Amid Govt’s Growing Concerns, SEBI Tweaks Cyber Security Framework For KYC Registration Firms

SUMMARY

KRAs are now mandated to conduct a comprehensive cyber audit at least twice every financial year

SEBI has asked the KRAs to carry out periodic vulnerability assessment and penetration tests (VAPT), ranging from once to twice every financial year

All KRAs are directed to communicate the status of the implementation of the provisions related to the latest circular to SEBI within 10 days from the date of its issue

The Securities and Exchange Board of India (SEBI) has modified the cyber security and cyber resilience framework of the KYC Registration Agencies (KRAs).

In a statement issued on Monday (May 30), SEBI said that the KRAs are now mandated to conduct a comprehensive cyber audit at least twice every financial year. 

Besides, the KRAs would now have to periodically submit a declaration from the managing director/chief executive officer certifying their compliance with all the SEBI circulars and advisories related to cyber security.

The KRAs are SEBI-registered agencies for centrally maintaining KYC records in the securities market. These agencies are largely responsible for storing, safeguarding and retrieving the KYC documents of the investors that the SEBI intermediaries submit.

In the latest modification of the cyber security and cyber resilience framework for the KRAs, SEBI has also asked the agencies to maintain an up-to-date inventory of their hardware and systems, software and information assets, details of their network resources, connections to their network and data flows.

SEBI has asked the KRAs to carry out periodic vulnerability assessment and penetration tests (VAPT) covering the ‘critical assets’ and infrastructure components such as servers, networking systems, security devices, load balancers, and other IT systems pertaining to their activities.

This step is taken in order to detect security vulnerabilities in the IT environment and for in-depth evaluation of the security posture of the system through simulations of actual attacks on the systems and networks.

The Plan Of Action

In general, KRAs would conduct this periodic VAPT at least once in a financial year. However, KRAs whose systems have been identified as a ‘protected system’ by the National Critical Information Infrastructure Protection Centre (NCIIPC) under the Information Technology (IT) Act, 2000, would conduct the VAPT at least twice in a financial year.

If any gaps or vulnerabilities are detected in the test, they would be remedied immediately. Besides, as per SEBI’s latest framework, compliance for closure of the VAPT findings would be submitted to SEBI within three months of the submission of the final VAPT report.

In the new framework, there are also tweaks around the identification and classification of ‘critical assets’.

“The critical assets shall include business critical systems, internet facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc,” said the SEBI statement.

Even the ancillary systems used for accessing/communicating with the critical systems for both operations and maintenance would now be classified as critical systems. 

“All KRAs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 10 days from the date of this circular,” read the statement further.

The recent tweaks by SEBI come at a time when the Indian government has heightened its focus on the internet and cyber security space.

Recently, the government also passed new cyber security directions mandating all public VPN service providers, along with a few other bodies, to collect and hold user data for five years or more.

Meanwhile, the Indian Computer Emergency Response Team (CERT-In) reported over 2.12 Lakh cybersecurity incidents this year, till February.

On the other hand, the total number of reported cyber security-related incidents in the last year stood at more than 14.02 Lakhs.
