Zebu Share and Wealth Management Penalised Rs5 Lakh by SEBI for Multiple Regulatory Lapses

Moneylife Digital Team 11 August 2025

Investor Interest

Market regulator Securities and Exchange Board of India (SEBI) has imposed a penalty of Rs5 lakh on Zebu Share and Wealth Management Pvt Ltd (Zebu), following a thematic inspection jointly conducted with the Multi-Commodity Exchange of India Ltd (MCX). Zebu, registered with SEBI as a stock broker since 26 February 2014, underwent inspection on 28 and 29 October 2024. The review aimed to verify compliance with the SEBI (Stock Brokers) Regulations, 1992, and applicable circulars.

In an order, Amit Kapoor, adjudicating officer (AO) of SEBI, articulated that "As a SEBI registered intermediary, Zebu is under statutory obligation to comply with the applicable circulars, rules and regulations. Therefore, non-compliances violations by the Zebu deserves and attracts suitable penalty.”

The inspection revealed multiple violations of SEBI and MCX norms. In terms of capacity utilisation monitoring, SEBI’s rules mandate setting alerts when system capacity exceeds 70%. Zebu had configured alerts at 80% for several servers. The company later corrected this to 70% after SEBI’s observation, but the lapse was acknowledged.

In testing before deployment, brokers are required to test software updates or changes before moving them into production. Zebu failed to provide evidence of such testing, admitting the oversight and taking corrective steps later. The inspection also found that the company lacked an incident and crisis management team as mandated by MCX regulations. The team and related policy were put in place only after the inspection.

Further, Zebu had not properly identified all critical assets essential for its operations, omitting its Mynt application and API from the list. Although Mynt was installed on a classified critical system, its listing at the time of inspection could not be confirmed.

In terms of monitoring systems and processes, Zebu did not have mechanisms to continuously monitor security events or detect unauthorised activities during the inspection period. A managed security operations centre was established only later.

The inspection also highlighted gaps in access control to critical systems, as Zebu failed to maintain records of users with access, their purpose and duration. An access management policy was implemented post-inspection.

In relation to server and firewall logs, SEBI requires brokers to retain logs for at least two years. Zebu could not produce logs for its firewall and certain servers, with a log management system being implemented only after the review.

Lastly, Zebu fell short on third-party vendor compliance. Its agreement with vendor Zybisys lacked provisions ensuring adherence to the cybersecurity and cyber resilience framework and even permitted the vendor to share personal data with associates. Compliance instructions were issued to the vendor only after the inspection.

Based on the findings, SEBI concluded that the violations were established and imposed a penalty of Rs5 lakh on Zebu Share and Wealth Management.

Comments