SEBI tightens rules around technology set-up at stock exchanges, impacting changes in technology providers

Market regulator SEBI has tightened scrutiny around setting up the technology on the exchanges and placed the burden of ensuring accuracy on the Standing Committee on Technology (SCOT) of the respective exchanges. The tightening of the rules by SEBI will mainly affect exchanges that want to change their technology providers.

In a recent bulletin, SEBI said that SCOT will be responsible for approving the system testing methodology, functional testing, system performance under stress conditions, and application security testing. Major issues that could have a negative impact must be reported to SCOT and addressed prior to deployment to a production environment. SEBI has made it clear that the exchanges must perform extensive testing, validation and documentation whenever new systems/applications are introduced or existing systems/applications are changed, prior to deployment in a production/live environment. These documents must be comprehensive.

All Market Infrastructure Institutions (MIIs), i.e. stock exchanges, are now required to formulate policies and procedures on the use of third-party software systems/applications/code to ensure that these are subject to review and testing before they are integrated with the MIIs' systems.

SEBI said that the scope of testing should include business logic, system functionality, security controls, and system performance under load and stress conditions. Any reliance on existing systems must be properly tested. The test environment should replicate the production environment, and the test methods should be documented in fine detail. The documents must now be verified by the system auditor, taking into account key aspects such as time value and manpower cost. Also, auditors will be responsible for all test results, including User Acceptance Test (UAT) results, performed and documented in the test report.

All MIIs must ensure that the components of the underlying code work as intended and do not lead to unintended consequences. Furthermore, any new code must be appropriate for the existing job. All MIIs must ensure that API testing is done so that the application in question can interact with other applications without causing disruptions. Use of a test code coverage tool is mandatory. MIIs need to develop expertise as well as purchase tools.

According to SEBI, all MIIs must periodically perform non-functional tests such as volume testing, resilience testing, scalability testing, performance testing, stress testing, application security testing, BCP testing, passive/destructive testing, etc., for all IT systems/applications throughout their lifecycle (pre-implementation, post-implementation, and post-changes). All MIIs are required to perform white box testing or structural testing, which should include analysis of data flow, control flow, information flow, coding practices, and exception and error handling within the system.