Sebi comes out with testing framework for IT systems of stock exchanges

May 5, 2023

Synopsis
The Securities and Exchange Board of India (SEBI) has announced a new framework for testing the IT systems used by market infrastructure institutions (MIIs), including stock exchanges, clearing corporates and depositories. The MIIs will undertake system testing, functional testing, and application security testing, which need to be approved by the Standing Committee on Technology of the respective institutions. The identified software bugs, issues or defects should be remediated immediately, while policies and procedures on the use of third-party systems or software codes should be established. MIIs will have 30 days to submit the testing framework of all their IT systems.

Capital markets regulator Sebi on Friday put in place a comprehensive testing framework for the information technology (IT) systems of the stock exchanges and other market infrastructure institutions (MIIs). The framework will be for the IT systems of MIIs -- stock exchanges, clearing corporations, and depositories -- throughout their lifecycle, which can assist the MIIs in performing thorough risk assessment before deploying any IT systems in production or live environment.

Under the framework, all MIIs have been asked to do extensive testing, validation, and documentation whenever new systems or changes to existing systems are introduced before the deployment in the production/live environment, according to a circular.

Further, they have to set up a comprehensive methodology for system testing, functional testing, and application security testing, and the same need to be approved by the Standing Committee on Technology (SCOT) of respective MIIs.

The scope of testing includes covering business logic, system function, security controls, and system performance under load and stress conditions. Moreover, any dependency on the existing systems shall be properly tested.

"Testing should be carried out in a separate environment that replicates/mirrors the production environment to minimize any disruption," Sebi said.

According to the regulator, all issues identified from testing, including system defects or software bugs, should be properly tracked and remediated immediately.

Moreover, major issues that could hurt the MII should be reported to their SCOT and addressed before deployment to the production environment.

In addition, MIIs have been asked to establish policies and procedures on the use of third-party systems or software codes to ensure these systems are subject to review and testing before they are integrated with their systems.

MIIs have been directed to perform white box testing or structural testing, which includes analysing data flow, control flow, information flow, coding practices, exception, and error handling within the system.

Further, they have been asked to submit the testing framework of all their IT systems after approval of SCOT within 30 days.

[The Economic Times]