Sebi tweaks cyber security, cyber resilience framework for QRTAs


PTI | New Delhi | Updated: 27-05-2022 18:36 IST | Created: 27-05-2022 18:23 IST
Sebi tweaks cyber security, cyber resilience framework for QRTAs
Representative Image Image Credit: ANI
  • Country:
  • India

Capital markets regulator Sebi on Friday tweaked the framework about cyber security and cyber resilience for Qualified Registrars to an Issue and Share Transfer Agents (QRTAs).

Qantas has been mandated to conduct comprehensive cyber audits at least twice in a financial year, Sebi said in a circular.

Also, QTRAs need to submit a declaration from their respective MD/CEO certifying compliance by them with all Sebi guidelines related to cyber security, along with the cyber audit reports.

Under the modified rules, QRTAs are required to identify and classify critical assets based on their sensitivity and criticality for business operations, services, and data management.

The critical assets should include business-critical systems, internet-facing applications, systems that contain sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data.

According to Sebi, all the ancillary systems used for accessing or communicating with critical systems either for operations or maintenance should also be classified as critical systems.

The boards of QRTAs need to approve the list of critical systems. In this regard, they should maintain an up-to-date inventory of its hardware and systems, software and information assets, details of its network resources, connections to its network, and data flows.

Qantas will have to carry out periodic Vulnerability Assessment and Penetration Tests (VAPT), including on critical assets and infrastructure components like servers, networking systems, and security devices, to detect security vulnerabilities in the IT environment. It will also help in having an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.

Further, QRTAs need to conduct VAPT at least once in a financial year.

However, Qantas, whose systems have been identified as ''protected systems'' by National Critical Information Infrastructure Protection Centre (NCIIPC), needs to conduct VAPT at least twice in a fiscal.

Further, Sebi said that all QRTAs are required to engage only CERT-In empaneled organizations for conducting VAPT and the final report on VAPT will be submitted to Sebi after approval from the technology committee of respective QRTAs, within one month of completion of VAPT activity.

''Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to Sebi within three months post the submission of final VAPT report,'' Sebi said.

In addition, QRTAs are required to perform vulnerability scanning and conduct penetration testing before the commissioning of a new system which is a critical system or part of an existing critical system.

The new rules will come into force with immediate effect, the Securities and Exchange Board of India (Sebi) said.

(This story has not been edited by Devdiscourse staff and is auto-generated from a syndicated feed.)

Give Feedback