Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms

Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms

SUMMARY

KRAs are now mandated to conduct a comprehensive cyber audit at least twice every financial year

SEBI has asked the KRAs to carry out periodic vulnerability assessment and penetration tests (VAPT), ranging from once to twice every financial year

All KRAs are directed to communicate the status of the implementation of the provisions related to the latest circular to SEBI within 10 days from the date of its issue

The Securities and Exchange Board of India (SEBI) has modified the cyber security and cyber resilience framework of the KYC Registration Agencies (KRAs).

In a statement issued on Monday (May 30), SEBI said that the KRAs are now mandated to conduct a comprehensive cyber audit at least twice every financial year. 

Besides, the KRAs would now have to submit a declaration from the managing director/ the chief executive officer, periodically, certifying their compliance with all the SEBI circulars and advisories related to cyber security.

The KRAs are SEBI-registered agencies for centrally maintaining KYC records in the securities market. These agencies are largely responsible for storing, safeguarding and retrieving the KYC documents of the investors that the SEBI intermediaries submit.

In the latest modification of the cyber security and cyber resilience framework for the KRAs, SEBI has also asked the agencies to maintain an up-to-date inventory of their hardware and systems, software and information assets, details of its network resources, connections to its network and data flows.

SEBI has asked the KRAs to carry out periodic vulnerability assessment and penetration tests (VAPT) which includes the ‘critical assets’ and infrastructure components like servers, networking systems, security devices, load balancers, and other IT systems pertaining to the activities done. 

This step is taken in order to detect security vulnerabilities in the IT environment and for in-depth evaluation of the security posture of the system through simulations of actual attacks on the systems and networks.

The Plan Of Action

Largely, KRAs would conduct this periodic VAPT at least once in a financial year. However, the KRAs, whose systems have been identified as a ‘protected system’ by the National Critical Information Infrastructure Protection Centre (NCIIPC) under the Information Technology (IT) Act, 2000, would conduct the VAPT at least twice in a financial year.

If any gaps or vulnerabilities are detected in the test, they would be immediately remedied. Besides, as per the SEBI’s latest framework, the compliance for closure of the findings from VAPT would be submitted to SEBI within three months post the submission of the final VAPT report.

In the new framework, there are also tweaks around the identification and classification of ‘critical assets’.

“The critical assets shall include business critical systems, internet facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc,” said the SEBI statement.

Even the ancillary systems used for accessing/communicating with the critical systems for both operations and maintenance would now be classified as critical systems. 

“All KRAs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 10 days from the date of this circular,” read the statement further.

The recent tweaks by SEBI come at a time when there is an augmented focus of the Indian government on the internet and cyber security space. 

Recently, the government also passed new cyber security directions mandating all public VPN service providers, along with a few other bodies, to collect and hold user data for five years or more.

Meanwhile, the Indian Computer Emergency Response Team (CERT-In) reported over 2.12 Lakh cybersecurity incidents this year, till February.

On the other hand, the total number of reported cyber security-related incidents in the last year stood at more than 14.02 Lakhs.

Step up your startup journey with BHASKAR! From resources to networking, BHASKAR connects Indian innovators with everything they need to succeed. Join today to access a platform built for innovation, growth, and community.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.

You have reached your limit of free stories
Become An Inc42 Plus Member

Become a Startup Insider in 2024 with Inc42 Plus. Join our exclusive community of 10,000+ founders, investors & operators and stay ahead in India’s startup & business economy.

2 YEAR PLAN
₹19999
₹7999
₹333/Month
UNLOCK 60% OFF
Cancel Anytime
1 YEAR PLAN
₹9999
₹4999
₹416/Month
UNLOCK 50% OFF
Cancel Anytime
Already A Member?
Discover Startups & Business Models

Unleash your potential by exploring unlimited articles, trackers, and playbooks. Identify the hottest startup deals, supercharge your innovation projects, and stay updated with expert curation.

Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms-Inc42 Media
How-To’s on Starting & Scaling Up

Empower yourself with comprehensive playbooks, expert analysis, and invaluable insights. Learn to validate ideas, acquire customers, secure funding, and navigate the journey to startup success.

Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms-Inc42 Media
Identify Trends & New Markets

Access 75+ in-depth reports on frontier industries. Gain exclusive market intelligence, understand market landscapes, and decode emerging trends to make informed decisions.

Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms-Inc42 Media
Track & Decode the Investment Landscape

Stay ahead with startup and funding trackers. Analyse investment strategies, profile successful investors, and keep track of upcoming funds, accelerators, and more.

Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms-Inc42 Media
Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms-Inc42 Media
You’re in Good company