
Modification in Cyber Security and Cyber Resilience Framework for Stock Brokers/Depository Participants - (Securities and Exchange Board of India) (07 Jun 2022)

MANU/SSMD/0025/2022

Capital Market

1. SEBI vide circular SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 prescribed framework for Cyber Security and Cyber Resilience for Stock Brokers/Depository Participants.

2. In partial modification to Annexure-1 of SEBI circular dated December 03, 2018, paragraphs 11, 41, 42 and 44 shall be read as under:

11. Stock Brokers/Depository Participants shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance shall also be classified as critical system. The Board/Partners/Proprietor of the Stock Brokers/Depository Participants shall approve the list of critical systems.

To this end, Stock Brokers/Depository Participants shall maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.

41. Stock Brokers/Depository Participants shall carry out periodic Vulnerability Assessment and Penetration Tests (VAPT) which inter-alia include critical assets and infrastructure components like Servers, Networking systems, Security devices, load balancers, other IT systems pertaining to the activities done as Stock Brokers/Depository Participants etc., in order to detect security vulnerabilities in the IT environment and in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.

42. Stock Brokers/Depository Participants shall conduct VAPT at least once in a financial year. All Stock Brokers/Depository Participants are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on said VAPT shall be submitted to the Stock Exchanges/Depositories after approval from Technology Committee of respective Stock Brokers/Depository Participants, within 1 month of completion of VAPT activity.

In addition, Stock Brokers/Depository Participants shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.

44. Any gaps/vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the Stock Exchanges/Depositories within 3 months post the submission of final VAPT report.

3. Further, the Stock Brokers/Depository Participants are mandated to conduct comprehensive cyber audit at least once in a financial year. All Stock Brokers/Depository Participants shall submit with Stock Exchange/Depository a declaration from the MD/CEO/Partners/Proprietors certifying compliance by the Stock Brokers/Depository Participants with all SEBI Circulars and advisories related to Cyber security from time to time, along with the Cyber audit report.

4. Stock Brokers/Depository Participants shall take necessary steps to put in place systems for implementation of the circular.

5. All Stock Brokers/Depository Participants are directed to communicate the status of the implementation of the provisions of this circular to Stock Exchanges/Depositories within 10 days from the date of this Circular.

6. Stock Exchanges and Depositories shall:

a) make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction; and

b) bring the provisions of this circular to the notice of their members/participants and also disseminate the same on their websites.

7. The provisions of the Circular shall come into force with immediate effect.

8. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.
