SEBI Mandates Cyber Security Audit For KYC Registration Agencies

(Last Updated On: May 31, 2022)

Cyber Security Audit Mandatory To All KYC Registration Agencies – SEBI

On Monday, the Securities and Exchange Board of India (Sebi) announced that it had changed the cyber security and cyber resilience framework for KYC Registration Agencies (KRAs), as reported by PTI. As part of the mandate, the capital markets regulator requires them to conduct comprehensive cyber audits at least twice a year.

All KRAs must submit a statement from the MD and CEO, along with the cyber audit report, that certifies compliance with all cyber security-related recommendations and notices issued periodically by Sebi, said PTI.

As part of the updated framework, KRAs must identify and classify key assets based on their sensitivity and criticality to company operations, services, and data management.

“To this end, KRA must maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.

PTI reports that business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data or sensitive financial data, and systems containing personally identifiable information are identified as critical assets. All auxiliary systems that connect to or communicate with critical systems, whether for operation or maintenance, must also be designated as critical systems.

In addition, the KRA's board will need to approve the list of critical systems.

According to PTI, KRAs need to conduct regular Vulnerability Assessments and Penetration Tests (VAPTs) that cover all infrastructure components and critical assets, such as servers, network systems, security devices, and other IT systems. The aim is to detect security vulnerabilities within the IT environment and to evaluate the security posture of their systems and networks through simulated cyber attacks.

“Any gaps/vulnerabilities detected must be remedied immediately and the closure compliance of the findings identified during VAPT will be sent to Sebi within 3 months after VAPT’s final report is submitted to Sebi,” the regulator said.
