
NEPSE mandates regular IT audit for stockbrokers to enhance cybersecurity

By REPUBLICA

KATHMANDU, March 2: The Nepal Stock Exchange (NEPSE) has made it mandatory for brokering companies to conduct regular audits of their digital infrastructure, aiming to mitigate cyber risks amid growing trading volumes.



Enforcing the 'IT Audit Guidelines 2026,' NEPSE has directed stockbrokers to carry out information technology (IT) audits every two years and submit the report to the regulator within the second quarter of the concerned fiscal year. New brokering companies must conduct their first IT audit within six months of commencing operations. Additionally, brokers are required to undergo another audit if they upgrade their trading platforms or make significant changes to their operating systems.


The IT audit encompasses a comprehensive assessment of brokers' Trading Management System, back office system, network infrastructure, mobile application, web portal, and data management and storage systems.




NEPSE first introduced its fully automated Online Trading System on November 6, 2018. Since then, brokering companies have integrated numerous features to facilitate online stock trading for their clients. However, investors have frequently faced disruptions due to technical glitches in these digital platforms. According to NEPSE, the new audit requirement aims to safeguard investors and the market system from such technical faults during secondary market transactions.


The guideline places special emphasis on IT governance and risk management. Under the new rules, stockbrokers must clearly define their IT strategy, policies, and responsibilities. In terms of network security, auditors will test the effectiveness of firewalls, access control systems, physical security of servers, and intrusion detection systems.


For trading systems, the audit will include a detailed review of features such as order entry, order history, various order management functions, and transaction limits. The guidelines also mandate compliance with standards for Customer Identity Verification (KYC), user management, password security, data encryption, and regular backups.


The guideline further sets qualification criteria for third-party entities hired to conduct IT audits. Only firms employing at least three experts will be eligible. The audit team leader must hold recognized certifications such as CISA, CISM, or CISSP and possess at least five years of work experience.


Additionally, the audit firm must be registered with the government authority, have no outstanding tax dues, and not be blacklisted. NEPSE has clarified that action will be taken as per prevailing rules against brokers who fail to comply with the guidelines or submit IT audit reports on time.
