SEBI has issued new guidelines to enhance their Business Continuity Plan (BCP) and Disaster Recovery (DR) capabilities. These guidelines aim to bolster the overall resiliency of QRTAs, ensure continuous operations, and reduce recovery time in case of a disaster.
Organizational Resilience and Documentation
QRTAs are expected to have robust BCP and DRS systems to maintain data and transaction integrity. To achieve this, they must ensure the following:
Expertise Equality: The staff at DRS/Near Site (NS) should possess the same expertise as those at the Primary Data Center (PDC) to ensure they can operate independently in case of a disaster.
Incident and Response Team: QRTAs must establish an Incident and Response Team (IRT) or Crisis Management Team (CMT), headed by the Managing Director (MD) or Chief Technology Officer (CTO). The team will be responsible for declaring a disaster, implementing the BCP, and shifting operations from PDC to DRS as needed.
Policy Documentation: QRTAs are required to document roles, responsibilities, and actions to be taken by employees, IRT/CMT, and support/outsourced staff in the event of a disaster.
Configuration of DRS/NS with PDC
In addition to maintaining a Disaster Recovery Site (DRS), QRTAs should have a Near Site (NS) to ensure zero data loss. The DRS should ideally be located in different seismic zones, and if this is not feasible, a minimum distance of 500 kilometers between PDC and DRS should be ensured.
Hardware, software, application environments, network and security devices in the DRS should correspond one-to-one with those in the PDC. Any system updates or changes should not be required for the switch from PDC to DRS.
QRTAs are required to ensure a Recovery Time Objective (RTO) of 45 minutes, meaning they must restore critical systems’ operations from DRS within 45 minutes of declaring a disaster. This should be implemented within 90 days from the issuance of the circular.
The “Critical Systems” for QRTAs may include various transaction processes, connectivity with Asset Management Companies (AMCs), NAV calculation-related processes, and others. It is imperative that the RPO (Recovery Point Objective), the maximum tolerable data loss period, is set at 15 minutes.
DR Drills/Testing
QRTAs are expected to conduct regular training programs for employees and outsourced staff to enhance preparedness. DR drills should be held quarterly and closely mimic real trading scenarios. Additionally, unannounced live operations from the DRS should be conducted at least once every three months on normal working days. The results and observations of these drills should be documented and reviewed.
BCP-DR Policy Document
QRTAs are required to have a comprehensive BCP-DR policy document that outlines various aspects of disaster recovery. This document should be approved by the Governing Board, periodically reviewed, and communicated to SEBI.
The BCP-DR policy should also address scenarios of intraday shifting from PDC to DRS, highlighting preparedness in meeting RTO and RPO requirements.