SEBI on August 24 has provided for modification in cyber security and cyber resilience framework of Stock Exchanges, Clearing Corporations and Depositories. Market Infrastructure Institutions are mandated to conduct comprehensive cyber audit at least 2 times in a financial year. Along with cyber audit reports, henceforth, MIIs are directed to submit a declaration from the MD/CEO certifying that:
- Comprehensive measures and processes including suitable incentive/disincentive structures, have been put in place for identification/detection and closure of vulnerabilities in the organization’s IT systems.
- Adequate resources have been hired for staffing their Security Operations Center(SOC).
- There is compliance by the MII with all SEBI circulars and advisories related to cyber security.
MIIs, whose systems have been identified as Critical Information Infrastructure (CII) by National Critical Information Infrastructure Protection Centre (NCIIPC), are mandated to send regular updates/closure status of the vulnerabilities found in their respective “protected systems” to NCIIPC.
MIIs are required to take necessary steps to put in place systems for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any. MIIs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 30 days from the date of this Circular.