SEBI modifies cyber security framework for Stock Brokers/ Depository Participants

Prabhat Nigam

11 Jun, 2022

On 7^th June 2022, vide circular number SEBI/HO/MIRSD/TPD/P/CIR/2022/80, a Circular was issued by the Securities and Exchange Board of India (SEBI) wherein SEBI modified the cyber resilience and cyber security framework for Stock Brokers/ Depository Participants. SEBI has mandated these entities to conduct a cyber security audit at least once in a financial year. Along with the audit report, the stock brokers and depository participants have also been mandated to submit to stock exchanges and depositories respectively a declaration from their MD and CEO certifying compliance by them with all the SEBI guidelines and advisories related to cyber security issued by SEBI from time to time. 

Who are the players to whom the circular on modified cyber security framework for Stock brokers and depository participants is applicable?

The Circular titled “Modification in Cyber resilience and Cyber Security framework for Stock Brokers / Depository Participants” is applicable to the following entities:

1. All the Depositories
2. All the Recognised Stock Exchanges

Highlights of the Circular on modified cyber security framework for Stock brokers and depository participants

Identification of critical assets

The stock brokers^[1] and depository participants need to identify and classify critical assets based on the sensitivity and criticality of the services, business operations and data management. Other critical assets include business critical systems, internet facing applications, systems containing sensitive data, sensitive financial data, sensitive personal data, personally identifiable information etc.

All the other auxiliary systems that connect to or communicate with the critical systems, be it operations or maintenance, are all considered critical assets.

Responsibilities of the Board of Stock Brokers/ Depository Participants

It is the responsibility of the board of the stock brokers/ depository participants to approve the list of critical assets.

The stock brokers and depository participants are supposed to prepare an up-to-date inventory of its hardware and systems, details of its network issues, software and information assets, connections to its network and data flow for this purpose.

Conducting VAPT

The stock brokers and depository participants also need to conduct a Vulnerability Assessment and Penetration Tests (VAPT) which include critical assets and infrastructure components with a view to detect security vulnerabilities in the IT environment and an in-depth assessment of the security infrastructure of the systems through simulations of real attacks on the systems and networks.

All the stock brokers and depository participants are supposed to carry out VAPT at least once in a financial year. Here, they can only engage CERT-In empanelled organizations to conduct VAPT.

Within a month of the conclusion of the VAPT, a report has to be submitted to SEBI after approval of the technology committee of the respective stock brokers and depository participants.

The gaps and vulnerabilities identified as a result of VAPT are supposed to be remedied on an immediate basis, and compliance of closure of findings identified during the VAPT have to be submitted to the Stock Exchanges/ Depositories within a period of three months after the submission of final VAPT report.

Stock brokers/ depositories to conduct cyber audit once in a financial year

SEBI has mandates that all the stock brokers and depository participants are supposed to conduct a comprehensive cyber security audit at least once in a financial year, and the audit report so generated shall be submitted to the Stock Exchanges and Depositories, respectively.

Apart from the audit report, the all the stock brokers and depository participants are also supposed to submit to the Stock Exchanges and Depositories a declaration from the MD/ CEO/ Proprietors/ Partners certifying compliance with all the SEBI Circulars and advisories related to cyber security from time to time.

Both the stock brokers and depository participants are also supposed to take necessary steps to put in place systems for the implementation of the particulars of this Circular.

Communication of status of implementation

All the stock brokers and depository participants are also required to communicate the status of implementation of the particulars of this Circular to the Stock Exchanges and Depositories respectively within a period of 10 days from the date of this circular.

This means the communication of the status of implementation of the provisions of this Circular has to be made till 17^th June 2022 to the Stock Exchanges and Depositories.

Further steps to be taken by Stock Exchanges and Depositories   

All the stock exchanges and depositories need to take the following steps:

1. Necessary amendments have to be made to the bye-laws, rules and regulations for implementing the above criteria; and
2. The provisions of this Circular need to be brought to the notice of their members and participants and also disseminate the particulars of this Circular through their websites.

Date of coming into effect

The mandate of this Circular shall come into effect immediately i.e. from 7^th June 2022 itself and all the stock brokers and depository participants need to comply with modified cyber security framework with immediate effect.   

Conclusion

This Circular on extension modification in the cyber security framework for Stock Brokers and Depository Participants has been issued after exercising the powers conferred on the SEBI under section 11(1) of the SEBI Act, 1992 with a view to protect the interests of the investors in the securities and also to promote the development and regulate the securities market.  

Read our Article: Stock Broker License Registration