SEBI Modifies Cybersecurity, Cyber Resilience Framework for KRAs, Mandates Cyber Audit Twice a Year

Capital markets regulator SEBI on Monday modified the cybersecurity and cyber resilience framework for KYC registration agencies (KRAs), mandating them to conduct a comprehensive cyber audit at least twice a fiscal year. Along with the cyber audit report, all KRAs have been directed to submit a declaration from the MD and CEO certifying their compliance with all SEBI cybersecurity guidelines and advisories issued from time to time, according to a circular.

Under the revised framework, KRAs are required to identify and classify critical assets based on their sensitivity and importance to business processes, services, and data management.

Critical assets should include sensitive business systems, Internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personal information data, among others. All auxiliary systems used to access or communicate with critical systems, whether for operations or maintenance, should also be classified as critical systems.

In addition, the Board of Directors of each KRA will be required to approve the list of critical systems.

“To this end, the KRA must maintain an up-to-date inventory of its hardware, systems, software and information assets (internal and external), details of its network resources, network connections, and data flows,” SEBI said.

According to SEBI, KRAs should conduct regular Vulnerability Assessments and Penetration Tests (VAPT) covering all critical infrastructure components and assets, such as servers, network systems, security devices and other IT systems, to discover vulnerabilities in the IT environment and to assess the security posture of the system in depth by simulating real attacks on its systems and networks.

Additionally, the regulator said that KRAs must conduct a VAPT at least once per fiscal year.

However, for KRAs whose systems have been designated a “protected system” by the National Center for Critical Information Infrastructure Protection (NCIIPC), SEBI said, VAPT must be performed at least twice in a fiscal year.

Furthermore, all KRAs are required to engage only CERT-In to conduct the VAPT.

The final report on VAPT must be submitted to SEBI after approval by the respective KRA Standing Committee on Technology, within a month of the end of VAPT activity.

“Any gaps/weaknesses discovered must be addressed immediately and compliance with the closure of findings identified during the VAPT will be sent to SEBI within 3 months after the final VAPT report is submitted to SEBI,” the regulator said.

In addition, KRAs must also perform vulnerability scans and penetration tests prior to launching a new system that is a critical system or is part of an existing critical system.

The new framework will come into effect immediately, SEBI said, adding that all KRAs must report the status of implementation of the circular to the regulator within 10 days.
