Capital markets regulator Sebi on Tuesday tweaked the cyber security and cyber resilience framework for stock brokers as well as depository participants and mandated them to conduct a comprehensive cyber audit at least once in a financial year.
Along with the cyber audit reports, stock brokers and depository participants have been asked to submit to stock exchanges and depositories a declaration from the MD and CEO certifying compliance by them with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular.
Under the modified framework, they should identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.
All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.
The board of the stock broker or depository participant is required to approve the list of critical systems.
"To this end, stock brokers/depository participants shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows," Sebi said.
According to Sebi, stock brokers and depository participants must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that cover critical assets and infrastructure components. The aim is to detect security vulnerabilities in the IT environment and to carry out an in-depth evaluation of the security posture of the system by simulating real attacks on its systems and networks.
Stock brokers and depository participants are required to conduct VAPT at least once in a financial year. Further, they are required to engage only CERT-In empanelled organisations for conducting VAPT.
Within a month from the completion of the VAPT, the final report must be submitted to Sebi with the approval of the technology committee of respective stock brokers and depository participants.
"Any gaps/vulnerabilities detected shall be remedied on an immediate basis, and compliance of closure of findings identified during VAPT shall be submitted to the stock exchanges/depositories within 3 months post the submission of the final VAPT report," the regulator said.
Last month, the regulator came out with a modified cyber security and cyber resilience framework for market infrastructure institutions (stock exchanges, depositories and clearing corporations) and KYC registration agencies (KRAs).