“Cyber Security and Resilience Framework for Stock Exchanges and Depositories”
On June 7, 2022, the Securities and Exchange Board of India (SEBI) released a circular amending its
previous one, SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, which established a framework for cyber
security and resilience.
PART - 1
Who Is Involved?
What Constitutes Critical Assets?
Applicable - The circular's provisions shall take effect immediately.
Modification in Paragraphs
Critical assets must be identified and classified according to their significance and sensitivity
to business services, data management, and operations. An up-to-date inventory of hardware, software,
and information assets must be kept, and the Board, Partners, or Proprietor must approve the list
of critical systems.
To identify vulnerabilities in the IT environment and conduct a thorough assessment of
the security posture, in-depth vulnerability assessment and penetration testing (VAPT)
must be performed on critical assets and infrastructure components such as servers, security
devices, and networking systems.
Conducting VAPT at least once per year is mandatory for stockbrokers and depository participants.
All stockbrokers and depository participants may have VAPT conducted only by CERT-In
empanelled organizations. After receiving the Technology Committee's approval, and within a month
of the VAPT's completion, the final report must be submitted to the stock exchange or depository.
Any gaps or vulnerabilities found during in-depth VAPT must be closed right
away, and compliance with all findings must be reported within three months
of the final VAPT report's submission.
Comprehensive Cyber Audit
Further, a Comprehensive Cyber Audit must be conducted once a year.
A declaration from the Board/Partners/Proprietors certifying compliance
with all the SEBI circulars and advisories related to cyber security
must be submitted to the Stock Exchange/Depository.
PART - 2
On June 9, 2022, the Securities and Exchange Board of India (SEBI) released a
circular amending its previous one, SEBI/HO/IMD/DF2/CIR/P/2019/12 dated 10
January 2019, which established a framework for cyber security and resilience for
Mutual Funds/Asset Management Companies (AMCs).
Who Is Involved?
Mutual Funds
Asset Management Companies
Boards of Trustees of Mutual Funds
Association of Mutual Funds in India
Applicable - The circular's provisions shall be effective as of July 15, 2022.
Modification in Paragraphs
Critical assets must be identified and classified according to their significance and sensitivity to business services,
data management, and operations. An up-to-date inventory of hardware, software, and information assets must be kept,
and the Board and Trustees of the AMC must approve the list of critical assets.
Mutual Funds/AMCs shall perform routine VAPT at least once a year on critical assets and
infrastructure components, including servers, security devices, and networking systems,
using the "audit the auditor" approach, in order to identify security vulnerabilities in the
IT environment and to carry out a comprehensive assessment of security posture. Mutual Funds/AMCs
whose systems have been designated by NCIIPC as "protected systems" must undergo
VAPT at least twice a year.
Any gaps or vulnerabilities identified during VAPT shall be remediated immediately, and compliance with
all findings shall be reported within three months of the submission of the final VAPT report.
Before commissioning any new critical system, Mutual Funds/AMCs are
required to perform vulnerability scanning and penetration testing on it.
Any cyber risks, incidents, or breaches discovered by Mutual Funds/AMCs must be reported to
SEBI and CERT-In within six hours. Entities whose systems are designated as protected systems must also
notify NCIIPC of these threats. Quarterly reports must be submitted to SEBI within 15 days of the end
of each quarter.
Comprehensive Cyber Audit
Further, a Comprehensive Cyber Audit must be conducted twice a year. A declaration from the
Managing Director/Chief Executive Officer certifying compliance with all the SEBI circulars
and advisories related to cyber security must be submitted by the Mutual Funds/AMCs.
Frequently Asked Questions (FAQs)
1. What will happen if a company doesn't follow SEBI guidelines?
Any violation or suspected violation of the SEBI (Prohibition of Insider Trading) Regulations,
2015 must be reported to SEBI by the company or its compliance officer, and SEBI may impose a fine or penalty.
2. Why were the SEBI guidelines modified?
The guidelines have been modified in light of SEBI's requirement that organizations
identify their critical assets and keep an updated list of those assets.
3. What is the purpose of SEBI guidelines?
The aims of the SEBI system audit are to monitor the stock exchange's operations, to ensure
that the confidentiality and integrity of data are upheld in order to protect investors' rights,
and to establish a strong cyber security and cyber resilience framework.
4. What are the recent SEBI guidelines on cyber security?
Two circulars were recently amended. The first was SEBI/HO/MIRSD/CIR/PB/2018/147
dated December 03, 2018, which established a framework for cyber security and resilience
for stockbrokers and depositories, and the second was SEBI/HO/IMD/DF2/CIR/P/2019/12 dated 10
January 2019, which established a framework for cyber security and resilience for Mutual Funds/Asset
Management Companies (AMCs).