SEBI has caused quite a stir in the cyber world recently with the release of its new guidelines and regulations for Stock Brokers, Depositories, and AMCs.
The regulations modify the previous Annexures, SEBI/HO/MIRSD/CIR/PB/2018/147 (dated December 03, 2018), and SEBI/HO/IMD/DF2/CIR/P/2019/12 (dated January 10, 2019), released by the Board with the intention of protecting the investors’ interests in the securities market.
The guidelines mandate many regulations, including mandatory in-depth VAPT evaluation once a year, identification and classification of critical assets, regular comprehensive cyber audit, and many more.
What is SEBI?
The counterpart of the United States Securities and Exchange Commission (SEC), the Securities and Exchange Board of India (SEBI) is the leading Indian regulator of the securities market with a goal “to protect the interests of investors in securities and to promote the development of, and to regulate, the security market”. SEBI was established in April 1992 after the parliament passed the Securities and Exchange Board of India Act.
With wide-ranging regulatory, investigative, and enforcement powers, which also include the authority to impose fines on violators, SEBI is mainly responsible for three groups:
- Security Enforcers
What do the New SEBI Guidelines talk about
On June 07, 2022, SEBI released an exclusive circular modifying the Cyber Security and Cyber Resilience Framework for –
- Stock Brokers
The partially revised Annexure-1 (dated December 03, 2018) released by SEBI altered paragraphs 11, 41, 42 and 44.
SEBI soon released a second circular on June 09, 2022, an adjusted version of Annexure-1 (dated January 10, 2019), which specifically targeted –
- Mutual Funds
- Asset Management Companies (AMCs)
- Trustee Companies/ Boards of Trustees of Mutual Funds
- Association of Mutual Funds in India (AMFI)
The modifications in paragraphs 11, 41, and 42 were similar to the changes made in the previous one, with paragraphs 40 and 51 bringing in new guidelines for these specific organizations.
The modifications in Circular 1 (no. SEBI/HO/MIRSD/TPD/CIR/2022/80) –
The changes in this paragraph require Stock Brokers/Depository Participants to –
- Identify and classify their critical assets, based on their sensitivity and criticality, for business operations, services, and data management. The critical assets include:
- Business Critical Systems
- Internet Facing Applications/Systems
- Systems Containing Sensitive Data
- Sensitive Personal/Financial Data
- Personally Identifiable Information (PII)
- Ancillary systems used for accessing/communicating with critical systems, whether for operations or maintenance, are to be classified as critical systems.
- The list of critical systems is required to be approved by the Board/Partners/Proprietors of the Stock Brokers/Depository Participants.
- The participants shall maintain an up-to-date inventory of all their hardware and software systems, information assets (external and internal), details of their network resources, and connections to their networks/data flows.
In order to detect security vulnerabilities in the IT infrastructure, the changes in this paragraph deem it necessary for Stock Brokers/Depositories to conduct periodic, in-depth Vulnerability Assessment and Penetration Testing (VAPT) for all their critical assets and infrastructure components like –
- Networking Systems
- Security Devices
- Load Balancers, etc.
- In-depth VAPT shall be conducted at least once in a financial year, and only CERT-In empanelled organizations are to be approached for the evaluation.
- The final report should be submitted to the Stock Exchange/Depositories after approval of the Technology Committee of the respective participants within 1 month of VAPT evaluation.
- Vulnerability scanning and penetration testing are also to be conducted prior to the commissioning of a new system that is a critical system or part of an existing critical system.
Any gaps or vulnerabilities detected during the VAPT shall be remedied, and the closure shall be submitted to the Stock Exchanges/Depositories within 3 months of the submission of the final VAPT report.
Some additional guidelines in the first circular –
- The participants are mandated to conduct a comprehensive cyber audit at least once in a financial year and are required to submit a declaration from the MD/CEO/Partners/Proprietors certifying compliance by the Stock Brokers/Depositories regularly, along with the cyber audit report, with the Stock Exchange/Depository.
- The participants shall take the required steps to adhere to the new regulations and shall communicate their status of implementation to the Stock Exchange/Depositories within 10 days from the release of the Circular.
- The Stock Exchanges/Depositories are required to make the necessary amendments for the implementation of the guidelines and to bring these regulations to the notice of their members/participants.
The provisions of Circular 1 shall come into force with immediate effect.
The modifications in Circular 2 (no. SEBI/HO/IMD/IMD-I/DOF2/COR/2022/81) –
Critical assets, such as Web Application Systems, Servers, PII, etc., shall be identified and classified, and the list of critical assets shall be approved by the Board of the AMCs and Trustees. The participants shall also maintain an up-to-date inventory of their hardware and software assets.
- Periodic, in-depth VAPT of the critical assets and infrastructure is to be conducted once every financial year, and only CERT-In empanelled organizations are to be approached for the tests.
- For the Mutual Funds/AMCs whose systems have been identified by the National Critical Information Infrastructure Protection Centre (NCIIPC) as “protected systems” under the IT Act 2000, VAPT should be conducted at least twice in a financial year.
Any gaps or vulnerabilities detected shall be remedied, and confirmation of their closure shall be submitted to SEBI within 3 months of the submission of the final VAPT report.
Mutual Funds/AMCs shall perform vulnerability scanning and penetration testing prior to commissioning a new critical system.
- All cyber-attacks, threats, cyber-incidents, and breaches encountered by Mutual Funds/AMCs are to be reported to SEBI within 6 hours of their detection, or being brought to the participant’s attention.
- Such incidents are also to be reported to CERT-In in accordance with the regulations it issues periodically. Mutual Funds or AMCs whose systems are identified as “protected systems” by NCIIPC shall also report them to NCIIPC.
- The quarterly reports containing information on cyber-attacks shall be submitted to SEBI within 15 days from the quarter ending June, September, December, and March every year.
- The required information can be shared through dedicated email IDs: email@example.com and firstname.lastname@example.org.
The additional modifications in Circular 2 are –
- The AMCs or Mutual Funds are mandated to conduct comprehensive cyber audits at least twice in a financial year.
- They are also required to submit the audit reports, along with a declaration from the Managing Director (MD)/ Chief Executive Officer (CEO) certifying compliance by the Mutual Funds/AMCs with all the SEBI advisories and circulars regularly.
- Necessary steps are to be taken for the implementation of the circular.
The provisions of Circular 2 for Mutual Funds/AMCs will come into effect from July 15, 2022.
Comply with the new SEBI Guidelines with Kratikal
The new SEBI guidelines mandate periodic VAPT evaluation from only CERT-In empanelled companies. CERT-In recognized organizations hold a significant position in the field due to their expertise and experience, and are trusted by the government to deal with cybersecurity issues responsibly.
As a CERT-In empanelled cybersecurity solutions firm, Kratikal’s only objective is to make the world free of cybercrime. With our complete suite of VAPT services, such as Web/Application Penetration Testing, Network Penetration Testing, Cloud Penetration Testing, and many more, and security auditing for Compliance, Kratikal serves a diverse range of industries including 600+ SMEs and 150+ enterprises, globally.
Through Kratikal’s in-depth VAPT, organizations can detect the vulnerabilities in their critical infrastructure and keep their critical assets secure.
Do you think SEBI’s new guidelines make things easier for Brokers and Depositories/Mutual Funds? Share your thoughts in the comments below!