On June 07, 2022, the Securities Exchange Board of India (SEBI) on June 07, 2022 has issued a circular on modification in Cyber Security and Cyber resilience framework for Stock Brokers / Depository Participants by making amendment in Circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018
Key amendments:
-
Stock Brokers / Depository Participants are mandated to conduct comprehensive cyber audit at least once in a financial year. All Stock Brokers / Depository Participants shall submit with Stock Exchange/Depository a declaration from the MD/ CEO / Partners/ Proprietors certifying compliance by the Stock Brokers / Depository Participants with all SEBI Circulars and advisories related to Cyber security from time to time, a long with the Cyber audit report.
-
Stock Brokers / Depository Participants shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications /systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc.
-
Stock Brokers / Depository Participants shall maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.
-
Stock Brokers / Depository Participants shall carry out periodic Vulnerability Assessment and Penetration Tests (VAPT) which inter-alia include critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as Stock Brokers / Depository Participants etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.
-
Stock Brokers / Depository Participants shall conduct VAPT at least once in a financial year.