The CBI, which registered a case in 2018 in the NSE co-location scam, is probing how an audit company incorporated in 2001 by Sanjay Pandey, who last week retired as Commissioner of Police, Mumbai, did not red flag that the NSE servers were compromised. The compromise had allowed one of the trading companies to get unfair access to the system, resulting in windfall profits.

When the firm iSec Services Pvt Ltd was incorporated in March 2001, Pandey was not in service. He quit the directorship in May 2006, with his mother Santosh and son Armaan becoming directors in the company. Based out of Oshiwara in Andheri, it was one of the IT companies tasked with conducting security audits at NSE during 2010 to 2015 when the co-location scam is believed to have taken place. The CBI has recorded the statement of one of the company employees, a source said.

The CBI’s investigation over the course of the last four years long had led to the arrest of former NSE managing director Chitra Ramkrishna and its former group operating officer Anand Subramanian.

“The security audit company should have been able to detect the breaches in the NSE system during the period when the scam took place. We are looking into the processes followed by the company to test the security of the systems,” a source added, speaking of iSec Services Pvt Ltd.

Pandey refused to talk on the issue, while an e-mail sent by The Sunday Express to iSec company did not receive any response. An e-mail sent to the CBI seeking its response also did not get any reply.

However, sources close to the company said that iSec was merely responsible for conducting audits of the devices used by the brokers who were using the co-location facility provided by the NSE, to check if they had proper Internet connection, firewall facility, among other technical aspects. A source said, “iSec did not have any access to the NSE servers, so there was no way they could detect that the system had been compromised and a co-location scam was underway.”

An expert told The Sunday Express that an IT auditor is responsible for analysing and assessing an organisation’s technological infrastructure to find problems with efficiency, risk management and compliance. An IT auditor also identifies any IT issues that fall under the audit, specifically those related to security and risk management. The audit process can extend to networks, software, programmes, communication systems, security systems and any other services that rely on the company’s technological infrastructure.

IT audits are important for evaluating internal control and processes in an effort to keep the organisation and its data secure from external or internal threats.

“Audits are meant to examine controls on client-connected servers and networks. An audit examines current technology in the organisation and future technologies that will need to be adopted. Any step against regulation and compliance must be red flagged by IT auditors as they are the watchdogs of internal and external information flows,” the expert said.

Some BJP leaders had accused Pandey of going after its leaders at the behest of the then MVA government, a charge denied by the officer. BJP leader Mohit Kamboj against whom an FIR was registered in connection with a bank fraud had hinted that Pandey could face action after his retirement on June 30. Soon after recording his statement with police last month, Kamboj had said: “While the 1st (June 1) belongs to the person who registered this case against me, the 30th (June 30) will belong to us.”

As per iSec’s financial records, the company was incorporated by Pandey and one Pankaj Chandra, with 5,000 shares each. Pandey quit the directorship in May 2006, with his mother Santosh and son Armaan becoming directors in the company. Currently Santosh is the whole-time director while one Anand Narayan is the other director. As per the shareholding pattern provided by the company as on March 31, 2021, Santosh and Armaan each hold 50% each in the company and Sanjay Pandey is not a shareholder.

iSec Private Security Ltd’s website says it was established in 2001 and is an ISO certified company. “We are engaged in ensuring security of information through a variety of security services, helping detect and prevent theft of information. iSec has been providing information security management services to various clients both in India as well as abroad. iSec’s efforts are supported by professional information security consultants who have requisite certifications in information security.”

It is, however, important to note that Sanjay Pandey had submitted his resignation in 2000 before he incorporated iSec Services in 2001. While his resignation was not accepted by the government then, it was later accepted in 2002, against which he appealed in the court.

The NSE co-location scam relates to the manipulation of the exchange by giving select players access to market information ahead of the rest of the market. Co-location facilities that were rolled out in August 2009 are dedicated spaces in the NSE exchange building, right next to the exchange servers, where generally institutional investors and brokers place their systems or programmes. Owing to the close proximity to stock exchange servers, traders in these facilities have an advantage over others as they get faster access to the price feed distributed by the stock market. The charge for these services is high, and hence only big brokers rent such a space.

The CBI is probing the charge that one of the trading members, Delhi-based OPG Securities, was provided unfair access between 2012 and 2014, that enabled it to log in first and get the data before others in the co-location facility. The broker is believed to have been assisted by certain NSE employees.The scam came to light due to a whistleblower’s complaint to SEBI in 2015, laying out the modus operandi.

The CBI registered a case in May 2018 and arrested Subramaniam and Ramkrishna on February 25 and March 6 this year, respectively. Last month, the CBI filed a chargesheet against the duo, who are currently in judicial custody. Their bail pleas were rejected by a Special CBI Court in May.

Last month, the CBI also arrested Sanjay Gupta, the owner and promoter of OPG Securities Pvt Ltd. CBI officials have accused Gupta of trying to destroy evidence and to bribe SEBI officials investigating the NSE co-location scam case through a ‘syndicate’. The CBI said it was also probing unidentified officials of SEBI and the NSE along with unknown persons.

In a charge-sheet in the case, the CBI has alleged that Ramkrishna abused her official position in key decisions, among other charges. In February, SEBI had charged Ramkrishna and others with governance lapses in the appointment of Subramanian as the chief strategic advisor and his re-designation as group operating officer and advisor to MD.

Ramkrishna had told the regulators that a formless mysterious “yogi” had been guiding her over emails in taking decisions. The CBI, which expanded the scope of its probe after the SEBI report, has told the court that this formless yogi was actually Subramanian, who was the beneficiary of Ramkrishan’s decisions.

Ramkrishna had succeeded former CEO Ravi Narian in 2013 and appointed Subramanian as her advisor. He was later elevated as Group Operating officer with a pay package of Rs 4.21 crore annually. She was MD and CEO from April 2013 to 2016. A probe into her email exchanges during the SEBI-ordered audit had revealed that the appointment and subsequent elevation of Subramanain along with other crucial decisions were taken by Ramkrishna guided by a “formless mysterious yogi residing in the Himalayas”.

In her statement to SEBI, Ramkrishna said that the Yogi having email ID rigyajursama@outlook.com was a ‘sidha-purusha’ or ‘paramhansa’ who did not have a physical form but could appear at will.