
Sebi amends cyber security, cyber resilience framework of KYC registration agencies

The Securities and Exchange Board of India (SEBI) amended the cyber security and cyber resilience framework for KYC Registration Agencies (KRAs) on Monday.

Ayushi Singh

The capital markets regulator, the Securities and Exchange Board of India (SEBI), amended the cyber security and cyber resilience framework for KYC Registration Agencies (KRAs) on Monday, requiring them to carry out a complete cyber audit at least twice a financial year, according to a PTI report.


According to the circular, all KRAs have been directed to submit, along with the cyber audit report, a statement from the MD and CEO certifying compliance with all of Sebi’s cyber security-related guidelines and advisories issued from time to time.

Business-critical systems, internet-facing applications/systems, and systems holding sensitive data, sensitive personal data or personally identifiable information, among others, should all be classified as critical assets. Any auxiliary system that connects to or communicates with a critical system, whether for operations or maintenance, must also be designated a critical system. The list of critical assets must be approved by the KRA’s board.

Sebi added: “To this end, KRA must maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.”


KRAs must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) covering all infrastructure components and critical assets, such as servers, network systems, security devices and other IT systems, in order to detect security vulnerabilities in the IT environment and to evaluate in depth the security posture of the system by simulating real attacks on their systems and networks, according to Sebi.

KRAs must also undertake VAPT at least once a financial year, according to the regulation.

VAPT must be done at least twice in a fiscal year for KRAs whose systems have been recognized as a ‘protected system’ by the National Critical Information Infrastructure Protection Centre (NCIIPC), according to Sebi.


Furthermore, all KRAs are required to have VAPT carried out only by CERT-In empanelled organisations. Within a month of completing the VAPT activity, the final VAPT report must be submitted to Sebi, with the approval of the technology standing committee of the respective KRA.

Sebi said: “Any gaps/vulnerabilities detected must be remedied immediately, and the closure compliance of the findings identified during VAPT will be sent to Sebi within 3 months after the VAPT’s final report is submitted to Sebi.” Before deploying a new critical system, or a new component of an existing critical system, KRAs must also conduct vulnerability scans and penetration tests.

The new framework takes effect immediately, according to Sebi, and all KRAs must inform the regulator of their progress in implementing the circular within 10 days.

(Source:  PTI)
