MANU/SSMD/0036/2023
Ministry : Securities and Exchange Board of India
Department/Board : Market Regulation Department
Circular No. : SEBI/HO/MRD/TPD/P/CIR/2023/146
Date : 29.08.2023
Subject: Capital Market
Industry: Trading
To,
All Stock Exchanges,
All Clearing Corporations,
All Depositories
Guidelines for MIIs Regarding Cyber Security and Cyber Resilience
1. Market Infrastructure Institutions (i.e. Stock Exchanges, Clearing Corporations and Depositories) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market. As part of the operational risk management, these Market Infrastructure Institutions (MIIs) need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in the securities market. It is also important that MIIs establish and continuously improve their Information Technology (IT) processes and controls to preserve confidentiality, integrity and availability of data and IT systems.
2. With the change in market dynamics in the Indian Securities markets, the interdependence among the MIIs has seen significant increase. Considering the interconnectedness and interdependency of the MIIs to carry out their functions, the cyber risk of any given MII is no longer limited to the MII's owned or controlled systems, networks and assets.
3. In view of the above, based on the recommendations of the High Powered Steering Committee on Cyber Security of SEBI and in consultation with MIIs, it has been decided to issue guidelines for strengthening the existing cyber security and cyber resilience framework of MIIs. The said guidelines are placed at Annexure-A and MIIs are required to comply with the same.
4. These guidelines should be read in conjunction with the applicable SEBI circulars (including but not limited to that relating to Cybersecurity and Cyber Resilience framework, System and Network Audit framework, etc.) and subsequent updates issued by SEBI from time to time.
5. The compliance of the guidelines shall be provided by the MIIs along with their cybersecurity audit report (conducted as per the applicable SEBI Cybersecurity and Cyber Resilience framework). The compliance shall be submitted as per the existing reporting mechanism.
6. The provisions of the Circular shall come into force with immediate effect.
7. MIIs are required to take necessary steps to put in place systems for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any, within 120 days from the date of the circular.
8. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, read with Regulation 51 of the Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018 and Section 19 of the Depositories Act, 1996 read with Regulation 97 of Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
9. The circular is issued with the approval of Competent Authority.
10. This circular is available on SEBI website at www.sebi.gov.in under the category "Legal" and dropdown "Circulars".
Sd/-
Ansuman Dev Pradhan
Deputy General Manager