BSE Notice: Cyber Security Disclosure Format for Listed Companies

Introduction: The Bombay Stock Exchange (BSE) is at the forefront of ensuring transparency and accountability in the Indian financial markets. In line with this commitment, BSE has issued Notice No. 20230929-26 dated September 29, 2023, pertaining to the format of Cyber Security Incidence Disclosure under the Corporate Governance Report. This notice is of significant importance for all listed entities and aims to enhance cyber security reporting and compliance.

SEBI’s Regulatory Framework: The Securities and Exchange Board of India (SEBI) has been proactive in strengthening the regulatory framework for listed entities. In this context, SEBI issued Notification No. SEBI/LAD-NRO/GN/2023/131 on June 14, 2023, which introduced the SEBI (Listing Obligations and Disclosure Requirements) (Second Amendment) Regulations, 2023. Notably, sub clause 27(2)(ba) was inserted, which mandates the disclosure of Cyber Security incidents, breaches, loss of data, or documents in the Corporate Governance Report.

Quarterly Reporting Requirement: The new regulation requires listed entities to disclose such cyber security incidents on a quarterly basis. This regulatory change became effective from July 14, 2023, onwards. Therefore, it is imperative for all listed entities to understand and comply with this reporting requirement.

Key Reporting Fields: To facilitate the reporting process, BSE has introduced new fields in the existing Corporate Governance Report utility. These fields include:

• Whether as per Regulation 27(2)(ba) of SEBI (LODR) Regulations, 2015 there has been cyber security incidents or breaches or loss of data or documents during the quarter: Listed entities must indicate whether any such incidents occurred during the quarter, and they can respond with “Yes” or “No.”
• Date of the event: This field requires specifying the date when the cyber security incident occurred.
• Brief details of the event: Listed entities are expected to provide a concise description of the incident or breach.

Effective Date: These changes in the XBRL utility will come into effect for the quarter ending on September 30, 2023, and for all subsequent quarters. It is essential for listed entities to prepare for these changes and ensure compliance with the reporting requirements.

Conclusion: In an increasingly digitized world, cyber security is a paramount concern for businesses and financial markets. SEBI’s introduction of sub clause 27(2)(ba) and BSE’s subsequent notice regarding Cyber Security Incidence Disclosure are crucial steps toward enhancing transparency and safeguarding the interests of investors and stakeholders. Listed entities must promptly adapt to these changes, embrace robust cyber security practices, and diligently report any incidents in compliance with the regulatory framework. The BSE’s commitment to these standards reflects its dedication to maintaining the integrity and credibility of India’s financial markets.

*****