The Securities and Exchange Board of India (“SEBI”) has, in a circular dated December 3, 2018 specified the Cyber Security & Cyber Resilience framework for Stock Brokers and Depository Participants.

The framework aims at protecting the interests of investors in securities and to promote the development of, and to regulate the securities market. The guidelines will gain effect from April 1,2019.

Background:

The recent developments in technology have impacted the securities market. There is a need for maintaining an effective cyber security and cyber resilience framework to protect data

Since stock brokers and depository participants perform significant functions in providing services to holders of securities, they must have in place a comprehensive cyber security and cyber resilience framework to perform effectively.

All Stock Brokers and Depository Participants registered with SEBI must comply with the framework. Stock Exchanges and Depositories must;

• make necessary amendments to the relevant byelaws, rules and regulations for the implementation the framework;
• bring the provisions of this circular to the notice of their members/participants and also disseminate the same on their websites; and
• communicate to SEBI, the status of  implementation  of  the  provisions  of  this  circular  in their Monthly Report

The framework specifies guidelines for cyber security on the following heads:

1. Governance
2. Identification –of critical assets and the cyber risks that it may face
3. Protection –of confidential data and restriction on access
4. Physical Security
5. Network security management
6. Data Security- identification and encryption of critical data and restriction on access
7. Hardening of Hardware and Software
8. Application Security in Customer Facing Applications
9. Certification of off-the-shelf products
10. Patch Management Procedures
11. Disposal of data, systems and storage devices
12. Conduction of Vulnerability Assessment and Penetration Testing (VAPT)
13. Security Monitoring and Detection systems
14. Response and Recovery upon alerts
15. Sharing of Information
16. Training and Education of staff
17. Systems managed by vendors
18. Systems managed by MIIs (Market Infrastructure Institutions)
19. Periodic Audit

Source: Securities and Exchange Board of India

Share this: