SEBI Imposes Rs1 Lakh Penalty on Link Intime for Cybersecurity Lapses

Moneylife Digital Team 12 February 2025

Investor Interest

Market regulator Securities and Exchange Board of India (SEBI) has imposed a penalty of Rs1 lakh on Link Intime India Pvt Ltd for cybersecurity violations committed by TSR Consultants Pvt Ltd (TSR) before their amalgamation. The violations were linked to delayed reporting of the closure of cybersecurity vulnerabilities identified during a vulnerability assessment and penetration testing (VAPT) audit.

In his 35-page order, N Hariharan, chief general manager (CGM), noted that as a registered intermediary, TSR Consultants was legally required to comply with SEBI circulars fully. However, TSR Consultants failed to do so, as detailed earlier. It was also established that Link Intime is liable for violations committed by TSR before the amalgamation.

TSR was registered with SEBI as a registrar to an issue and share transfer agent (RTA). It was amalgamated with Link Intime India following approval by the national company law tribunal (NCLT).

SEBI inspected TSR Consultants from 1 September 2022 to 30 November 2023, from 12th to 16 February 2024. The findings were shared on 22 March 2024, and TSR responded on 4 April 2024, leading to a post inspection analysis.

One of the key allegations against TSR was its failure to close 62 cybersecurity vulnerabilities identified during the VAPT audit, which included nine critical and seventeen high-risk issues. SEBI's circulars require such vulnerabilities to be addressed and compliance reports to be submitted within three months.

While TSR Consultants confirmed that it had resolved the vulnerabilities, it admitted to not submitting the closure reports to SEBI within the stipulated timeframe. The closure reports were eventually submitted in June 2024, more than a year after the initial findings from February to April 2023. SEBI observed that this delay violated the timelines outlined in its circulars.

Another significant issue in the case was whether Link Intime, as the successor entity following the amalgamation, could be held responsible for TSR's non-compliance before the merger. Link Intime argued that it should not be liable for actions or violations that occurred prior to the amalgamation, as TSR Consultants was dissolved after the merger.

However, SEBI referred to Clause 7 of the NCLT-approved scheme of amalgamation, which explicitly stated that all liabilities, obligations, and debts of TSR were transferred to Link Intime. Consequently, SEBI held Link Intime accountable for TSR's cybersecurity lapses.

SEBI concluded that TSR had violated Clause 41 of Annexure A to its Circular dated 8 September 2017, and Clause 2 of the Circular dated 27 May 2022, due to the delayed submission of VAPT closure reports.

Considering that TSR eventually submitted the VAPT closure reports on 7 June 2024, SEBI imposed a penalty of Rs1 lakh on Link Intime.

SEBI also noted that TSR had previously faced penalties for similar violations under the SEBI (Registrar to an Issue and Share Transfer Agents) Regulations, 1993.

You may also want to read:

Link Intime India Fined Rs1 Lakh for Cybersecurity Lapses

Comments