The Securities and Exchange Board of India (SEBI) has released an updated framework concerning Cyber Security and Cyber Resilience for stock exchanges, clearing corporations, and depositories.
Background: SEBI previously laid down guidelines on Cyber Security and Cyber Resilience for these entities through its circulars dated July 06, 2015, and May 20, 2022. The current circular modifies that framework.
1. Cyber Audits: Market Infrastructure Institutions (MIIs) are now obligated to carry out comprehensive cyber audits a minimum of two times in a fiscal year. In addition to these audit reports, MIIs must also submit a declaration from their Managing Director (MD) or Chief Executive Officer (CEO) certifying that measures and processes, including incentive/disincentive structures, are in place to identify and close vulnerabilities in the organization's IT systems; that adequate resources have been hired to staff the Security Operations Center (SOC); and that the MII complies with all SEBI circulars and advisories related to cyber security.
2. Collaboration with National Authorities: MIIs whose systems have been identified as Critical Information Infrastructure (CII) by the National Critical Information Infrastructure Protection Centre (NCIIPC) are now required to send NCIIPC regular updates on the status or closure of vulnerabilities found in their “protected systems.”
3. Implementation Measures: MIIs are expected to implement the measures outlined in the circular, making necessary changes to their bye-laws, rules, or regulations as needed.
4. Reporting: MIIs must inform SEBI of the status of implementation within 30 days of the issuance of this circular.
5. Immediate Effect: The stipulations of the circular are to be effective immediately.
Implications: These guidelines have been set in motion by the powers vested under Section 11 (1) of the SEBI Act, 1992, in conjunction with other relevant regulations. The primary objective of these revisions is to safeguard investor interests and maintain the integrity of the securities market by enhancing cyber resilience.
Conclusion: In the face of increasing cyber threats, SEBI’s decision to bolster cyber security norms for stock exchanges, clearing corporations, and depositories is both timely and crucial. Such measures underscore the importance of fortifying cyber infrastructure to shield both market participants and investors from potential risks.
Securities and Exchange Board of India
Circular No. SEBI/HO/MRD/TPD/P/CIR/2023/147 Dated: August 24, 2023
All Stock Exchanges
All Clearing Corporations
Subject: Modification in Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories
1. SEBI vide circular nos. SEBI/CIR/MRD/DP/13/2015 dated July 06, 2015 and SEBI/HO/MRD1/MRD1_DTCS/P/CIR/2022/68 dated May 20, 2022 prescribed framework for Cyber Security and Cyber Resilience for stock exchanges, clearing corporations and depositories.
2. In this regard, clause 3 of SEBI circular dated May 20, 2022, shall now be read as under:
3. MIIs are mandated to conduct comprehensive cyber audit at least 2 times in a financial year. Along with cyber audit reports, henceforth, MIIs are directed to submit a declaration from the MD/CEO certifying that:
i. Comprehensive measures and processes including suitable incentive/disincentive structures, have been put in place for identification/detection and closure of vulnerabilities in the organization’s IT systems.
ii. Adequate resources have been hired for staffing their Security Operations Center (SOC).
iii. There is compliance by the MII with all SEBI circulars and advisories related to cyber security.
3. Further, MIIs, whose systems have been identified as Critical Information Infrastructure (CII) by National Critical Information Infrastructure Protection Centre (NCIIPC), are mandated to send regular updates/closure status of the vulnerabilities found in their respective “protected systems” to NCIIPC.
4. MIIs are required to take necessary steps to put in place systems for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any.
5. MIIs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 30 days from the date of this Circular.
6. The provisions of the Circular shall come into force with immediate effect.
7. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 read with Regulation 51 of Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018 and Section 19 of the Depositories Act, 1996 read with Regulation 97 of Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
8. The circular is issued with the approval of the competent authority.
9. This circular is available on SEBI website at www.sebi.gov.in under the categories “Legal Framework” and “Circulars”.
Ansuman Dev Pradhan
Deputy General Manager