Sebi: Sebi tweaks cyber security, cyber resilience framework of KYC registration agencies
Along with the cyber audit report, all KRAs have been instructed to submit a statement from the CEO and CEO certifying compliance with all Sebi cybersecurity guidelines and advisories issued from time to time, according to a circular.
Under the revised framework, KRAs should identify and classify critical assets based on their sensitivity and criticality for business operations, services, and data management.
Critical assets should include enterprise-critical systems, Internet-oriented applications / systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, personally identifiable information, and more. All auxiliary systems used to access or communicate with critical systems, whether for operations or maintenance, must also be classified as critical systems.
In addition, the KRA board will have to approve the list of critical systems.
“To do this, KRAs must maintain an up-to-date inventory of their hardware and systems, software and information assets (internal and external), details of their network resources, connections to their network and data flows,” Sebi said.
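The classification rules above have a transitive part that is easy to get wrong by hand: once a system is critical, every auxiliary system that accesses or communicates with it becomes critical too, and then everything that accesses those. The script below, an added example that is not Sebi's or any KRA's code, runs those rules over a small constructed inventory of assets and data-flow edges (all names are made up) and returns, for each asset, the reasons it was marked critical, which is the kind of list a board would be asked to approve.

```python
"""
Critical-asset classification over an asset inventory (added illustration,
not code from Sebi or any KRA). Two rules are applied:
  1. An asset is critical if it is enterprise-critical, internet-facing, or
     holds sensitive / personal / financial data or PII.
  2. Any system that accesses or communicates with a critical system (for
     operations or maintenance) is critical as well, transitively.
Every asset and flow here is constructed for the example.
"""
from dataclasses import dataclass, field

# Data classes that make an asset critical on their own (rule 1).
SENSITIVE_TAGS = {"sensitive_data", "sensitive_personal_data",
                  "sensitive_financial_data", "pii"}


@dataclass
class Asset:
    name: str
    enterprise_critical: bool = False
    internet_facing: bool = False
    data_tags: set = field(default_factory=set)


def direct_reasons(asset):
    """Reasons an asset is critical without looking at data flows."""
    reasons = []
    if asset.enterprise_critical:
        reasons.append("enterprise-critical")
    if asset.internet_facing:
        reasons.append("internet-facing")
    hits = sorted(asset.data_tags & SENSITIVE_TAGS)
    if hits:
        reasons.append("holds " + ", ".join(hits))
    return reasons


def classify(assets, flows):
    """
    assets: dict name -> Asset (the inventory).
    flows:  list of (source, target); source accesses / talks to target.
    Returns dict name -> list of reasons; an empty list means non-critical.
    A flow naming an asset missing from the inventory is an inventory gap
    and is reported as an error rather than silently ignored.
    """
    reasons = {name: direct_reasons(a) for name, a in assets.items()}
    talks_to = {}  # target -> set of sources that access it
    for src, dst in flows:
        if src not in reasons or dst not in reasons:
            raise ValueError(f"flow {src}->{dst} references an asset not in the inventory")
        talks_to.setdefault(dst, set()).add(src)

    # Rule 2: propagate criticality backwards along access edges (BFS).
    queue = [name for name, r in reasons.items() if r]
    seen = set(queue)
    while queue:
        crit = queue.pop()
        for src in talks_to.get(crit, ()):
            reasons[src].append(f"accesses critical system {crit}")
            if src not in seen:
                seen.add(src)
                queue.append(src)
    return reasons


def critical_assets(reasons):
    """Sorted names of everything classified critical."""
    return sorted(name for name, r in reasons.items() if r)


def sample_inventory():
    """Constructed inventory: a KYC database, a public portal, an app tier,
    a maintenance jump host, a monitoring box and an unrelated wiki."""
    assets = {
        "kyc_db": Asset("kyc_db", data_tags={"pii", "sensitive_financial_data"}),
        "client_portal": Asset("client_portal", internet_facing=True),
        "app_server": Asset("app_server"),
        "jump_host": Asset("jump_host"),
        "monitoring": Asset("monitoring"),
        "hr_wiki": Asset("hr_wiki"),
    }
    flows = [
        ("client_portal", "app_server"),  # portal calls the app tier
        ("app_server", "kyc_db"),         # app tier reads the KYC database
        ("jump_host", "app_server"),      # admins maintain the app tier from here
        ("monitoring", "jump_host"),      # monitoring agent polls the jump host
    ]
    return assets, flows


if __name__ == "__main__":
    inventory, data_flows = sample_inventory()
    result = classify(inventory, data_flows)
    for name in sorted(result):
        status = "CRITICAL" if result[name] else "non-critical"
        print(f"{name:14} {status:12} {'; '.join(result[name])}")
```

Note that `monitoring` ends up critical only because it reaches `jump_host`, which reaches `app_server`, which reads `kyc_db`; that chain is exactly why the circular insists on an inventory of connections and data flows and not just of hosts.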
According to Sebi, KRAs should conduct periodic vulnerability assessments and penetration tests (VAPTs) covering all critical infrastructure components and assets, such as servers, network systems, security devices and other IT systems, to detect security vulnerabilities in the IT environment and to carry out an in-depth assessment of the systems' security posture by simulating real-world attacks on their systems and networks.
In addition, the regulator said KRAs should perform VAPT at least once in a financial year.
However, for KRAs whose systems have been identified as a “protected system” by the National Critical Information Infrastructure Protection Centre (NCIIPC), Sebi said, VAPT should be performed at least twice in a financial year.
In addition, all KRAs are required to engage only CERT-In empanelled organisations to conduct the VAPT.
The final report on the VAPT must be submitted to Sebi after approval by the Standing Technology Committee of the respective KRA, within one month of the completion of the VAPT activity.
“Any gaps / vulnerabilities detected must be fixed immediately and compliance with the closure of the findings identified during the VAPT will be sent to Sebi within 3 months after the final VAPT report has been sent to Sebi,” the regulator said.
In addition, KRAs must also conduct vulnerability scans and penetration testing prior to launching a new system that is a critical system or part of an existing critical system.
The new framework will take effect immediately, Sebi said, adding that all KRAs must report the status of implementation of the circular to the regulator within 10 days.