SEBI Fines Reliance Securities ₹5 Lakh Over Major Cyber Security & Resilience Lapses During Investigation
Sangeetha Prathap
The Securities and Exchange Board of India (SEBI) has imposed a monetary penalty of ₹5 lakh on Reliance Securities Limited after finding multiple violations of cyber security and cyber resilience norms during an inspection covering the period from April 1, 2023 to October 31, 2024. The order was passed by Adjudicating Officer Amit Kapoor, who noted that the brokerage failed to comply with key obligations relating to the safety, monitoring and integrity of critical systems that support trading and investor data protection.
The market regulator recorded that Reliance Securities did not produce documentary evidence demonstrating capacity planning for critical systems or calculations of peak-load handling during the period under inspection. SEBI further noted that the brokerage had admitted that it did not implement the 70 percent utilisation threshold mandated under SEBI’s monitoring framework for preventing system overload. According to the inspection findings, the lapses extended to areas such as automated software testing, protection of personal data, log preservation, disaster recovery readiness and data classification.
SEBI initiated the proceedings following a thematic inspection into the brokerage’s compliance with cyber security, cyber resilience and technical glitch frameworks. After identifying deficiencies, the regulator issued a show cause notice in June 2025 specifying seven counts of non-compliance. In response, Reliance Securities attributed the shortcomings to operational disruption triggered by the insolvency of its parent company, Reliance Capital Limited, asserting that staffing, technology functions and vendor support were impacted during the period. It argued that peak-load monitoring did take place, that its monitoring systems were demonstrated to SEBI officials, and that utilisation thresholds were subsequently configured based on the regulator’s guidance. The brokerage further submitted that automated testing was implemented, logs were maintained, and a cyber monitoring tool (LAMA) had been rolled out across critical systems. It also highlighted that it had a Data Leakage Prevention mechanism covering all endpoints.
The regulator, however, rejected most of these explanations for lack of verifiable evidence. SEBI held that the brokerage failed to demonstrate the availability of 1.5 times peak-load capacity, which is mandatory to ensure uninterrupted system functioning during high transaction volumes. The regulator also observed that Reliance Securities could not prove that automated testing existed during the inspection period and pointed out that the Vulnerability Assessment and Penetration Testing (VAPT) report relied upon by the company was generated after the inspection ended. SEBI further stated that the brokerage failed to preserve logs in the manner prescribed under the cyber guidelines, that LAMA was implemented with a delay of 453 days and that key monitoring parameters had not been provided. It also recorded that disaster recovery measures were inadequate and that a test email containing personal client data was allowed to reach an external domain without triggering any alert—an incident that revealed a significant gap in data protection controls.
Only one argument advanced by the brokerage was accepted. SEBI acknowledged that all endpoints were covered under the Data Leakage Prevention system, and therefore no violation was made out under that specific requirement. Nevertheless, SEBI held that the remaining breaches constituted serious non-compliance and had the potential to adversely affect investor interest and cyber resilience of market infrastructure. It concluded that the penalty of ₹5 lakh was proportionate to the lapses and directed Reliance Securities Limited to deposit the amount within 45 days of receipt of the order.
