Recently, the Securities and Exchange Board of India (SEBI) released a circular modifying the cyber security and cyber resilience framework applicable to all registered Know Your Customer (KYC) Registration Agencies (KRAs). The modified framework mandates that KRAs conduct a comprehensive cyber audit at least twice in a financial year. Along with the cyber audit report, KRAs must also submit a statement signed by the Managing Director (MD) and Chief Executive Officer (CEO) certifying that the KRA has complied with all the guidelines and notices that SEBI has issued from time to time.
The circular, titled “Modification in Cyber Security and Cyber Resilience framework of Know Your Customer (KYC) Registration Agencies (KRAs)”, applies only to KYC Registration Agencies.
On 30th May 2022, SEBI issued the circular titled “Modification in Cyber Security and Cyber Resilience framework of Know Your Customer (KYC) Registration Agencies (KRAs)”, laying down a revised cyber security framework for KRAs. Under the revised framework, SEBI has laid down the following guidelines:
Identification and Classification of Critical Assets
KRAs are required to identify and classify critical assets based on their sensitivity and on the criticality of the services, business operations and data management they support. Critical assets include business-critical systems, systems containing sensitive data, internet-facing applications and systems, sensitive financial data, sensitive personal data and Personally Identifiable Information (PII). All ancillary systems used for communicating with or accessing the critical systems, whether for maintenance or operations, are also classified as critical systems. The list of critical systems must be approved by the Board of the KRA.
For this purpose, KRAs must maintain an up-to-date inventory of their software and information assets (internal and external), hardware and systems, connections to their networks, network resources and data flows.
KRAs to Carry Out Periodic VAPT
The circular mandates that KRAs carry out periodic vulnerability assessment and penetration tests (VAPT) covering the critical assets as well as other infrastructure components, such as security devices, servers, networking systems, load balancers and other IT systems that relate to the activities carried out by the KRA. These periodic assessments are meant to detect security vulnerabilities in the IT environment and to evaluate the security posture of the systems in depth by simulating actual attacks on the KRA's systems and networks.
The framework requires KRAs to conduct VAPT at least once in a financial year. However, KRAs whose systems have been identified as a “protected system” by NCIIPC under the Information Technology (IT) Act, 2000 must carry out VAPT at least twice in a financial year. The framework also makes it mandatory for all KRAs to engage only CERT-In empanelled organisations for conducting VAPT.
Once the Technology Committee of the respective KRA has given its final approval, the results of the VAPT must be submitted to SEBI within one month from the date of completion of the VAPT activity.
Remedial Action on the Vulnerabilities Detected
The gaps or vulnerabilities identified during the VAPT must be remedied immediately, and confirmation that the findings have been closed must be submitted to SEBI within three months of the submission of the final VAPT report.
Perform Vulnerability Scanning and Penetration Testing
The framework also makes it mandatory for KRAs to perform vulnerability scanning and penetration testing before commissioning any new system that is a critical system or forms part of an existing critical system.
Conduct Comprehensive Cyber Security Audit
The revised framework also makes it mandatory for KRAs to conduct a comprehensive cyber audit at least twice in a financial year. A declaration shall also be submitted to the Managing Director or Chief Executive Officer certifying the KRA's compliance with all SEBI circulars and advisories on cyber security issued from time to time. The cyber audit report shall be attached to this declaration.
All KRAs have been directed to communicate their implementation of the provisions of this circular within ten days from the date the circular comes into force.
The framework released by SEBI comes into effect from 30th May 2022 and applies to all existing SEBI-registered KRAs.