HDFC Securities Ltd (HDFC Sec) recently settled a case with the Securities and Exchange Board of India (SEBI) by paying Rs 65 lakh for multiple regulatory lapses in its IT infrastructure, disaster recovery framework, and cybersecurity measures. SEBI had issued a show cause notice (SCN) on 8 August 2024, highlighting several non-compliances within the brokerage firm’s operations.  

1. IT Infrastructure and Monitoring Deficiencies  
One of the key concerns raised by SEBI was HDFC Sec’s failure to set up proper monitoring mechanisms for its IT systems. The company's IT policies did not trigger alerts when the utilisation of critical assets exceeded 70%. Additionally, during an inspection, it was discovered that only five out of 52 servers had the log analytics and monitoring application (LAMA) installed, leaving 47 servers without this essential security measure.  

2. Gaps in Disaster Recovery Mechanisms  
Another violation involved HDFC Sec's failure to conduct a full trading day disaster recovery (DR) drill every quarter, as required by regulatory guidelines. Regular DR drills are crucial for ensuring operational resilience in the event of a system failure, but the company was found to be lacking in this regard.  

3. Inadequate Cybersecurity Measures  
SEBI also found significant shortcomings in HDFC Sec’s cybersecurity policies. The company did not have a well-defined cyber resilience framework, and it failed to properly classify its applications and servers based on their criticality. Proper categorisation is essential for safeguarding sensitive systems and mitigating cyber risks effectively.  

4. Settlement Process with SEBI  
Following the SCN, HDFC Sec submitted a settlement application on the same date, 8 August 2024, seeking to resolve the matter. SEBI’s internal committee (IC) reviewed the application and recommended a settlement amount of Rs 65 lakh. HDFC Sec’s authorised representative was informed about this decision. The company later submitted revised settlement terms in alignment with the IC’s recommendations.  

5. Final Approval and Payment of Settlement Amount  
The high-powered advisory committee (HPAC) assessed the settlement application on 24 December 2024, and the panel of whole-time members (WTMs) gave their approval on 5 February 2025. On 4 March 2025, HDFC Sec officially notified SEBI about the payment of the settlement amount.  

6. SEBI Retains the Right for Further Action  
Despite the settlement, SEBI has clarified that this agreement does not prevent further regulatory action if HDFC Sec is later found to have provided incomplete or misleading information, failed to uphold settlement commitments, or violated any undertakings. The regulator retains the authority to pursue additional measures if discrepancies arise.