SEBI issues advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices

In view of the increasing cybersecurity threats to the securities market, the Securities and Exchange Board of India (“SEBI”) has advised all SEBI regulated entities (“REs”) to implement the following:
i. REs are advised to define the roles and responsibilities of the Chief Information Security Officer (CISO) and other senior personnel, and to clearly state the reporting and compliance requirements in the security policy;
ii. Cyberspace needs to be proactively monitored, and if any phishing website impersonating the RE’s domain is identified, it must be reported to CSIRT-Fin/CERT-In for appropriate action;
iii. Apply the latest patches regularly to all operating systems and applications, and conduct security audits / Vulnerability Assessment and Penetration Testing (VAPT) of applications on a regular basis, in line with SEBI’s Cyber Security and Cyber Resilience circulars;
iv. For data protection and data breach response, REs are required to undertake measures such as preparing a detailed incident response plan, identifying and classifying sensitive and Personally Identifiable Information (“PII”) data, and encrypting PII data in transit and at rest;
v. A strong log retention policy must be implemented, and all logs must be audited and monitored to identify unusual patterns and behaviours;
vi. REs must implement a strong password policy and adopt multi-factor authentication for virtual private networks (VPNs), webmail and accounts that access critical systems;
vii. The “least-privilege” approach must be adopted and “zero-trust” models must be implemented to mitigate insider threats;
viii. REs are also advised to implement cybersecurity controls, ensure the implementation of CERT-In advisories and the security of cloud services, and exercise due diligence over the audit process and the tools used for such audits;
ix. Further, REs are advised to pursue ISO certification, as it provides reasonable assurance of their preparedness with regard to cybersecurity.
A copy of the notification is linked below for ease of reference.