May 20, 2022
To
All Stock Exchanges,
All Clearing Corporations,
All Depositories
Dear Sir / Madam,
1. SEBI vide circular no. SEBI/CIR/MRD/DP/13/2015 dated July 06, 2015 prescribed framework for Cyber Security and Cyber Resilience for stock exchanges, clearing corporations and depositories.
- 2. In partial modification to Annexure A of SEBI circular dated July 06, 2015, the paragraph-11, 40, 41 and 42 shall be read as under :
- 1.1 MII should identify and classify/designate critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets should include business critical systems, internet facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance should also be classified as critical system. The Board of the MII shall approve the list of critical systems.
- To this end, MII should maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.
- 40. MIIs should carry out periodic vulnerability assessment and penetration testing (VAPT) which inter-alia includes all critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as a role of MII etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.
- MIIs should conduct VAPT at least once in a financial year. However, for the MIIs, whose systems have been identified as “protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC), VAPT shall be conducted at least twice in a financial year. Further, all MIIs are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on said VAPT should be submitted to SEBI after approval from Standing Committee on Technology (SCOT) of respective MIIs, within 1 month of completion of VAPT activity.
- 4.1 Any gaps/vulnerabilities detected have to be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 months post the submission of final VAPT report to SEBI.
- 4.2 In addition, MIIs should also perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.
3. Further, the MIIs are mandated to conduct comprehensive cyber audit at least 2 times in a financial year. Along with the Cyber audit reports, henceforth, all MIIs are directed to submit a declaration from the MD/ CEO certifying compliance by the MII with all SEBI Circulars and advisories related to Cyber security issued from time to time.
4. MIIs are required to take necessary steps to put in place systems for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any.
5. All MIIs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 10 days from the date of this Circular.
6. The provisions of the Circular shall come into force with immediate effect.
7. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
8. The circular is issued with the approval of the competent authority.
9. This circular is available on SEBI website at www.sebi.gov.in under the categories “Legal Framework” and “Circulars”.
Yours faithfully,
Ansuman Dev Pradhan
Deputy General Manager