SEBI modifies cyber security and cyber resilience framework of stock exchange, clearing corporation and depositories.


The Securities and Exchange Board of India on 20th May 2022, has modified the framework for Cyber Security and Cyber Resilience for stock exchanges, clearing corporations and depositories. Cyber  security framework  include  measures,  tools  and processes  that  are  intended  to  prevent  cyber-attacks  and  improve  cyber  resilience.  Cyber Resilience is  an organization’s ability  to prepare  and  respond to  a  cyber  attack  and to continue operation during, and recover from, a cyber attack.

 In partial modification to Annexure A of SEBI’s earlier circular dated July 06, 2015, the paragraph-11, 40, 41 and 42 has been substituted as follows.

The Market Infrastructure Institutions (MII) should identify and classify/designate critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets should include business critical systems, internet facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance should also be classified as critical system. The Board of the MII shall approve the list of critical systems.

MIIs should carry out periodic vulnerability assessment and penetration testing (VAPT) which inter-alia includes all critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as a role of MII etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.

Any gaps/vulnerabilities detected have to be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 months post the submission of final VAPT report to SEBI.

Further, the MIIs are mandated to conduct comprehensive cyber audit at least 2 times in a financial year. Along with the Cyber audit reports, henceforth, all MIIs are directed to submit a declaration from the MD/ CEO certifying compliance by the MII with all SEBI Circulars and advisories related to Cyber security issued from time to time.

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill in the form

    Labour LawsEnvironment, Health and SafetyDirect Tax lawsIndirect tax laws (GST/ Customs / VAT)Corporate Laws (Company Law, SEBI & FEMA)Food Safety LawsFinancial Service sectorInsurance SectorHealthcare SectorOther ancillary laws

    Do you want GST Refund ?

      Get In Touch

        Get Bulk Subscription