
NGX VAPT Requirements: What Listed Companies Need to Know

March 25, 2026 | ClarenSec Team

    If your organisation holds a Trading License from the Nigerian Exchange Group (NGX) and operates an online trading portal, there is a compliance requirement you cannot afford to overlook. NGX Regulation mandates that all Trading License Holders with online trading portals must complete a Vulnerability Assessment and Penetration Test (VAPT) at least twice per year. This is not a recommendation. It is a regulatory obligation, and non-compliance can have serious consequences for your licence and your reputation.

    Capital markets are a high-value target for cybercriminals. Online trading portals handle sensitive financial data, process transactions worth millions of naira daily, and provide direct access to client accounts. A single vulnerability in these systems could lead to unauthorised trades, data theft, or financial losses that ripple across the market. NGX introduced the VAPT requirement to ensure that organisations operating these portals are proactively identifying and addressing security weaknesses before attackers can exploit them.

    • 2x: minimum VAPT assessments required per year
    • TLH: Trading License Holders with online portals must comply
    • 90%+: of our assessments uncover critical findings

    Who Needs to Comply?

    The requirement applies specifically to Trading License Holders (TLHs) that operate online trading portals. In practical terms, this includes stockbroking firms, dealing member firms, and other licensed entities on the NGX that provide clients with web-based or mobile platforms for executing trades, viewing portfolios, or managing investment accounts online.

    If your organisation falls into this category, the VAPT requirement is mandatory. It does not matter whether your portal is built in-house or managed by a third-party vendor. The responsibility to ensure the platform is tested and secure rests with the licence holder.

    Organisations that do not operate an online trading portal may not be directly affected by this specific requirement, but the broader principle still applies. NGX expects all market participants to maintain robust cybersecurity practices, and VAPT is widely regarded as a baseline measure for any organisation handling sensitive financial data.

    What Should the Assessment Cover?

    A proper VAPT for an NGX-regulated online trading portal is not a simple automated scan. It is a structured, multi-layered assessment that examines the platform from the perspective of both an external attacker and an insider threat. The key areas that should be covered include:

    • Authentication and session management. How does the portal verify user identity? Are login mechanisms resistant to brute force attacks, credential stuffing, and session hijacking? Are password policies enforced, and is multi-factor authentication available and properly implemented?
    • Access control. Can users access only the data and functions they are authorised to use? Are there weaknesses that would allow a regular user to escalate privileges, view another client's portfolio, or perform administrative actions?
    • Business logic testing. This is where the assessment goes beyond technical vulnerabilities. Testers examine the application's workflows for flaws that could be exploited. For example, can a user manipulate trade parameters, bypass transaction limits, or exploit timing issues in order processing?
    • API security. Modern trading portals rely heavily on APIs to communicate between the front end, back end, and third-party services. These APIs must be tested for injection attacks, broken authentication, excessive data exposure, and rate limiting weaknesses.
    • Data protection. Is sensitive data (client details, financial records, transaction histories) encrypted in transit and at rest? Are there any pathways through which data could be leaked, whether through error messages, insecure storage, or misconfigured servers?
    • Mobile application security. If the trading portal includes a mobile app, it must be tested separately. Mobile-specific risks include insecure local storage, weak certificate pinning, reverse engineering vulnerabilities, and insecure communication channels.

    How Often and When?

    The NGX requirement is clear: at least twice per year. Many organisations schedule their assessments to align with the first and third quarters, ensuring that any vulnerabilities introduced by platform updates or infrastructure changes are caught within a reasonable window. However, the timing is flexible as long as two full assessments are completed within each calendar year.

    It is also worth noting that VAPT should not be treated as a once-and-done activity. If your organisation makes significant changes to the trading portal, such as deploying a new feature, migrating to a new hosting provider, or integrating a new payment gateway, an additional assessment is strongly recommended. The regulatory minimum is twice per year, but best practice is to test whenever the risk profile changes.

    What Deliverables Should You Expect from Us?

    A credible VAPT engagement produces more than a list of vulnerabilities. Our deliverables give both technical and non-technical stakeholders a clear picture of your organisation's security posture and a practical path forward. Here is what our assessment includes:

    • Executive summary. A high-level overview written for management and board members. It should explain the scope of the assessment, the overall risk level, and the most critical findings in plain language.
    • Technical report with CVSS scoring. Each identified vulnerability should be documented with a clear description, proof of concept (where applicable), and a severity rating using the Common Vulnerability Scoring System (CVSS). This standardised scoring allows your team to prioritise remediation based on actual risk.
    • Remediation roadmap. A prioritised list of recommendations, organised by severity and effort. The roadmap should be practical, telling your development and IT teams exactly what to fix and in what order.
    • Re-testing. After your team addresses the identified vulnerabilities, the assessor should conduct a re-test to verify that the fixes are effective and have not introduced new issues. This step is essential for demonstrating due diligence.
    • NGX compliance report. A formal report structured to meet NGX's specific requirements. This is the document you will submit to demonstrate compliance, and it should be clear, well-organised, and aligned with the regulator's expectations.

    Choosing the Right Assessor

    The quality of a VAPT engagement depends almost entirely on the assessor. Not all cybersecurity firms have the expertise, methodology, or regulatory understanding needed to deliver an assessment that meets NGX standards. Here are the factors that matter most when selecting a VAPT partner:

    • Recognition by NGX. Work with an assessor that is recognised by the Nigerian Exchange Group. This ensures the assessor understands the specific regulatory context and reporting requirements, and that the resulting report will be accepted by the regulator.
    • Relevant experience. Look for a firm with demonstrated experience in testing financial platforms, trading systems, and applications that handle high-value transactions. The threat landscape for capital markets is different from general web application testing.
    • Tailored testing approach. Avoid assessors who apply a one-size-fits-all methodology. Every trading platform is different, and the testing approach should be adapted to your specific architecture, workflows, and risk profile. Ask how they plan to scope your engagement.
    • Clear communication. The best assessors produce reports that are useful, not just impressive. Technical findings should be paired with clear, actionable recommendations. The executive summary should be genuinely readable by non-technical stakeholders.
    • Confidentiality and professionalism. Your assessor will have deep access to your systems and data during the engagement. Ensure they have strong confidentiality agreements in place and a track record of professional conduct.

    ClarenSec is a recognised NGX VAPT assessor with experience supporting Trading License Holders through the compliance process. Our approach combines thorough technical testing with clear reporting and hands-on remediation support.

    Preparing for Your VAPT

    Getting the most value from a VAPT engagement requires some preparation on your side. Here are practical steps to take before the assessment begins:

    • Define the scope clearly. Identify all components of your online trading portal, including web applications, mobile apps, APIs, and any supporting infrastructure. Make sure the assessor knows exactly what needs to be tested.
    • Provide access and documentation. Share relevant architecture diagrams, user roles, and API documentation with the assessor. The more context they have, the more thorough and efficient the assessment will be.
    • Coordinate with your development team. Ensure that your developers are available to support the engagement, especially during the remediation and re-testing phases. Delays in fixing identified issues can extend the timeline and increase costs.
    • Plan for remediation time. A VAPT will almost certainly uncover issues that need fixing. Build remediation time into your schedule so that you can address findings promptly and complete the re-test before your compliance deadline.
    • Keep records. Document every engagement, including scope agreements, reports, remediation actions, and re-test results. These records demonstrate a pattern of due diligence and will be valuable during regulatory reviews.

    The Bigger Picture

    A compromised trading portal does not just affect one firm. It can erode investor confidence and damage the credibility of the broader market. The organisations that treat VAPT as a real security exercise, not a compliance checkbox, are the ones that build the most resilient platforms.

    Security is not a one-time exercise. Test often, fix fast, and keep your platform worthy of your clients' trust.

    Need an NGX-compliant VAPT? ClarenSec is a recognised assessor. We help Trading License Holders test, remediate, and report.
