SEBI Modifies Cyber Resilience and Cyber Security Framework with VAPT

Posted October 21, 2022 by leotechnosoft

LTS is the best digital software company, founded in 2008 with an established mission to develop solutions that deliver a next-generation (GEN-Next) customer experience.
For Immediate Release. Date: 21.10.2022


Sebi, the capital markets regulator, on Tuesday moved to strengthen the cyber security and cyber resilience frameworks of stockbrokers and depository participants, requiring them to conduct a comprehensive cyber audit at least once a financial year.
Along with the cyber audit report, stockbrokers and depository participants will submit to the exchanges and depositories a declaration, signed by their Managing Director and CEO, confirming compliance with all Sebi cybersecurity circulars and advisories issued from time to time.

According to Sebi, stockbrokers and depository participants must conduct regular vulnerability assessment and penetration testing (VAPT), covering critical assets and infrastructure components, to detect security gaps in their IT environments. They should also perform a detailed assessment of the system's security posture by simulating real-world attacks on systems and networks.

Recently, the Securities and Exchange Board of India (SEBI) issued a circular amending the Cyber Security Framework and Cyber Resilience Framework for all registered Know Your Customer (KYC) Registration Agencies (KRAs). The revised cybersecurity framework for KRAs published by SEBI requires each KRA to conduct a comprehensive cyber audit at least twice a year. In addition to the cyber audit report, KRAs were instructed to submit a statement signed by the Managing Director (MD) and CEO confirming that the KRA has complied with all SEBI policies and advisories published from time to time.

What are the new SEBI Guidelines? (Paragraphs 11, 41, 42, and 44)

SEBI then issued a second circular on June 9, 2022. This is an amended version of Schedule 1 (dated January 10, 2019) applicable specifically to:

Mutual Fund
Asset Management Company (AMC)
Trustee Companies/Boards of Trustees of Investment Funds
Indian Investment Funds Institute (AMFI)
The amendments to paragraphs 11, 41, and 42 mirror the earlier modifications, and new guidance is introduced in paragraphs 40 and 51.

Who does the KRA Cybersecurity Framework Circular apply to? It applies only to KRAs.

Highlights of the KRA Cyber Security Framework Circular
On May 30, 2022, SEBI issued a circular titled "Modification in Cyber Security and Cyber Resilience Framework of KYC Registration Agencies (KRAs)." In it, SEBI set out a revised cybersecurity framework for KRAs. As part of the revised framework, SEBI has established the following requirements:

Identification and Classification of Critical Assets

Each KRA shall identify and classify its critical assets based on the sensitivity and criticality of its services, business operations, and data management. Critical assets include business-critical systems containing sensitive data, Internet-facing applications and systems, sensitive financial data, personal data, personally identifiable information (PII), and similar assets. Systems that critical systems depend on for maintenance or operational purposes are also classified as critical. The list of these critical systems must be approved by the KRA's Board of Directors.

For this purpose, the KRA must maintain an up-to-date inventory of software and information assets (internal and external), hardware and systems, network connectivity, network resources, and data flow details.

Regular VAPT Implementation by KRAs

The KRA Cyber Security Framework Circular requires the KRA to periodically assess security devices, servers, network systems, load balancers, and other IT systems related to the KRA's activities in order to detect security vulnerabilities in the IT environment. In addition, the system's security posture must be evaluated in detail by simulating real-world attacks on systems and networks.

The KRA cybersecurity framework also requires each KRA to conduct a VAPT at least once a financial year. However, KRAs whose systems have been identified as "protected systems" by the NCIIPC under the Information Technology (IT) Act, 2000 must perform VAPT at least twice during the financial year. The framework further mandates that every KRA conduct its VAPT only through CERT-In empanelled organisations.

After final approval by the KRA's Technical Committee, the VAPT results must be submitted to SEBI. This submission must be made within one month of completing the VAPT activity.

Conducting Vulnerability Scans and Penetration Tests

The cybersecurity framework also requires the KRA to perform vulnerability scans and penetration tests before commissioning a new critical system, or a new component of an existing critical system, into production.

Issued By: LTS
Phone: 13109744005
Business Address: 2406 Schumacher Drive, Mishawaka, IN, 46545, CHICAGO / MIDWEST
Country: United States
Categories: Security, Services, Technology
Tags: vapt, vulnerability assessments and penetration testing
Last Updated: October 21, 2022