India’s market regulator has issued two stern warnings to the National Securities Depository Limited (NSDL), flagging critical lapses in investor transparency and cyber-risk oversight. As the depository inches closer to its IPO, SEBI has demanded stronger internal controls and heightened accountability to safeguard market integrity.
In a development that has raised questions about the operational robustness of India’s premier securities depository, the Securities and Exchange Board of India (SEBI) has issued two warning letters to the National Securities Depository Limited (NSDL). The reprimands, made public by NSDL on June 3, highlight lapses in compliance, investor visibility, and cybersecurity protocols. These come at a critical juncture as the depository prepares for its initial public offering (IPO).
According to the disclosures, the first warning letter pertains to a glaring issue during IPO allotments, specifically, the non-visibility of securities in demat accounts on the day of IPO allocation. This, compounded by the premature launch of standardized file formats without adequate testing, compromised investor trust and system reliability. In the world of high-frequency trading and real-time retail participation, such a failure is considered a red flag.
IPO Allotment Day Visibility: Investor Trust at Stake
SEBI’s letter draws attention to the erosion of investor confidence when allotted shares fail to appear in demat accounts as expected. Market observers say this can lead to unnecessary panic and legal complications, especially for first-time retail investors.
NSDL, which, along with Central Depository Services Limited (CDSL), plays a pivotal role in handling India’s dematerialised securities, had standardised file formats without fully validating the rollout, a move SEBI called premature and potentially destabilising.
Compliance analysts have stated that the issue could have caused substantial reputational harm in a sensitive market environment. IPO days see heightened investor activity, and visibility issues in demat accounts undermine market transparency.
FCRF x CERT-In Roll Out National Cyber Crisis Management Course to Prepare India’s Digital Defenders
Cybersecurity Flaws and Incomplete Asset Monitoring
The second warning letter dealt with more systemic concerns: NSDL’s inability to fully track and resolve cybersecurity alerts within required timelines, as well as incomplete documentation and monitoring of critical IT infrastructure assets. SEBI noted that several cyber alerts were not acted upon in time, and asset records lacked comprehensiveness, exposing the organization to potential threats.
Additionally, SEBI flagged inadequate reviews of critical systems and gaps in ensuring active monitoring of high-risk digital infrastructure. With the growing digitization of Indian capital markets and rising threat vectors, this breach of cyber hygiene invited serious concern from regulators.
Former SEBI Officials have stated that such lapses can no longer be dismissed as technical glitches. They must be treated as governance failures. With rising cyberattacks on financial infrastructure, accountability has to be non-negotiable.
SEBI’s Cautionary Tone: Stronger Systems or Stricter Action
While NSDL has maintained that there is no financial or operational impact due to these warnings, SEBI’s language leaves little room for doubt. The regulator has emphasized the need for the depository to exercise greater caution, strengthen internal systems, and adhere more strictly to compliance standards to avoid recurrence.
The letters reportedly state, hinting at possible penalties or structural restrictions if corrective measures are not enforced promptly. NSDL’s warning comes at a time when investor scrutiny is high, and trust in India’s financial ecosystem is crucial to attracting global capital. Its upcoming IPO adds urgency to the situation, placing the depository’s operational credibility under the spotlight.
In an increasingly digital and interconnected financial landscape, oversight over cyber and compliance functions is no longer just a backend responsibility. It is a frontline defence for investor confidence and national financial security.
About the author – Prakriti Jha is a student at National Forensic Sciences University, Gandhinagar, currently pursuing B.Sc. LL.B (Hons.) with a keen interest in the intersection of law and data science. She is passionate about exploring how legal frameworks adapt to the evolving challenges of technology and justice.