SEBI modifies cyber security and cyber resilience framework for stock brokers/depository participants.

On 7th June 2022, the Securities and Exchange Board of India (SEBI) modified the cyber security and cyber resilience framework for stock brokers/depository participants, mandating them to conduct a comprehensive cyber audit at least once in a financial year.

All Stock Brokers / Depository Participants shall submit to the Stock Exchange/Depository, along with the cyber audit report, a declaration from the MD/CEO/Partners/Proprietors certifying compliance by the Stock Brokers / Depository Participants with all SEBI circulars and advisories related to cyber security issued from time to time.

Further, the Stock Brokers / Depository Participants shall carry out periodic Vulnerability Assessment and Penetration Tests (VAPT), which inter alia include critical assets and infrastructure components such as servers, networking systems, security devices, load balancers and other IT systems pertaining to the activities done as Stock Brokers / Depository Participants, in order to detect security vulnerabilities in the IT environment and to evaluate in depth the security posture of the system through simulations of actual attacks on its systems and networks. Stock Brokers / Depository Participants shall conduct VAPT at least once in a financial year.

The critical assets shall include business-critical systems, internet-facing applications/systems, and systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing or communicating with critical systems, either for operations or maintenance, shall also be classified as critical systems.
