Sebi tweaks cyber security, cyber resilience framework of KYC registration agencies
Time: 2024-06-26 08:31:50
Capital markets regulator Sebi on Monday changed the cyber security and the cyber resilience framework of KYC Registration Agencies (KRAs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.
Along with the cyber audit report, all KRAs have been instructed to submit a statement from the MD and CEO certifying their compliance with all of Sebi’s cyber security-related guidelines and notices issued periodically, according to a circular.
Critical assets should include business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, personally identifiable information data, among others. All ancillary systems used to access or communicate with critical systems, whether for operations or maintenance, must also be classified as critical systems.
In addition, the KRAs' board will be required to approve the list of critical systems. “To this end, KRA must maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.
According to Sebi, KRAs must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that include all infrastructure components and critical assets such as servers, network systems, security devices and other IT systems, in order to detect security vulnerabilities in the IT environment and to evaluate in depth the security posture of the system through simulations of real attacks on its systems and networks.
In addition, the regulator said that KRAs must conduct VAPT at least once in a financial year.
However, for KRAs whose systems have been identified as a “protected system” by the National Critical Information Infrastructure Protection Center (NCIIPC), Sebi said, VAPT must be performed at least twice in a fiscal year.
Furthermore, all KRAs are required to engage only CERT-In integrated organisations to conduct VAPT. The final report on the VAPT must be submitted to Sebi after the approval of the technology standing committee of the respective KRA, within a month from the end of the VAPT activity.
“Any gaps/vulnerabilities detected must be remedied immediately and the closure compliance of the findings identified during VAPT will be sent to Sebi within 3 months after VAPT’s final report is submitted to Sebi,” the regulator said.
In addition, KRAs must also perform vulnerability scans and penetration tests prior to the roll-out of a new system that is a critical system or part of an existing critical system.
The new framework will come into force with immediate effect, Sebi said, adding that all KRAs must communicate the status of the implementation of the circular to the regulator within 10 days.