The Securities and Exchange Board of India (Sebi) has come out with certain modifications in the existing cyber security and cyber resilience framework, which has essentially tightened the rules around cyber security for market infrastructure institutions (MIIs).
Cyber security is a big issue globally. Data breaches, deep fake scams, phone hacks are on an increasing curve globally. Just last year, the Central Depository Services (CSDL) suffered data breaches twice within 10 days, and exposed data of approximately four crore Indians.
What Did Sebi Say?
The Sebi made certain modifications regarding the existing cyber security and cyber resilience framework.
Critical Assets: Sebi said that MIIs should identify and classify or designate critical assets based on their sensitivity and criticality for business operations, services, and data management.
The critical assets should include business-critical systems, Internet-facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information (PII) data, among others.
All the ancillary systems used for accessing or communicating with critical systems either for operations or maintenance should also be classified as critical systems.
“To this end, MII should maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” read the Sebi circular.
Vulnerability Assessment: Sebi has said in the circular that every MII should carry out periodic vulnerability assessment and penetration testing (VAPT), which includes all critical assets and infrastructure components like servers, networking systems, security devices, load balancers, and other IT systems pertaining to the activities done as a role of MII.
This vulnerability testing should be done at least once in a financial year. But for those MIIs whose systems have been identified as protected systems by the National Critical Information Infrastructure Protection Centre (NCIIPC), should conduct VAPT at least twice in a financial year.
Vendors: Sebi has said that the vulnerability tests should only be conducted by Indian Computer Emergency Response Team (CERT-In) empanelled organisations, and the final report of this VAPT test should be submitted to Sebi after approval from Standing Committee on Technology (SCOT) of respective MIIs, within one month of completion of VAPT test.
Cyber Audit: Sebi has also made it mandatory for all MIIs to conduct a comprehensive cyber audit at least two times in a financial year. Along with this cyber audit report, all MIIs are also directed by Sebi to submit a declaration of compliance from their managing director or the CEO with all Sebi circular and advisories related to cyber security issues from time to time.
