In sync with MeitY’s CERT-In guidelines, SEBI mandates Stock Brokers and DPs to report cyber-attacks / threats / cyber-incidents / breaches within 6 hours of noticing / detecting / being informed of such incidents

In partial modification of its earlier circular on the framework for Cyber Security and Cyber Resilience for Stock Brokers / Depository Participants, the Securities and Exchange Board of India (“SEBI”) has, in a recent Circular dated 30th June, 2022, modified para 52 of Annexure 1 of the December 03, 2018 Circular on “Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants” to read as follows:
“All Cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers / Depositories Participants shall be reported to Stock Exchanges / Depositories & SEBI within 6 hours of noticing / detecting such incidents or being brought to notice about such incidents. This information shall be shared to SEBI through the dedicated e-mail id: sbdp-cyberincidents@sebi.gov.in.
The incident shall also be reported to Indian Computer Emergency Response team (CERT-In) in accordance with the guidelines / directions issued by CERT-In from time to time. Additionally, the Stock Brokers / Depository Participants, whose systems have been identified as “Protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC.
The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by Stock Brokers / Depository Participants and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs / vulnerabilities, threats that may be useful for other Stock Brokers / Depository Participants / Exchanges /Depositories and SEBI, shall be submitted to Stock Exchanges / Depositories within 15 days from the quarter ended June, September, December and March of every year.”
Prior to this, Para 52 read as follows:
“Quarterly reports containing information on cyber-attacks and threats experienced by Stock Brokers / Depository Participants and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs / vulnerabilities / threats that may be useful for other Stock Brokers / Depository Participants should be submitted to Stock Exchanges / Depositories.”
While the requirement to file quarterly reports remains intact, with only the quarters now specifically prescribed, a new requirement has been inserted in sync with the recent CERT-In Guidelines rolled out by MeitY dated 28th April, 2022, prescribing mandatory reporting of cyber incidents within 6 hours of noticing or being intimated of such incidents.
Effectively, going forward, Stock Brokers and Depository Participants will have to report cyber-attacks, threats, cyber-incidents and breaches to SEBI within 6 hours of noticing, detecting or being informed of such incidents, through the dedicated e-mail id: sbdp-cyberincidents@sebi.gov.in.