On 24-8-2023, the Securities and Exchange Board of India (‘SEBI') made modifications in Cyber Security and Cyber Resilience frame for Stock Exchanges, Clearing Corporations and Depositories. The provisions came into effect on 24-8-2023.
The Market Infrastructure Institutions (‘MIIs') are now mandated to:
-
Conduct comprehensive cyber audit at least 2 times per financial year.
-
They have to submit cyber audit reports and a declaration from the MD/ CEO certifying that-
-
Comprehensive measures and processes including suitable incentive/disincentive structures, have been put in place for identification/detection and closure of vulnerabilities in the organization's IT systems.
-
Adequate resources have been hired for staffing their Security Operations Center.
-
They have complied with all the SEBI circulars and advisories related to cyber security.
-
-
For the systems identified as Critical Information Infrastructure by the National Critical Information Protection Centre, the MIIs are mandated to send the regular updates/closure status of the vulnerabilities found in their “protected systems”.
-
They have to communicate the status of the implementation of the provisions of this circular within 30 days.
Note: Earlier, the framework was laid down vide SEBI circular dated 6-7-2015 and SEBI circular dated 20-5-2022.