A few modifications have been made to the existing framework for cyber security and cyber resilience by the Securities and Exchange Board of India (SEBI), which has essentially tightened the rules surrounding the security of market infrastructure institutions (MIIs).
In a recent move, SEBI tweaked the cybersecurity and resilience framework of stock exchanges and other market infrastructures and mandated that comprehensive cyber audits be conducted at least twice a year.
According to the circular, an accompanying declaration from the CEO and MD of each MII (stock exchanges, clearing corporations and depositories) must also be submitted to confirm compliance with the SEBI guidelines and advisories on cyber security issued from time to time.
As part of the new framework, MIIs are required to identify and classify critical assets as per their sensitivity and criticality to operations, services, and data management. These assets include business-critical systems, web-facing applications and systems, as well as systems that contain sensitive data, sensitive personal and financial information, among others.
In addition, all ancillary systems used to access or communicate with critical systems, whether for operational or maintenance purposes, should also be classified as critical systems. Furthermore, the MII board is responsible for approving the list of critical systems.
SEBI advises MIIs to conduct periodic vulnerability assessment and penetration testing (VAPT) at least once a year.
SEBI said, however, that for MIIs whose systems have been designated as “protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC), the VAPT must be conducted at least twice in a fiscal year. Furthermore, MIIs must engage only CERT-In empanelled organisations to conduct the VAPT.
After the VAPT activity is completed, a final approved report from the respective MII’s Standing Committee on Technology should be submitted to SEBI. MIIs must also perform vulnerability scanning and penetration testing before commissioning a system that is a critical system or a part of an existing critical system.
The new framework will take effect immediately. The MIIs must inform the regulator of their progress within 10 days of their implementation.
Written by: Sahid K P
Edited by: Adv. Sabrina Bath