Securities and Exchange Board of India
December 14, 2018
All Stock Exchanges, Clearing Corporations and Depositories (except Commodities Derivatives Exchanges and their Clearing Corporations).
Dear Sir / Madam,
Cyber Security Operations Center for the SEBI registered intermediaries
1. Recognizing the need for a robust Cyber Security and Cyber Resilience framework at Market Infrastructure Institutions (MIIs), i.e. Stock Exchanges, Clearing Corporations and Depositories, SEBI vide Circular CIR/MRD/DP/13/2015 dated July 06, 2015, prescribed a detailed regulatory framework on cyber security and cyber resilience.
2. With the view to further strengthening cyber security in securities market the Cyber Security and Cyber Resilience framework has been extended to Stock Brokers/ Depository Participants vide circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018.
3. During the discussions held with the market participants, it was gathered that compliance with the cyber security guidelines may be onerous for smaller intermediaries because of the lack of knowledge in cyber security and also the cost factor involved in setting up own Security Operations Center (SOC). These intermediaries may utilize the services of Market SOC which is proposed to be set up by MIIs with the objective of providing cyber security solution to such intermediaries. The intermediaries’ membership in Market SOC is non mandatory.
4. The particulars of the Market SOC will be as follows:
4.1. The Market SOC shall be set up as a separate entity and MIIs shall have at least 51% stake in the new entity.
4.2. Intermediaries who don’t have capability to set up a SOC on their own can opt for the Market SOC.
4.3. The Market SOC should be in accordance to the circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 and should ensure that participating intermediaries are in compliance to the said circular, should they opt for the market SOC. Market SOC would provide only the technology perspective for the abovementioned cyber security guidelines and the people & process perspectives of cyber security as mandated by the aforementioned circular would still be have to be managed by the intermediaries.
4.4. The Market SOC should be evolving continuously in order to be able to manage new security controls and guidelines that may issue by SEBI from time to time.
4.5. The Market SOC to ensure that intermediaries participating in their SOC should adhere to the minimum IT guidelines and security protocols all the time.
4.6. MII will carry out audit of their Market SOC activity annually and submit the report to SEBI.
4.7. The Market SOC will issue an audit report as prescribed in the circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018, to the participating intermediary.
4.8. If an intermediary is subscribed to Market SOC, audit report submitted by intermediary through the Market SOC would be deemed compliant.
4.9. Approval for the Market SOC which is to be set up as a separate entity would be in terms of Regulation 38 of Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018.
5. MIIs are directed to take necessary steps to put in place appropriate systems and processes for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any, within six months from the date of the circular.
6. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 and Section 19 of the Depositories Act, 1996 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
Deputy General Manager
Cyber Security Cell
Market Regulation Department