Capital markets regulator Securities and Exchange Board of India (Sebi) on Friday made a comprehensive cyber audit of market infrastructure institutions (stock exchanges, depositories, clearing corporations) mandatory at least twice in a financial year. Further, along with the audit reports, the regulator has directed all MIIs to submit a declaration from MDs/CEOs “certifying compliance by the MII with all Sebi Circulars and advisories related to Cyber security issued from time to time.”
To detect security vulnerabilities in the IT (information technology) environment and for in-depth evaluation of the security posture of the system, the regulator on Friday asked the authorities concerned to carry out periodic vulnerability assessment and penetration testing (VAPT), inter alia including all critical assets and infrastructure components like servers, networking systems, security devices, load balancers, and other IT systems pertaining to the activities carried out in the role of an MII.
The VAPT is to be conducted at least once in a financial year. However, for MIIs whose systems have been identified as “protected system” by the National Critical Information Infrastructure Protection Centre (NCIIPC), VAPT shall be conducted at least twice in a financial year, Sebi said.
After conducting the same, the final report on VAPT has to be submitted to Sebi, after approval from the Standing Committee on Technology (SCOT) of the respective MIIs, within a month of completion of the VAPT activity. “Any gaps/vulnerabilities detected have to be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to Sebi within three months post the submission of final VAPT report to Sebi,” said Sebi in the circular on Friday.
Additionally, exchanges and other MIIs are required to perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.
Sebi said the new framework for cyber security and cyber resilience will come into force with immediate effect, and all MIIs are directed to communicate the status of the implementation of the circular to the regulator within 10 days.
Source: www.financialexpress.com