Guidelines of SEBI - A complete Overview

“Cyber Security and Resilience Framework for Stock Exchanges and Depositories”

On June 7, 2022, the Securities and Exchange Board of India (SEBI) released a circular amending its previous one, SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, which established a framework for cyber security and resilience.


PART - 1

Who all are Involved?

Stockbrokers

Depositories

Wealth Management

Asset Management

CERT-In Certification

Kratikal is a CERT-In Empanelled Security Auditor

What Constitutes Critical Assets?


Applicable - The circular's provisions shall take effect immediately.

Modification in Paragraphs

1. Paragraph 11

Identifying and classifying critical assets according to their significance and sensitivity to business services, data management, and operations. Up-to-date inventory of hardware, software, and information assets must be kept, and the Board, Partners, and Proprietor must approve the list of critical systems.

2. Paragraph 41

To identify vulnerabilities in the IT environment and conduct a thorough assessment of the security posture, in-depth vulnerability assessment and penetration testing (VAPT) must be performed on critical assets and infrastructure components such as servers, security devices, and networking systems.

3. Paragraph 42

Conducting VAPT at least once a year is mandatory for stockbrokers and depository participants. All stockbrokers and depository participants may only conduct VAPT through CERT-In empanelled organisations. After receiving the Technology Committee's approval, and within one month of the VAPT's completion, the final report must be submitted to the stock exchange or depository.

4. Paragraph 44

Any gaps or vulnerabilities found during in-depth VAPT must be closed right away, and compliance with all findings must be submitted within three months of the final VAPT report's submission.

5. Comprehensive Cyber Audit

Further, a Comprehensive Cyber Audit must be conducted once a year. A declaration from the Board/Partners/Proprietors certifying compliance with all SEBI circulars and advisories related to cyber security must be submitted to the Stock Exchange/Depository.

PART - 2

On June 9, 2022, the Securities and Exchange Board of India (SEBI) released a circular amending its previous one, SEBI/HO/IMD/DF2/CIR/P/2019/12 dated 10 January 2019, which established a framework for cyber security and resilience for Mutual Funds/Asset Management Companies (AMCs).

Who all are Involved?

Mutual Funds All Organisations

Asset Management Company

Board of Trustee of Mutual Funds

Association of Mutual Funds in India


Applicable - The circular's provisions shall be effective as of July 15, 2022.

Modification in Paragraphs

1. Paragraph 11

Identifying and classifying critical assets according to their significance and sensitivity to business services, data management, and operations. An up-to-date inventory of hardware, software, and information assets must be kept, and the Board and Trustees of AMCs must approve the list of critical assets.

2. Paragraph 40

Mutual funds shall perform routine VAPT at least once a year on critical assets and infrastructure components, including servers, security devices, and networking systems, following the "audit the auditor" approach, in order to identify security vulnerabilities in the IT environment and carry out a comprehensive assessment of the security posture. Mutual fund systems designated by NCIIPC as "protected systems" must undergo VAPT at least twice a year.

3. Paragraph 41

Any gaps or vulnerabilities identified during VAPT shall be closed immediately, and compliance with all findings shall be submitted within three months of the submission of the final VAPT report.

4. Paragraph 42

Prior to commissioning a new system that is a critical system, Mutual Funds/AMCs are required to perform vulnerability scanning and penetration testing on it.

5. Paragraph 51

Any cyber risks, incidents, or breaches discovered by Mutual Funds/AMCs must be reported to SEBI and CERT-In within six hours. Systems designated as protected systems are also required to notify NCIIPC of these threats. Quarterly reports must be submitted to SEBI within 15 days of the end of the quarter.

6. Comprehensive Cyber Audit

Further, a Comprehensive Cyber Audit must be conducted twice a year. A declaration from the Managing Director/Chief Executive Officer of the Mutual Fund/AMC certifying compliance with all SEBI circulars and advisories related to cyber security must be submitted.

Frequently Asked Questions (FAQs)

1. What will happen if a company doesn't follow SEBI guidelines?

Any violation or suspected violation of the SEBI (Prohibition of Insider Trading) Regulations, 2015 must be reported to SEBI by the company or its compliance officer, and SEBI may impose a fine or other penalty.

2. Why were the SEBI guidelines modified?

The guidelines have been modified in light of SEBI's requirement that organisations identify their critical assets and keep an up-to-date inventory of those assets.

3. What is the purpose of SEBI guidelines?

The aims of the SEBI System Audit are to monitor the stock exchange's operations, to ensure that the confidentiality and integrity of data are upheld, to protect investors' rights, and to maintain a strong cyber security and cyber resilience framework.

4. What are the recent SEBI guidelines on cyber security?

Two circulars were recently amended. The first was SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, which established a framework for cyber security and resilience for stockbrokers and depositories; the second was SEBI/HO/IMD/DF2/CIR/P/2019/12 dated 10 January 2019, which established a framework for cyber security and resilience for Mutual Funds/Asset Management Companies (AMCs).