SEBI Issued Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR)

Securities and Exchange Board of India (SEBI) issued Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR). 

SEBI stated that in the event of disaster, the disruption in trading system of stock exchanges / depository system may not only affect the market integrity but also the confidence of investors. In order to address this issue, the current BCP - DR setups of some of the stock exchanges having nation-wide terminals and depositories were examined by the Technical Advisory Committee of SEBI (TAC). Based on the recommendations of TAC, the broad guidelines for BCP - DR are given below:

i. The stock exchanges and depositories should have in place Business Continuity Plan (BCP) and Disaster Recovery Site (DRS) so as to maintain data and transaction integrity.

ii. Apart from DRS, stock exchanges should also have a Near Site (NS) to ensure zero data loss.

iii. The DRS should be set up sufficiently away, i.e. in a different seismic zone, from Primary Data Centre (PDC) to ensure that both DRS and PDC are not affected by the same disasters.

iv. The manpower deployed at DRS / NS should have similar expertise as available at PDC in terms of knowledge / awareness of various technological and procedural systems and processes relating to all operations such that DRS / NS can function at short notice, independently.

v. Configuration of DRS / NS with PDC:

a) Hardware, system software, application environment, network and security devices and associated application environments of DRS / NS and PDC should have one to one correspondence between them.
b) Exchanges / Depositories should have Recovery Time Objective (RTO) and Recovery Point Objective (RPO) not more than 30 minutes and 4 hours, respectively.
c) Solution architecture of PDC and DRS / NS should ensure high availability, fault tolerance, no single point of failure, zero data loss, and data and transaction integrity.
d) Any updates made at the PDC should be reflected at DRS / NS immediately (before end of day) with head room flexibility without compromising any of the performance metrics.
e) Replication architecture, bandwidth and load consideration between the DRS / NS and PDC should be within stipulated RTO and ensure high availability, right sizing, and no single point of failure.
f) Replication between PDC and NS should be synchronous to ensure zero data loss. Whereas the one between PDC and DR and between NS and DR may be asynchronous.
g) Adequate resources (with appropriate training and experience) should be available at all times to handle operations on a regular basis as well as during disasters.

vi. DR Drills / Testing

a) DR drills should be conducted on quarterly basis. In case of exchanges, these drills should be closer to real life scenario (trading days) with minimal notice to DR staff involved.
b) During the drills, the staff based at PDC should not be involved in supporting operations in any manner. To begin with, initial three DR drills from the date of this circular may be conducted with the support of staff based at PDC.
c) The drill should include running all operations from DRS for at least 1 full trading day.
d) Before DR drills, the timing diagrams clearly identifying resources at both ends (DRS as well as PDC) should be in place.
e) The results and observations of these drills should be documented and placed before the Governing Board of Stock Exchange / Depositories. Subsequently, the same along with the comments of the Governing Board should be forwarded to SEBI within a month of the DR drill.
f) The system auditor while covering the BCP – DR as a part of mandated annual system audit should also comment on documented results and observations of DR drills.

vii. BCP – DR Policy Document

a) The BCP – DR policy of stock exchanges and depositories should be well documented covering all areas as mentioned above including disaster escalation hierarchy.
b) The stock exchanges should specifically address their preparedness in terms of proper system and infrastructure in case disaster strikes during business hours.
c) Depositories should also demonstrate their preparedness to handle any issue which may arise due to trading halts in stock exchanges.
d) The policy document and subsequent changes / additions / deletions should be approved by Governing Board of the Stock Exchange / Depositories and thereafter communicated to SEBI.