SEBI Modified Cyber Security and Cyber Resilience Framework of Qualified RTAs

In order to protect the interests of investors in securities and to promote the development of, and to regulate the securities market, Securities and Exchange Board of India (SEBI) vide Circular No. SEBI/HO/MIRSD/MIRSD_RTAMB/P/CIR/2022/73dated 27^th May,2022 has issued notification related to Modification in Cyber Security and Cyber resilience framework of Qualified Registrars to an Issue and Share Transfer Agents ("QRTAs") in exercise of the powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992 read with Regulation 101 of the Listing Regulations.

Applicability

The provisions of the Circular shall come into force with immediate effect i.e. 27^th day of May, 2022.

Key Highlights

• QRTAs have been mandated to conduct comprehensive cyber audits at least twice in a financial year.
• All QRTAs shall submit a declaration from the MD/ CEOcertifying compliance by the QRTAs with all SEBI Circulars and advisories related to cyber security from time to time, along with the Cyber audit reports.
• All QRTAs are directed to communicate the status of the implementation of the provisions of this circular to SEBI within 10 days from the date of this Circular.
• QRTAs are required to take the necessary steps to put in place systems for the implementation of the circular.
• The critical assets should include business-critical systems, internet-facing applications, systems that contain sensitive data, sensitive personal data, sensitive financial data and personally identifiable information data.
• All the ancillary systems used for accessing or communicating with critical systems either for operations or maintenance should also be classified as critical systems.
• QRTAs will have to carry out periodic Vulnerability Assessment and Penetration Tests (VAPT), including on critical assets and infrastructure components like servers, networking systems and security devices, in order to detect security vulnerabilities in the IT environment.
• QRTAs need to conduct VAPT at least once in a financial year. However, QRTAs, whose systems have been identified as "protected systems" by National Critical Information Infrastructure Protection Centre (NCIIPC), need to conduct VAPT at least twice in a fiscal.
• Sebi said that all QRTAs are required to engage only CERT-In empanelled organisations for conducting VAPT and the final report on VAPT will be submitted to Sebi after approval from the technology committee of respective QRTAs, within one month of completion of VAPT activity.
• Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 months post the submission of the final VAPT report.
• Previous Circular: SEBI vide circular SEBI/HO/MIRSD/CIR/P/2017/100 dated September 08, 2017prescribed framework for Cyber Security and Cyber Resilience for Qualified Registrars to an Issue and Share Transfer Agents ("QRTAs")

Disclaimer: Every effort has been made to avoid errors or omissions in this material. In spite of this, errors may creep in. Any mistake, error or discrepancy noted may be brought to our notice which shall be taken care of in the next edition. In no event, the author shall be liable for any direct, indirect, special or incidental damage resulting from or arising out of or in connection with the use of this information.