SEBI modifies cyber resilience framework for Stock Brokers/ Depository Participants

Prabhat Nigam

07 Jul, 2022

On 30^th June 2022, vide circular number SEBI/HO/MIRSD/TPD/P/CIR/2022/93, a Circular was issued by the Securities and Exchange Board of India (SEBI) wherein SEBI modified the cyber security and cyber resilience framework for Stock Brokers and Depository Participants. SEBI has mandated these entities to report incidents of data breaches, cyber-attacks and the like event to the Stock Exchanges/ Depositories Participants within a period of 6 hours from noticing/ detecting such event or being brought to the notice about such an incident. All the recognised stock exchanges and Depositories have been asked under this Circular to take corrective steps and mitigative strategies to prevent such events from taking place in future. 

Who are the players to whom the circular on modified cyber resilience framework for Stock brokers and depository participants is applicable?

The Circular on Modification in Cyber security and Cyber resilience framework for Stock Brokers / Depository Participants” is applicable to the following entities:

1. All the Recognised Stock Exchanges
2. All the Depositories

Highlights of the Circular on modified cyber resilience framework for Stock brokers and depository participants   

Reporting of data breach incidents in 6 hours

The stock brokers and depository participants have been mandated by this Circular to report the incidents of data breach, cyber attacks and cyber threats directed toward the stock brokers and depository participants and SEBI within a period of 6 hours from noticing or detecting the above-mentioned incidents or when such incidents have brought within their notice.

Reporting of Incidents to CERT-In 

Apart from reporting the above-mentioned incidents of data breach and cyber-attacks to Stock exchanges, depositories and SEBI, the stock brokers and depository participants have been instructed to report such incidents to Computer Emergency Response Team (CERT-In) in accordance with the directions/ guidelines issued by the CERT-In^[1] from time to time.

Reporting to NCIIPC   

Further, the depository participants or stock brokers whose systems have been identified as “Protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC) are also bound to report such incidents to NCIIPC.

Submission of Quarterly Reports

The stock brokers and depository participants have been directed to submit quarterly reports containing information on cyber-attacks, cyber incidents, and cyber threats, along with the appropriate measures adopted by the stock brokers and depository participants to mitigate the vulnerabilities, attacks and threats, including information on vulnerabilities, threats and bugs which can be become useful for other Depository participants, stock brokers, stock exchanges, depositories and SEBI.

Such reports shall be submitted to the stock exchanges and depositories within a period of 15 days from the quarter ended June, September, December and March every year.

Dedicated e-mail address

All the above-mentioned information shall be shared with SEBI through a dedicated e-mail address: sbdp-cyberincidents@sebi.gov.in. 

Further steps to be taken by Depositories and Stock Exchanges   

All the depositories and stock exchanges need to take the following steps:

1. Necessary amendments have to be made to the bye-laws, rules and regulations for implementing the above criteria; and
2. The directions of this Circular need to be brought to the notice of their members and participants and also disseminated particulars of this Circular through their websites.

Date of coming into effect

The directions in this Circular shall come into effect immediately, i.e. from 30th June 2022 only, and all the stock brokers and depository participants need to comply with the modified cyber resilience framework with immediate effect.   

Conclusion

This Circular on modification in the cyber resilience framework for Stock Brokers or Depository Participants have been brought after exercising the powers conferred on the SEBI under sub-section 1 of section 11 of the SEBI Act, 1992 with an intent to protect the interests of the investors in the securities market and also to promote the development and regulate the securities market. 

Read our Article: SEBI modifies cyber security framework for Stock Brokers/ Depository Participants