Securities and Exchange Board of India
October 15, 2019
All Recognised Stock Exchanges
Depositories – NSDL and CDSL
Dear Sir / Madam,
Subject: Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants – Clarifications
1. SEBI, vide circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, prescribed the framework for Cyber Security & Cyber Resilience for Stock Brokers / Depository Participants.
2. Paragraph 52 of Annexure 1 of the SEBI circular dated December 03, 2018 specifies the following regarding sharing of information:
Quarterly reports containing information on cyber-attacks and threats experienced by Stock Brokers / Depository Participants and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs / vulnerabilities / threats that may be useful for other Stock Brokers / Depository Participants should be submitted to Stock Exchanges / Depositories.
3. In this regard, the following guidelines are being issued for submission of report / information and the timelines:
3.1. A format for submitting the reports is attached as Annexure.
3.2. For the quarter ended on September 30, 2019, quarterly reports shall be submitted by stock brokers / depository participants not later than November 30, 2019 as per the format specified.
3.3. Effective from quarter ending on December 31, 2019, the time period for submission of the report shall be 15 days after the end of the quarter.
3.4. The mode of submission of such reports by the stock brokers / depository participants may be prescribed by Stock Exchanges / Depositories.
4. With regard to periodic audit as specified in paragraph 58 of Annexure 1 of the SEBI circular dated December 03, 2018, it has been decided that auditors qualified in the following certifications can audit the systems of depository participants and stock brokers to check the compliance of Cyber Security and Cyber Resilience provisions:
CERT-IN empanelled auditor, an independent DISA (ICAI) Qualification, CISA (Certified Information System Auditor) from ISACA, CISM (Certified Information Securities Manager) from ISACA, CISSP (Certified Information Systems Security Professional) from International Information Systems Security Certification Consortium (commonly known as (ISC)²).
5. The periodicity of audit for the purpose of compliance with Cyber Security and Cyber Resilience provisions for depository participants shall be annual. The periodicity of audit for compliance with the Cyber Security and Cyber Resilience provisions for stock brokers, irrespective of number of terminals and location presence, shall be as under:
|Type of stock broker as specified in SEBI circular CIR/MRD/DMS/34/2013 dated November 06, 2013||Periodicity|
Paragraph 58 of Annexure 1 of the SEBI circular dated December 03, 2018 stands modified accordingly.
6. Stock Exchanges and Depositories shall
a) make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction;
b) bring the provisions of this circular to the notice of their members and depository participants respectively and also disseminate the same on their websites; and
c) communicate to SEBI, the status of implementation of the provisions of this circular in their Monthly Report.
7. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 and Section 19 of the Depositories Act to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
D Rajesh Kumar
Market Intermediaries Regulation and Supervision Department