The Securities and Exchange Board of India (SEBI), the regulator of capital markets, on Friday made a mandatory comprehensive cyber audit of market infrastructure firms (stock exchanges, depositories, clearing corporations) at least twice in a financial year. Further, with the audit report, the regulator instructed all MIIs to submit a declaration from MDs / CEOs “confirming compliance with all SEBI circulars and cybersecurity advice issued by MII from time to time.”
In order to identify security vulnerabilities in the IT (information technology) environment and in-depth assessment of system security, regulators on Friday asked the relevant authorities to conduct periodic vulnerability assessments and penetration tests (VAPT), among other things, servers, networking systems, security devices, load balancers and MII. All important resources and infrastructure components like other IT systems related to the activities performed as a role of.
VAPT should be conducted at least once in a financial year. However, for MIIs whose systems have been identified as “protected systems” by the National Critical Information Infrastructure Protection Center (NCIIPC), VAPT will operate at least twice a fiscal year, SEBI said.
After conducting this, the final report of VAPT should be submitted to Sebi within one month after completion of VAPT activities, after the approval of the relevant MII Standing Committee on Technology (SCOT). SEBI said in a circular on Friday that “any gaps / weaknesses identified should be addressed immediately and consent to close the results identified during VAPT should be submitted to Sebi within three months after the submission of the final VAPT report.”
Additionally, exchanges and other MIIs are required to conduct vulnerability scanning and penetration testing before launching a new system, which is part of a critical system or existing critical system.
SEBI said the new framework for cyber security and cyber resilience would be effective immediately and all MIIs have been directed to inform the regulator within 10 days about the status of implementation of the notification.