Sebi asks exchanges to perform cyber audit at least twice every financial year

Capital markets regulator Sebi on Friday tweaked the cybersecurity and cyber-resilience framework of stock exchanges and other market infrastructure institutions and mandated them to carry out a comprehensive cyber audit at least twice in a fiscal year.

Along with the cyber audit reports, they were asked to submit a statement from the Managing Director and CEO certifying the compliance of Market Infrastructure Institutions (MIIs) – exchanges, clearing houses and custodians – with all guidelines and notices from Sebi related to cybersecurity issued from time to time, according to a circular.

Under the amended framework, MIIs must identify and categorize critical assets based on their sensitivity and criticality to business operations, services, and data management. Critical assets should include business-critical systems, internet-connected applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data and personally identifiable information, among others.

All ancillary systems used to access or communicate with critical systems, whether for operation or maintenance, should also be classified as critical systems. In addition, the MII's board will need to approve the list of critical systems.

“To this end, the MII shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data stream,” Sebi said.

According to Sebi, MIIs should conduct periodic vulnerability assessment and penetration testing (VAPT) covering all critical infrastructure assets and components such as servers, network systems, security devices, hardware and other IT systems, to detect security vulnerabilities in the IT environment and to assess the system's security posture in depth through simulations of real attacks on its systems and networks. It further stated that MIIs should perform VAPT at least once per financial year.

However, for MIIs whose systems have been identified as a “protected system” by the National Critical Information Infrastructure Protection Centre (NCIIPC), Sebi said the VAPT should be performed at least twice during a financial year. Additionally, all MIIs are required to engage only CERT-In empanelled organisations to conduct VAPT.

The final report on the VAPT must be submitted to Sebi after approval by the respective MII's Technology Standing Committee, within one month of the end of the VAPT activity. “Any deficiencies/vulnerabilities detected must be corrected immediately and the compliance of the closure of the findings identified during the VAPT must be submitted to Sebi within 3 months of the submission of the final VAPT report to Sebi,” the regulator said.

In addition, MIIs must also perform vulnerability scanning and penetration testing before commissioning a new system that is a critical system or part of an existing critical system. The new framework comes into force with immediate effect, Sebi said, adding that all MIIs must report the status of their implementation of the circular to the regulator within 10 days.

(Edited by: Anand Singha)