FE CIO

CIOs, CISOs at MIIs: SEBI’s KMP Reforms Could Be a Turning Point

The existing regulations lack clear definitions and broad roles for the MD and certain KMPs viz. CTO and CISO, says the SEBI consultation paper.

By Abhishek Raval
Updated at: July 15, 2025 4:16 PM

The Securities and Exchange Board of India (SEBI) recently made some important moves that may change the way decisions are taken at Market Infrastructure Institutions (MIIs), empowering them to act as first-line regulators. These decisions and proposals are directed at regulating and ensuring the smooth functioning of the capital market ecosystem in the face of increasing investor participation, and are intended to secure the public interest over commercial considerations.

In a series of decisions, the market regulator, through a circular dated May 26, mandated that the key managerial personnel (KMPs), including the CIO, CTO, CRO, CISO, etc., in the MIIs (stock exchanges, depositories and clearing corporations) should be appointed by an external agency. Their appointment procedure was also changed, and changes were announced to the cooling-off period of the KMPs. Continuing the overhaul, SEBI released a consultation paper with proposals on appointing Executive Directors, and on the directorships and reporting lines of the KMPs.

What is SEBI trying to correct?

SEBI's objective is to clearly define the roles and responsibilities of the KMPs and the MD in the regulations. “The existing regulations lack clear definitions and broad roles for the MD and certain KMPs viz. CTO and CISO. It is imperative to embed these definitions and roles within the regulations to ensure the management's unwavering focus on its core public interest mandate, such as prioritizing technological resilience, market integrity, risk management, and compliance over commercial considerations,” says the SEBI consultation paper released on June 24, 2025.

Repositioning reporting lines of KMPs, no more conflict of interest?

The SEBI paper has proposed changes in the business functions to be governed by the Executive Directors (EDs). Departing from the previous practice of dual roles (for example, in some MII organisations the CISO and CRO are the same person), SEBI has proposed that the CISO and the CTO report to the ED of vertical 1 (critical functions), and that the CRO and Compliance Officer (CO) report to the ED of vertical 2 (regulatory, compliance and risk management).

“They have segregated the top of technology, risk and compliance. That is where conflict of interest could come up,” says an ex-CISO of a large MII. For example, in organizations where one individual is assigned multiple critical roles, such as both CTO and CRO, a significant challenge arises: dual reporting lines. This situation can require the individual to report to two different director-level executives, each with distinct priorities and expectations.

CISO’s role undermined?

The former CISO raised the concern that SEBI’s new governance structure positions the CISO too far down in the chain of command within Market Infrastructure Institutions (MIIs).

“They have pushed the role of a CISO to the fourth level — there is a governing board, then MD, then ED, and then the CISO.”

The new reporting setup could result in security being compromised in favor of business convenience. The ex-CISO says, “If the CISO wants to implement multi-factor authentication, and the operational head cites the challenge of convincing his customers, then that ED will have to take a neutral view,” unless the CISO has direct and independent access to the board.

Currently, board access for CISOs and CROs is discretionary. They attend meetings when convenient or when specifically asked to. The ex-CISO believes this undermines their ability to provide timely alerts or push for important security measures.

“As a CISO, I could be invited where it is convenient. I could be asked not to attend a meeting where it is not convenient… Until the chairman and the board says, ‘Oh, where is the CISO today?’”

He recommended that SEBI should have mandated a permanent seat or at least a quarterly board interaction for the CISO and CRO, to allow for unfiltered risk communication.

There is no ambiguity

While the consultation paper claims to address ambiguity in the roles and responsibilities of key managerial personnel (KMPs) such as CTO, CIO, and CISO in market infrastructure institutions, a former CTO of an exchange, drawing from direct industry experience, strongly believes otherwise.

“I am not sure what the paper is supposed to correct. There are only so many MIIs. In my experience, these MIIs do have well-defined CTO and CISO roles,” he says.

Regulation has a cost

Examining the need to release new regulations on Board structure in the consultation paper, the ex-CTO says, “The justification given is that it is in the public interest -- the regulator should then give examples where some exchange has not behaved in public interest, and how this step will prevent it. Otherwise, why add new rules?”

On the regulatory side in the United States, the former CTO says, “Rule making is backed by justification, typically a regulatory impact analysis that considers the needs and costs of the new rule. That is not available here. Here it does not say why the new rule is necessary; it just says what it is supposed to achieve.” Speaking of the essentials of any rulemaking, he concludes, “One is, is the regulation necessary? Secondly, how is the regulation expected to achieve the goals? Therefore, it (the SEBI paper) does not say what harm is being corrected, and why the appointment of two directors corrects that harm. How do you justify the rulemaking if you do not know what the harm is in the first place?”
