--- title: "Fortifying the Digital Frontier: Decoding NCDEX’s 2026 Master Circular on Cyber Security Compliance" date: 2026-04-20 author: "Tanvi Dalvi" url: https://www.indialaw.in/blog/cyber-law/ncdex-cyber-security-circular-2026/ --- # Fortifying the Digital Frontier: Decoding NCDEX’s 2026 Master Circular on Cyber Security Compliance Posted On - 20 April, 2026 • By - [Tanvi Dalvi](https://www.indialaw.in/author/tanvi-dalvi/ "Posts by Tanvi Dalvi") [![person in black long sleeve shirt using macbook pro](https://www.indialaw.in/wp-content/uploads/em5w9_xj3uu-1.jpg)](https://www.indialaw.in/wp-content/uploads/em5w9_xj3uu-1.jpg) *Circular No. NCDEX/Member Tech Compliance-007/2026 – April 13, 2026* ## Introduction On April 13, 2026, the National Commodity & Derivatives Exchange Limited (NCDEX) issued Master Circular No. NCDEX/Member Tech Compliance-007/2026, consolidating all operational cyber security compliance directives applicable to its members as of March 31, 2026. This Master Circular consolidates and operationalises the cyber security compliance obligations already issued by NCDEX and SEBI up to March 31, 2026, providing a unified reference framework. ## Mandatory Cyber Incident Reporting The circular reaffirms the obligation of all members to formally record and submit quarterly reports detailing cyber-attacks, threats, and mitigation measures experienced during each financial quarter. Such reports must be transmitted to the Exchange via the prescribed email address or the NSE Common Submission Portal within stipulated deadlines specifically, by the 15th day following the conclusion of each quarter. This framework, rooted in SEBI’s circular of October 2019, serves the dual purpose of enabling institutional learning and ensuring regulatory visibility into the sector’s evolving threat landscape. ## Cyber Security and Resilience Audit Obligations Members are further mandated to commission and submit digitally signed Cyber Security and Cyber Resilience Audit Reports at defined intervals. Type I and Type II Trading Members are subject to annual audits, whereas Type III Trading Members utilising NNF facilities, algorithmic trading, or Qualified Stock Broker (QSB) status must undergo half-yearly audits. The audit report is considered complete only when accompanied by management comments, and each non-compliance identified by the auditor must be remedied through a Corrective Action Taken Report (ATR) submitted within prescribed timelines. Non-submission or delayed submission attracts penal charges, reinforcing the binding nature of this obligation. ## Vulnerability Assessment and Penetration Testing The circular prescribes that Vulnerability Assessment and Penetration Testing (VAPT) be conducted annually during the period September to November, exclusively by agencies empanelled under CERT-In. The final VAPT report must be submitted to the Exchange within one month from the date of completion, following approval by the member’s Technology Committee. Members are additionally required to conduct VAPT prior to the commissioning of any new internet-accessible system, thereby embedding security review as an integral component of system deployment governance. ## SaaS Compliance and Cloud Governance In recognition of the increasing adoption of cloud-based and Software-as-a-Service (SaaS) solutions, the circular directs members to confirm, on a half-yearly basis, whether specified categories of confidential data are hosted on SaaS platforms, in accordance with CERT-In advisory guidelines. Separately, a dedicated framework governs the adoption of cloud services by SEBI-regulated entities, requiring such entities to remain cognisant of the unique cyber security risks and governance challenges that cloud computing introduces. These provisions collectively reflect a regulatory awareness of the evolving digital infrastructure landscape. ## Technical Glitches: Framework and Reporting A detailed Standard Operating Procedure (SOP), effective January 9, 2026, governs the identification, reporting, and remediation of technical glitches in members’ electronic trading systems. A “technical glitch” is defined as any malfunction in hardware, software, network, or bandwidth that results in a disruption to trading or risk management functions for a continuous period of five minutes or more. The SOP applies to IBT and STWT platform providers with more than 10,000 registered clients. Upon the occurrence of such a glitch, members are obligated to notify the Exchange and affected clients within two hours, file a Preliminary Incident Report by T+1, and submit a Root Cause Analysis within fourteen working days. ## API Security, Authentication, and Vendor Obligations The circular sets forth comprehensive API security standards applicable to Exchange-empanelled vendors and Application Service Providers. These standards mandate the maintenance of an API inventory, the deployment of strong mutual authentication mechanisms, centralised API gateway security, data encryption, input validation, rate limiting, and regular security assessments aligned with the OWASP Top 10 framework. Vendors are further required to conduct annual software audits in accordance with ISO 12207:2017 standards. The inclusion of vendor obligations within this master circular signals the Exchange’s intent to extend compliance responsibility across the technology supply chain. ## Two-Factor Authentication and Session Management All members offering IBT and STWT platforms are required to implement Two-Factor Authentication (2FA) for every client login attempt. Of particular note is the requirement that active login sessions be mandatorily terminated at the end of each trading day, with subsequent access permitted only upon successful re-authentication. This provision addresses a systemic vulnerability whereby client sessions remained active across multiple trading days, thereby exposing investor accounts to unauthorised access. ## Geo-Political Preparedness, CSK Onboarding, and the CSCRF In response to heightened geo-political risks, the circular advises members to strengthen their Security Operations Centre (SOC) monitoring capabilities, act promptly on CERT-In and NCIIPC advisories, and remain vigilant against DDoS and ransomware threats. Additionally, stockbrokers with more than 50,000 active traded clients are required to register with the CERT-In Cyber Swachhta Kendra (CSK) platform. The circular also clarifies key provisions of SEBI’s Cybersecurity and Cyber Resilience Framework (CSCRF), including the methodology for computing registered client counts and the categorisation of proprietary stockbrokers for compliance applicability purposes. ## Conclusion The NCDEX Master Circular of 2026 constitutes a consolidated and enforceable compliance framework derived from existing regulatory mandates for cyber security governance in the commodity derivatives market. Its provisions touch every dimension of a member’s technology operations from incident reporting and penetration testing to vendor management and client authentication. [Statutory And Regulatory Compliance](https://www.indialaw.in/expertise/statutory-and-regulatory-compliance/)[Cybersecurity and Incident Response](https://www.indialaw.in/expertise/technology-law/cybersecurity-and-incident-response/) --- # IndiaLaw LLP — Offices & Contact Details --- ## General Contact | | | |---|---| | **Website** | https://www.indialaw.in | | **Primary email** | contact@indialaw.in | | **Primary phone** | +91 836-9995919 | | **Contact form** | https://www.indialaw.in/connect/ | | **Careers (separate channel)** | https://www.indialaw.in/careers/ | --- ## All Offices (9 locations across 8 cities) ### 1. Mumbai — Registered Office & Head Office (Apeejay Chambers) | | | |---|---| | **Address** | Apeejay Chambers, Ground Floor, Wallace Street, Fort, Mumbai – 400 001 | | **Phone** | [022-6924-7400](tel:02269247400) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/mumbai/ | | **Practice focus** | Litigation · Arbitration · Insolvency & Bankruptcy · Corporate · Banking · Real Estate · IP | | **Notes** | The HQ. 5 partners based here. Handles PAN-India litigation, arbitration, corporate, banking, IP and real estate practice. Largest team across all offices. | ### 2. Mumbai — Non-Litigation Office (Excelsior, Fort) | | | |---|---| | **Address** | 4th Floor, New Excelsior Theatre Pvt. Ltd., Amrit Keshav Nayak Marg, Fort, Mumbai – 400 001 | | **Phone** | [022-697-40500](tel:022-697-40500) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/mumbai/ | | **Practice focus** | Non-litigation only — consultations, negotiations, transactional work | | **Notes** | Opened 2024. Litigation and arbitration remain at the Apeejay Chambers head office. | ### 3. Delhi | | | |---|---| | **Address** | Flat No. 1107 & 1108, Prakashdeep Building, Tolstoy Marg, Connaught Place, New Delhi – 110 001 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/delhi/ | | **Practice focus** | Litigation · Arbitration · Insolvency & Bankruptcy · Corporate · Banking · Real Estate | | **Notes** | 3 partners based here. Located near the Supreme Court of India, Delhi High Court and other appellate bodies. | ### 4. Kolkata | | | |---|---| | **Address** | Centre Point Building, Room No. 214, 2nd Floor, Premises No. 21, Hemanta Basu Sarani, Opp. Great Eastern Hotel, P.S. Hare Street, Kolkata – 700 001, West Bengal | | **Phone** | [+91 33 4813 1001](tel:+913348131001) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/kolkata/ | | **Practice focus** | Insolvency & Bankruptcy · Commercial & Civil Litigation · Arbitration · Banking Litigation · Real Estate · Labour & Employment · Consumer | | **Notes** | Advises banks, NBFCs, MSMEs and corporates on transactions and dispute resolution. Works in close coordination with the Mumbai HO. | ### 5. Chennai | | | |---|---| | **Address** | GF-A, 19 Casa Major Road, Egmore, Chennai – 600 008 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/chennai/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate | | **Notes** | Full-fledged office with experienced legal team. Supported by Mumbai HO. | ### 6. Bengaluru (Bangalore) | | | |---|---| | **Address** | INDIALAW LLP, No. 7 Chinnaswamy Mudaliar Road, Shivaji Nagar, Bangalore – 560 051 | | **Phone** | [080-4167-2444](tel:08041672444) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/bengaluru/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate · Family Laws · Labour | | **Notes** | Located near Bangalore High Court. Handles corporate, commercial, banking and matrimonial disputes. | ### 7. Hyderabad | | | |---|---| | **Address** | 403, 4th Floor, Sanatana Ecstasy Building, beside Tanishq Show Room, Himayathnagar, Hyderabad – 500 029, Telangana | | **Phone** | [040-6666-5166](tel:04066665166) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/hyderabad/ | | **Practice focus** | Litigation · Banking · Insolvency & Bankruptcy · Real Estate | | **Notes** | Particularly well known for complex banking matters and real estate transactions. | ### 8. Cochin (Kochi) | | | |---|---| | **Address** | Second Floor, Pulikkal Building, K.K. Padmanabhan Road, Ernakulam North – 682 018, Kerala | | **Phone** | [0484-3583961](tel:04843583961) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/cochin/ | | **Practice focus** | Litigation · Insolvency & Bankruptcy · Real Estate | | **Notes** | Commercial disputes, property litigation, financial-claim arbitrations and real estate transactions. | ### 9. Noida (NCR) | | | |---|---| | **Address** | No. 16 & 17, Silver Offices, 17th Floor, Wave One, Sector 18, Noida – 201 301 | | **Phone** | (general line: +91 836-9995919) | | **Email** | contact@indialaw.in | | **Page** | https://www.indialaw.in/noida/ | | **Practice focus** | Aviation · Insurance · Mergers & Acquisitions · Corporate | | **Office head** | **Mr. Dinesh Gupta** (joined August 2025 to lead and expand the corporate practice) | | **Notes** | Newest office. Sector-focused on highly regulated industries serving NCR-based clients. | --- ## Quick-Dial Phone List | Office | Phone | |---|---| | Mumbai HO (Apeejay) | 022-6924-7400 | | Mumbai Excelsior | 022-697-40500 | | Kolkata | +91 33 4813 1001 | | Bengaluru | 080-4167-2444 | | Hyderabad | 040-6666-5166 | | Cochin | 0484-3583961 | | **General / Marketing line** | **+91 836-9995919** | Delhi, Chennai and Noida route through the general number. --- ## Social Channels - LinkedIn: https://www.linkedin.com/company/indialaw - X / Twitter: https://twitter.com/Indialawmumbai - Facebook: https://www.facebook.com/indialawllp/ - Instagram: https://www.instagram.com/indialawllp ---