SEBI Penalises Reliance Securities ₹5 Lakh For Cyber Security Lapses Found During Investigation

Update: 2025-11-27 06:18 GMT

The Securities and Exchange Board of India (SEBI) on Wednesday imposed a penalty of Rs 5 lakh on Reliance Securities Limited after the regulator found several violations of cyber security and cyber resilience norms during an inspection covering April 01, 2023 to October 31, 2024.

The order, passed by Adjudicating Officer Amit Kapoor, said the brokerage failed to comply with critical safeguards, including capacity planning, automated software testing, log preservation, disaster recovery arrangements, data classification and protection of personal data.

The market regulator noted that the firm had not submitted documentary evidence of capacity planning for critical systems or peak-load calculations during the inspection period. It also recorded that the brokerage had admitted it did not set the 70 percent utilisation threshold required under SEBI's monitoring framework.

The proceedings began after SEBI conducted a thematic inspection into the brokerage's compliance with cyber security, cyber resilience and technical-glitch frameworks. The regulator later issued a show cause notice in June 2025 alleging seven counts of non-compliance.

Reliance Securities argued that the inspection period overlapped with the insolvency of its parent, Reliance Capital Limited, which disrupted its operations, technology support and staffing. It said it regularly monitored peak load, demonstrated its monitoring systems to officials, and later reset utilisation thresholds on their advice.

It said automated testing was eventually put in place and that it maintained logs and implemented LAMA, an automated monitoring system, across critical systems. It denied gaps in data leakage prevention or data classification, saying evidence was submitted when requested.

The regulator rejected most of these explanations. It found no verifiable evidence that the brokerage maintained the required 1.5 times peak-load capacity during the inspection period. It also said the firm failed to show that automated testing existed at the time and noted that the VAPT (Vulnerability Assessment and Penetration Testing) report it relied upon was dated after the inspection.

It found that key LAMA parameters were not provided, logs were not preserved as required, and the firm implemented LAMA with a delay of 453 days. The regulator further held that disaster recovery arrangements were not in place and noted that, during the inspection, a test email containing personal data was able to reach an external domain without triggering any alert.

The regulator accepted the brokerage's defence on only one point: that all endpoints were covered under its Data Leakage Prevention system.

It held that the penalty was 'commensurate with the lapse or omission' and directed the brokerage to pay the amount within 45 days.
