
SEBI Amends Cybersecurity and Cyber Resilience Framework for KRAs, Mandates Twice-Yearly Cyber Audits


Capital markets regulator SEBI on Monday amended the cybersecurity and cyber resilience framework for KYC Registration Agencies (KRAs) and required them to conduct a comprehensive cyber audit at least twice in a financial year. Along with the cyber audit report, all KRAs were instructed to submit a statement from the MD and the CEO certifying that they are in compliance with all SEBI cybersecurity-related instructions and notices issued periodically, according to a circular.

Under the revised framework, KRAs are required to identify and categorize critical assets based on their sensitivity and importance to business operations, services, and data management.

Critical assets should include business-critical systems, internet-facing applications and systems, and systems containing sensitive data, sensitive personal data, sensitive financial data, personally identifiable information, etc. All back-end systems used to access or communicate with critical systems, whether for operation or maintenance, must also be classified as critical systems.

In addition, each KRA's board will be required to approve the list of critical systems.

“To this end, the KRA must maintain an up-to-date inventory of hardware and systems, software and information assets (internal and external), detailed information about network resources, connections to the network and its data flows,” SEBI said.

According to SEBI, KRAs are required to conduct regular Vulnerability Assessments and Penetration Tests (VAPTs) covering all infrastructure components and critical assets such as servers, networks, security devices and other IT systems, in order to detect vulnerabilities in their IT environment and to assess the security of their systems in depth by simulating real attacks on their systems and networks.

In addition, the regulator said KRAs must conduct a VAPT at least once in a financial year.

However, for KRAs whose systems have been identified by the National Center for Critical Information Infrastructure Protection (NCIIPC) as “protected systems,” SEBI said, a VAPT must be performed at least twice in a financial year.

Furthermore, all KRAs are required to engage only CERT-In empanelled organizations to conduct the VAPT.

The final VAPT report must be submitted to SEBI, after approval by the respective KRA’s technology standing committee, within one month of the end of the VAPT activity.

“Any vulnerabilities/holes discovered must be remedied immediately, and compliance with closure of the findings identified in the VAPT must be submitted to SEBI within 3 months of the VAPT’s final report being sent to SEBI,” the regulator said.

In addition, KRAs must also perform vulnerability scanning and penetration testing before deploying a new system that is a critical system or is part of an existing critical system.

The new framework takes effect immediately, SEBI said, adding that all KRAs must notify the regulator of the status of implementation of the circular within 10 days.



