories. Afterwards, the same, together with the comments of the Board, will be forwarded to SEBI within a period of one month of the DR drill;
- The System Auditor while covering the Business Continuity Plan and Disaster Recovery as a part of the mandated annual System Audit must check the preparedness of the Market Infrastructure Intermediaries to shift its operations and functions from PDC to DRS unannounced, and also comment on documented results and conclusions of DR drills;
- “Live” trading sessions from the Disaster Recovery Site will be scheduled for a minimum of two consecutive days in the period of every six months. Further, such live trading sessions from the Disaster Recovery Site will be organised on the normal working days (i.e., not on weekends and trading holidays). Further, the Stock Exchange/ Depository/ Clearing Corporation shall ensure that the working staff members at DRS have the abilities, knowledge, and skills to carry out live trading session, which is independent of the PDC staff;
- Stock Exchanges, Clearing Corporations, and Depositories need to include a scenario of intraday shifting from the existing PDC to DRS during the “mock” trading sessions. The same is done to demonstrate its readiness to meet RTO or RPO as stipulated above;
- MIIs must undertake and document the Root Cause Analysis (RCA) of their technical and system related issues, to identify the causes and to prevent re-occurrence of similar problems;
Policy Document for Business Continuity Plan and Disaster Recovery
The key provisions of the Policy Document for Business Continuity Plan and Disaster Recovery can be summarised as:
- Broad situations that would be termed as a Disaster for a Market Infrastructure Institution (in addition to the definition provided in paragraph 4 (c) of the said circular);
- Standard Operating Procedure to be followed in the event of Disaster;
- Escalation hierarchy within the Market Infrastructure Institution to handle the Disaster;
- Clear and comprehensive Communication Procedures and Protocols for both internal and external communications, starting from the time of incident till the resumption of operations of the said MII;
- The record keeping of the Documentation policy pertaining to DR drills;
- Scenarios showcasing the preparedness and readiness of the MIIs to handle problems in Critical Systems that may arise as a consequence of Disaster;
- Preparedness and readiness of the Depositories to carry out any issue or problem which may arise due to the trading halts in Stock Exchanges;
- Framework to constantly monitor and supervise health and performance of the Critical Systems in the normal course of business;
Further, the Business Continuity Plan and Disaster Recovery policy document of an MII must be approved by the Governing Board of the MIIs. However, the same will be done only after being vetted by the Technology Committee. Also, after the approval of the Governing Board, the details of the same will thereafter be communicated to SEBI.
Also, it shall be noted that the Business Continuity Plan and Disaster Recovery policy document needs to be periodically reviewed at least once in a period of six months and even after every occurrence of disaster.
In case a Market Infrastructure Institution desires to lease out its premises at the Disaster Recovery Site to other entities, including its subsidiaries in which it owns a stake, the MII must ensure that such an arrangement does not compromise the confidentiality, availability, integrity, targeted performance, and service levels of the MII’s mechanisms at the DRS.
Further, it shall be noted that the right of first use of all the resources at Disaster Recovery Site including the network resources must be with the MII. Furthermore, MII must deploy necessary access and controls to restrict the access (inclusive of physical access) of such entities to its critical mechanisms and networks.
Time Period to Submit Revised Business Continuity Plan and Disaster Recovery Policy
All the Stock Exchanges, Clearing Corporations, and Depositories are advised to furnish or submit their revised Business Continuity Plan and Disaster Recovery Policy to SEBI within a period of 3 months, starting from the date of this said circular. Also, they should ensure that clause 5(f) and 6(a)(v) as mentioned above are included in the ambit of the System Audit.
In a nutshell, SEBI, on 22.03.2021, has issued a Circular regarding the guidelines for Business Continuity Plan and Disaster Recovery. The same was issued with a view to reduce the time period prescribed for moving from Primary Data Centre (PDC) to Disaster Recovery Site (DRS).