SEBI issues framework on Cyber Security & Cyber Resilience for Stock Brokers and Depository Participants, effective April 1, 2019

The Securities and Exchange Board of India (“SEBI”) has, in a circular dated December 3, 2018, specified the Cyber Security & Cyber Resilience framework for Stock Brokers and Depository Participants.

The framework aims to protect the interests of investors in securities, to promote the development of the securities market, and to regulate it. The guidelines take effect from April 1, 2019.

 

Background:

The recent developments in technology have impacted the securities market. There is a need for maintaining an effective cyber security and cyber resilience framework to protect data

Since stock brokers and depository participants perform significant functions in providing services to holders of securities, they must have in place a comprehensive cyber security and cyber resilience framework to perform effectively.

 

All Stock Brokers and Depository Participants registered with SEBI must comply with the framework. Stock Exchanges and Depositories must:

  • make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the framework;
  • bring the provisions of this circular to the notice of their members/participants and also disseminate the same on their websites; and
  • communicate to SEBI the status of implementation of the provisions of this circular in their Monthly Report.

The framework specifies guidelines for cyber security on the following heads:

  1. Governance
  2. Identification – of critical assets and the cyber risks that they may face
  3. Protection – of confidential data and restriction on access
  4. Physical Security
  5. Network security management
  6. Data Security – identification and encryption of critical data and restriction on access
  7. Hardening of Hardware and Software
  8. Application Security in Customer Facing Applications
  9. Certification of off-the-shelf products
  10. Patch Management Procedures
  11. Disposal of data, systems and storage devices
  12. Conducting Vulnerability Assessment and Penetration Testing (VAPT)
  13. Security Monitoring and Detection systems
  14. Response and Recovery upon alerts
  15. Sharing of Information
  16. Training and Education of staff
  17. Systems managed by vendors
  18. Systems managed by MIIs (Market Infrastructure Institutions)
  19. Periodic Audit

 

Source: Securities and Exchange Board of India
