SEBI amends cyber security and cyber resilience framework of KYC Registration Agencies (KRAs).

The Securities and Exchange Board of India (SEBI), on 30th May 2022, amended the framework for Cyber Security and Cyber Resilience for KYC Registration Agencies (KRAs). KRAs are mandated to conduct a comprehensive cyber audit at least twice a financial year. All KRAs shall submit, along with the cyber audit report, a declaration from the MD/CEO certifying compliance by the KRA with all SEBI circulars and advisories related to cyber security issued from time to time.

As per the amendment, KRAs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. KRAs shall maintain an up-to-date inventory of their hardware and systems, software and information assets (internal and external), details of their network resources, connections to their network, and data flows.

KRAs shall carry out periodic vulnerability assessment and penetration tests (VAPT) which inter alia cover critical assets and infrastructure components such as servers, networking systems, security devices, load balancers and other IT systems pertaining to the activities carried out as KRAs, in order to detect security vulnerabilities in the IT environment and to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.

KRAs must undertake VAPT at least once a financial year. However, for KRAs whose systems have been identified as a “protected system” by NCIIPC under the Information Technology (IT) Act, 2000, VAPT shall be conducted at least twice in a financial year.

Any gaps/vulnerabilities detected shall be remedied on an immediate basis, and compliance with the closure of findings identified during the VAPT shall be submitted to SEBI within 3 months of the submission of the final VAPT report.

Further, KRAs shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system that is a critical system or part of an existing critical system.