Capital markets regulator Sebi on Tuesday fine-tuned the cybersecurity and cyber-resilience framework for stockbrokers and depository participants and mandated them to carry out a comprehensive cyber audit at least once every financial year.
Along with the cyber audit reports, stockbrokers and depository participants were asked to submit to the exchanges and depositories a statement from their Managing Director and CEO certifying compliance with all Sebi guidelines and notices related to cybersecurity issued from time to time, according to a circular.
Under the modified framework, they must identify and classify critical assets based on their sensitivity and criticality to business operations, services and data management.
Business-critical systems, internet-facing applications and systems, systems containing sensitive data, sensitive personal data, sensitive financial data and personally identifiable information (PII), among others, must all be treated as critical assets.
All auxiliary systems that connect to or communicate with critical systems, whether for operation or maintenance, should also be classified as critical systems.
The board of directors of the stockbroker or depository participant is required to approve the list of critical systems.
“To this end, securities dealers/custodian participants shall maintain an up-to-date inventory of their hardware and systems, software and information assets (internal and external), details of their network resources, connections to their network and data streams,” said Sebi.
According to Sebi, stockbrokers and depository participants should carry out regular vulnerability assessment and penetration testing (VAPT) covering critical assets and infrastructure components, both to detect security vulnerabilities in the IT environment and to obtain an in-depth assessment of the security posture of their systems through simulation of real-world attacks on their systems and networks.
Stockbrokers and depository participants are required to conduct VAPT at least once every financial year, and may engage only CERT-In empanelled organisations to conduct it.
The final VAPT report, approved by the technology committee of the respective stockbroker or depository participant, must be submitted to Sebi within one month of completion of the VAPT.
“Any deficiencies/vulnerabilities detected must be corrected immediately, and compliance with the closure of the findings identified during the VAPT must be submitted to the exchanges/depositories within three months of the submission of the final VAPT report,” the regulator said.
Last month, the regulator issued an amended cybersecurity and cyber-resilience framework for market infrastructure institutions, namely exchanges, depositories and clearing houses, and for KYC registration agencies (KRAs).