SEBI modifies cyber security and cyber resilience framework of stock exchanges, clearing corporations and depositories.

On 20th May 2022, the Securities and Exchange Board of India modified the framework for Cyber Security and Cyber Resilience for stock exchanges, clearing corporations and depositories. A cyber security framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience. Cyber resilience is an organization’s ability to prepare for and respond to a cyber attack, to continue operating during it, and to recover from it.

In partial modification of Annexure A of SEBI’s earlier circular dated July 06, 2015, paragraphs 11, 40, 41 and 42 have been substituted as follows.

The Market Infrastructure Institutions (MIIs) should identify and classify/designate critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets should include business critical systems, internet facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems, either for operations or maintenance, should also be classified as critical systems. The Board of the MII shall approve the list of critical systems.

MIIs should carry out periodic vulnerability assessment and penetration testing (VAPT) which, inter alia, includes all critical assets and infrastructure components such as servers, networking systems, security devices, load balancers and other IT systems pertaining to the activities done in the role of an MII. The purpose is to detect security vulnerabilities in the IT environment and to evaluate the security posture of the system in depth through simulations of actual attacks on its systems and networks.

Any gaps/vulnerabilities detected have to be remedied immediately, and compliance of closure of the findings identified during VAPT shall be submitted to SEBI within 3 months of the submission of the final VAPT report to SEBI.

Further, the MIIs are mandated to conduct a comprehensive cyber audit at least 2 times in a financial year. Henceforth, along with the cyber audit reports, all MIIs are directed to submit a declaration from the MD/CEO certifying compliance by the MII with all SEBI circulars and advisories related to cyber security issued from time to time.
