SEBI Issues Measures to Protect Securities Market Client Records

The Securities and Exchange Board of India (SEBI), vide circular dated 15th October 2019, has issued a cyber security and cyber resilience framework for KYC Registration Agencies (KRAs).

Key Highlights from the Notification:

SEBI stated that rapid technological developments in the securities market have highlighted the need to maintain a robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy.

Since KRAs perform the important function of maintaining KYC records of clients in the securities market, they shall have a robust cyber security and cyber resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market.

Thus, the framework on cyber security and cyber resilience is made applicable to KRAs, and the framework provided in Annexure A of the circular is to be complied with by the KRAs. KRAs are directed to take the necessary steps to put in place systems for implementation of this circular by January 01, 2020.

KRAs should adopt a cyber security policy, approved by the Board of the KRA, that encompasses the principles prescribed by the National Critical Information Infrastructure Protection Centre (NCIIPC) and incorporates best practices from standards such as ISO 27001, ISO 27002, COBIT 5, etc. They should appoint a Chief Information Security Officer (CISO) and a Technology Committee.

KYC Registration Agencies (KRAs) would be required to define the responsibilities of their employees, including outsourced staff, who have privileged access to the networks. They should encourage their third-party service providers to follow similar standards of security.
