Sebi tweaks cyber security, cyber resilience framework of KYC registration agencies
The Securities and Exchange Board of India (Sebi) on Monday said that it changed the cyber security and the cyber resilience framework of KYC Registration Agencies (KRAs), PTI reported. The capital markets regulator also mandated them to conduct a comprehensive cyber audit at least twice in a financial year.
According to a circular, all KRAs must submit a statement from the MD and CEO certifying compliance with all of Sebi's cyber security-related recommendations and notices issued periodically, along with the cyber audit report, said PTI.
KRAs are required to identify and classify key assets based on their sensitivity and criticality to company operations, services, and data management under the updated framework.
According to PTI, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets. All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.
The list of critical systems will also need to be approved by the KRA's board.
"To this end, KRA must maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows," Sebi said.
KRAs must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that cover all infrastructure components and critical assets, such as servers, network systems, security devices, and other IT systems, PTI reported, citing Sebi. The purpose is to detect security vulnerabilities in the IT environment and to evaluate the security posture of the systems in depth through simulations of real attacks on their systems and networks.
KRAs must conduct VAPT at least once in a financial year, according to the regulation.
However, VAPT must be done at least twice in a fiscal year for KRAs whose systems have been recognised as a "protected system" by the National Critical Information Infrastructure Protection Center (NCIIPC), according to Sebi.
Furthermore, all KRAs are required to engage only CERT-In integrated organisations to conduct VAPT, said PTI.
Within a month from the end of the VAPT activity, the final report on the VAPT must be submitted to Sebi with the permission of the technology standing committee of the appropriate KRA.
"Any gaps/vulnerabilities detected must be remedied immediately and the closure compliance of the findings identified during VAPT will be sent to Sebi within 3 months after VAPT's final report is submitted to Sebi," the regulator said.
KRAs must also perform vulnerability scans and penetration tests prior to the roll-out of a new system that is a critical system or part of an existing critical system, PTI said.
The new framework will take effect immediately, according to Sebi, and all KRAs must inform the regulator within 10 days of their progress in implementing the circular.