Daily News for Every Age

Sebi changes KYC registration agencies’ cyber security and cyber resilience frameworks

Sebi said on Monday that the cyber security and cyber resilience framework for KYC Registration Agencies (KRAs) had been modified.


According to PTI, the Securities and Exchange Board of India (Sebi) modified the cyber security and cyber resilience framework of KYC Registration Agencies (KRAs) on Monday. They must also undertake a complete cyber audit at least twice a year, according to the capital markets regulator.

According to a circular, along with the cyber audit report, all KRAs must submit a declaration from the MD and CEO certifying compliance with all the cybersecurity-related recommendations and notices that Sebi issues from time to time.


Under the new framework, KRAs must identify and classify key assets based on their sensitivity and criticality to company operations, services, and data management.

According to PTI, key assets include business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data. All auxiliary systems that connect to or interface with critical systems must be recognised as critical systems as well, whether for operations or maintenance.

The KRA's board will also have to endorse the list of vital systems.

“To that purpose, KRA must keep an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, network connections, and data flows,” Sebi added.

According to PTI, KRAs must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) covering all infrastructure components and critical assets, such as servers, network systems, security devices, and other IT systems, in order to detect security vulnerabilities in the IT environment and to obtain an in-depth evaluation of the security posture of the KRA's systems and networks through simulations of real attacks.


According to the regulation, KRAs must also undertake VAPT at least once a financial year.

According to Sebi, KRAs whose systems have been designated as a "protected system" by the National Critical Information Infrastructure Protection Centre (NCIIPC) must conduct VAPT at least twice every fiscal year.

Furthermore, all KRAs must undergo VAPT with only CERT-In integrated organisations, according to PTI.

The final report on the VAPT must be submitted to Sebi within a month of the completion of the VAPT activity, after clearance from the technology standing committee of the respective KRA.

“Any gaps/vulnerabilities discovered must be addressed immediately,” the regulator said, adding that “closure compliance of the findings made during VAPT will be sent to Sebi within 3 months after VAPT’s final report is submitted to Sebi.”

Prior to the roll-out of a new critical system or component of an existing critical system, KRAs must also conduct vulnerability scans and penetration testing, according to PTI.

According to Sebi, the new framework will take effect immediately, and all KRAs must inform the regulator of their progress in implementing the circular within 10 days.
