On 7th June 2022, vide circular number SEBI/HO/MIRSD/TPD/P/CIR/2022/80, a Circular was issued by the Securities and Exchange Board of India (SEBI) wherein SEBI modified the cyber resilience and cyber security framework for Stock Brokers/ Depository Participants. SEBI has mandated these entities to conduct a cyber security audit at least once in a financial year. Along with the audit report, the stock brokers and depository participants have also been mandated to submit to stock exchanges and depositories respectively a declaration from their MD and CEO certifying compliance by them with all the SEBI guidelines and advisories related to cyber security issued by SEBI from time to time.
Who are the players to whom the circular on modified cyber security framework for Stock brokers and depository participants is applicable?
The Circular titled “Modification in Cyber resilience and Cyber Security framework for Stock Brokers / Depository Participants” is applicable to the following entities:
Highlights of the Circular on modified cyber security framework for Stock brokers and depository participants
Identification of critical assets
The stock brokers and depository participants need to identify and classify critical assets based on the sensitivity and criticality of the services, business operations and data management. Other critical assets include business critical systems, internet facing applications, systems containing sensitive data, sensitive financial data, sensitive personal data, personally identifiable information etc.
Auxiliary systems that connect to or communicate with the critical systems, whether for operations or maintenance, are also considered critical assets.
Responsibilities of the Board of Stock Brokers/ Depository Participants
It is the responsibility of the board of the stock brokers/ depository participants to approve the list of critical assets.
The stock brokers and depository participants are supposed to prepare an up-to-date inventory of their hardware and systems, details of their network issues, software and information assets, connections to their network and data flow for this purpose.
The stock brokers and depository participants also need to conduct Vulnerability Assessment and Penetration Tests (VAPT) covering critical assets and infrastructure components, with a view to detecting security vulnerabilities in the IT environment and obtaining an in-depth assessment of the security infrastructure of the systems through simulations of real attacks on the systems and networks.
All the stock brokers and depository participants are supposed to carry out VAPT at least once in a financial year. Here, they can only engage CERT-In empanelled organizations to conduct VAPT.
Within a month of the conclusion of the VAPT, a report has to be submitted to SEBI after approval of the technology committee of the respective stock brokers and depository participants.
The gaps and vulnerabilities identified as a result of VAPT are supposed to be remedied on an immediate basis, and compliance of closure of findings identified during the VAPT has to be submitted to the Stock Exchanges/ Depositories within a period of three months after the submission of the final VAPT report.
Stock brokers/ depositories to conduct cyber audit once in a financial year
SEBI has mandated that all the stock brokers and depository participants conduct a comprehensive cyber security audit at least once in a financial year, and the audit report so generated shall be submitted to the Stock Exchanges and Depositories, respectively.
Apart from the audit report, all the stock brokers and depository participants are also supposed to submit to the Stock Exchanges and Depositories a declaration from the MD/ CEO/ Proprietors/ Partners certifying compliance with all the SEBI Circulars and advisories related to cyber security issued from time to time.
Both the stock brokers and depository participants are also supposed to take necessary steps to put in place systems for the implementation of the particulars of this Circular.
Communication of status of implementation
All the stock brokers and depository participants are also required to communicate the status of implementation of the particulars of this Circular to the Stock Exchanges and Depositories respectively within a period of 10 days from the date of this circular.
This means the status of implementation of the provisions of this Circular has to be communicated to the Stock Exchanges and Depositories by 17th June 2022.
Further steps to be taken by Stock Exchanges and Depositories
All the stock exchanges and depositories need to take the following steps:
Date of coming into effect
The mandate of this Circular shall come into effect immediately i.e. from 7th June 2022 itself and all the stock brokers and depository participants need to comply with modified cyber security framework with immediate effect.
This Circular on modification in the cyber security framework for Stock Brokers and Depository Participants has been issued in exercise of the powers conferred on SEBI under section 11(1) of the SEBI Act, 1992, with a view to protecting the interests of investors in securities and to promoting the development of, and regulating, the securities market.