Capital markets regulator Securities and Exchange Board of India (Sebi) on Friday mandated a compulsory comprehensive cyber audit of market infrastructure institutions (stock exchanges, depositories, clearing corporations) at least twice during the financial year. Further, along with the audit reports, the regulator has directed all MIIs to submit a declaration from MDs/CEOs “certifying compliance by the MII with all Sebi Circulars and advisories related to Cyber security issued from time to time.”
To detect security vulnerabilities in the IT (information technology) environment and for in-depth evaluation of security posture of the system, the regulator on Friday has asked authorities concerned to carry out periodic vulnerability assessment and penetration testing (VAPT), inter-alia including all critical assets and infrastructure components like servers, networking systems, security devices, load balancers, and other IT systems pertaining to the activities done as a role of MII.
The VAPT is to be conducted at least once in a financial year. However, for MIIs, whose systems have been identified as “protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC), VAPT shall be conducted at least twice in a financial year, Sebi said.
Post conducting the same, the final report on VAPT should be submitted to Sebi after approval from the Standing Committee on Technology (SCOT) of respective MIIs within a month of completion of VAPT activity. “Any gaps/vulnerabilities detected have to be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to Sebi within three months post the submission of final VAPT report to Sebi,” said Sebi in the circular on Friday.
Additionally, exchanges and other MIIs are required to perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system, which is a critical system or part of an existing critical system.
Sebi said the new framework for cyber security and cyber resilience will come into force with immediate effect and all MIIs are directed to communicate the status of the implementation of the circular to the regulator within 10 days.