
The Accountability Deficit: Why SEBI's Governance Reforms Must Embrace Global Standards of Scrutiny

[Yash Agarwal and Bhavishya Goswami are second year law students at Dr. Ram Manohar Lohiya National Law University, Lucknow]


Introduction


The Securities and Exchange Board of India (SEBI) gazetted the Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) (Fourth Amendment) Regulations, 2025 (Securities Contracts Regulations) on November 21, 2025. The amendment is aimed at improving and expanding governance and management requirements for recognised Stock Exchanges (SEs) and Clearing Corporations (CC). It clarifies the managing director’s role and brings executive directors within the regulatory ambit. Further, the amendment adds Regulation 30B and Regulation 30C, which introduce the positions of Chief Technology Officer (CTO) and Chief Information Security Officer (CISO), respectively.


Strengthening digital governance in recognised SEs and CC is a welcome move and essential to address the cybersecurity and information technology (IT) risks associated with SEs and CC. However, the new provisions lay out a wide range of powers but offer no operational checks, reporting requirements, or accountability framework. This article examines that gap through a comparative lens and proposes a framework that prevents opaque and unmonitored decision-making while preserving the goals of the reforms.


Beyond the Mandate: Unchecked Authority and the Absence of Operational Standards


Regulations 30B and 30C of the Securities Contracts Regulations provide a framework for the appointment, role, and responsibilities of the CTO and the CISO, respectively. The Securities Contracts Regulations make it mandatory for SEs and CC to appoint these officers. As we usher in a more automated era, such digital governance was the need of the hour. Driven by continuous digital transformation, tomorrow’s SEs will open up new revenue streams, function more effectively, and flourish as part of an interconnected network of partners. Yet the framework for CTOs and CISOs suffers from a fundamental deficiency – a lack of accountability checks.


The Securities Contracts Regulations set out the roles and responsibilities of the officers. The CTO is tasked with formulating an IT policy and an IT risk management framework. The CTO must also take the necessary measures to resolve and mitigate observations arising from technology audits. On similar lines, the CISO is mandated to establish and implement a cybersecurity policy approved by the governing board of the SE or CC. The CISO is further responsible for establishing standards and controls and for taking cybersecurity initiatives. However, the responsibilities of both officers are framed in exhaustive terms – “shall include the following.” This creates a rigid set of roles that cannot be adapted as circumstances demand.


Apart from rigidity, the provisions create a one-sided obligation without any scope for scrutiny or reporting requirements. The Securities Contracts Regulations grant SEs and CC discretion to appoint a CTO and CISO without prescribing any specific standards for appointment. Further, the CTO and CISO are not obligated to report any findings. SEs serve as a barometer of economic growth and health, mobilising financial resources; therefore, any findings regarding their operations should be made available to the general public as a transparency measure. Moreover, the discretionary appointment of the CTO and CISO creates room for manipulation of findings, and there is no provision for an external independent audit of SEs and CC. A comparative look at major jurisdictions can help identify the benchmarks, safeguards and oversight mechanisms that India needs to adopt.


International Precedents: Mandating Transparency and Enforcing Digital Accountability


Every time an SE or CC encounters a significant cybersecurity issue, such as a system failure or data breach, it should be required to notify the regulator immediately. The faster the disclosure, preferably within 24 hours of learning about the problem, the faster the redressal. In order to keep investors and market participants informed, the institution should also make the issue public, irrespective of its seriousness.


SEBI’s reforms introduce key governance roles, such as the CTO and CISO, with a positive aim in view; however, they fall short of defining the accountability, competency standards, and reporting mechanisms required for these roles. Other jurisdictions have already bridged this gap by attaching to such roles strict behavioural standards and operational frameworks that directly address both the conflicts of interest between SEs and CC and the rising challenge of digital risk.


The European Union


The European Union (EU) has a dual framework through which it addresses both structural conflicts and digital governance. The European Market Infrastructure Regulation (EMIR) mandates a robust operational ring-fencing mechanism to manage any conflicts that arise from integrated exchange/CCP ownership. CCPs must establish proper, documented procedures to manage conflicts, and these procedures are strictly necessary to prevent the misuse of confidential information held in their systems for other business activities without prior client consent.


Additionally, the Digital Operational Resilience Act (DORA) ensures compliance with operational and procedural requirements and standards. This act shifts complete accountability for Information and Communication Technology (ICT) risk from the technical department to the board and senior management, requiring them to have the digital competence to oversee cyber risks effectively. DORA avoids operational conflicts of interest through an independent control function, which is enforced through strict, rapid reporting lines. For example, ICT-related incidents must be reported to the authorities, sometimes within a few hours.


The United States (US)


The US framework relies heavily on independent technology validation under the Commodity Futures Trading Commission (CFTC), which regulates derivatives markets, including futures, options, and swaps, with the aim of reducing systemic risk, preventing market abuse, and protecting customer funds. The Indian amendments, by contrast, lack any external validation factor. In the US, Derivatives Clearing Organizations (DCOs) are required to conduct an Enterprise Technology Risk Assessment at least annually. The CFTC permits this assessment to be performed by independent contractors or by internal employees who are not responsible for the development or operation of the system under review. This ensures that the audit is independent of the teams being reviewed, thereby providing unbiased results.


United Kingdom (UK)


The UK recognises the risk of ‘diluted accountability’ and resolves it through personalised responsibility. The UK’s Senior Managers and Certification Regime (SMCR), which is planned for application to Financial Market Infrastructure (FMI) firms, makes senior executives individually accountable. Managers must hold specific, detailed Statements of Responsibilities, especially in technology and operations. This structure eliminates any ambiguity about who is responsible, so that the particular CTO, CISO, or Executive Director charged with oversight can be immediately identified and sanctioned, thereby enforcing behavioural change.


Curing the Deficiency: Prescriptive Reforms for Digital Governance


The current framework is fraught with numerous problems and needs various reforms to cure its deficiencies. The cure should start with setting strict eligibility norms for the appointment of the CTO and CISO. These positions are important to the economic health of the country, and compliance with them should be known to the ultimate stakeholders, i.e., the public. The reports may be submitted to a dedicated Technology and Risk Committee established by SEBI. As already pointed out, the appointments are discretionary; however, this discretion should not become a disadvantage by facilitating partisan appointments. Deciding the prerequisites for such roles is a must.


SEBI needs to go beyond role-based compliance and implement a mandatory incident reporting and disclosure system modelled on the EU’s DORA framework. A time-bound obligation to disclose to SEBI and the public should follow any major technological malfunction, cyber incident, or data breach that affects a recognised SE or CC. This is about institutionalising accountability as a governance norm rather than punishing failures. In the absence of timely reporting requirements, the CISO and the CTO function in informational silos, shielding systemic risks from both market participants and regulators. Instead of being buried in internal compliance reports, a uniform disclosure threshold and set timelines would guarantee that digital risks are identified early and addressed collectively. The Bombay Stock Exchange has a total all-India market capitalisation of more than Rs. 47 lakh crores and is reaching new highs. Mandating compliance disclosures will reinforce investor trust and position India as an attractive market for foreign investors, which is crucial for economic growth.


Furthermore, SEBI should introduce a framework for individualised accountability and independent technological oversight, taking inspiration from the US and UK models. Technology and cybersecurity audits covering the entire organisation should be required every year. These audits should be carried out by internal teams that are structurally separate from system development and operation, or by independent external auditors. In addition, taking a cue from the UK’s SMCR, SEBI should mandate that CTOs, CISOs and relevant executive directors submit explicit Statements of Responsibility that link digital risk oversight to specific individuals. In the event of governance failures, this would eliminate the diffusion of responsibility and allow targeted regulatory action. In the absence of independent validation and individual liability, digital governance remains symbolic, turning crucial offices into procedural stand-ins rather than agents of market resilience. A mandatory external independent audit of the functioning of the CTO and the CISO of SEs and CC is essential for a non-partisan vigil.


Conclusion


SEBI’s recognition of digital systemic risk through the introduction of the CTO and CISO roles is not enough. The true success of these amendments lies in the ultimate defence of market integrity, which will be achieved not merely by defining the roles but by building a binding operational infrastructure around them. The comparative analysis confirms that parallel jurisdictions have succeeded by implementing digital governance that treats the accountability of specialised officers as an executive liability rather than merely a compliance task. To fortify India’s market infrastructure, the next amendment or regulatory phase must transform this structural foundation into a binding framework of proven competence, independent scrutiny, and, above all, clear individual liability. Ultimately, the future of market resilience rests on SEBI’s capacity to enforce behavioural transparency.

©2020 by The Competition and Commercial Law Review.