Homemarket News

    Sebi modifies cyber security and resilience framework for Qualified Registrars to an Issue and Share Transfer Agents

    Sebi modifies cyber security and resilience framework for Qualified Registrars to an Issue and Share Transfer Agents

    Sebi modifies cyber security and resilience framework for Qualified Registrars to an Issue and Share Transfer Agents
    Profile image

    By PTI  IST (Published)

    Mini

    QRTAs will have to carry out periodic Vulnerability Assessment and Penetration Tests (VAPT), including on critical assets and infrastructure components like servers, networking systems and security devices, in order to detect security vulnerabilities in the IT environment.

    Capital markets regulator Sebi on Friday tweaked the framework pertaining to cyber security and cyber resilience for Qualified Registrars to an Issue and Share Transfer Agents (QRTAs). QRTAs have been mandated to conduct a comprehensive cyber audits at least twice in a financial year, Sebi said in a circular.
    Also, QTRAs need to submit a declaration from their respective MD/CEO certifying compliance by them with all Sebi guidelines related to cyber security, along with the cyber audit reports. Under the modified rules, QRTAs are required to identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
    The critical assets should include business-critical systems, internet-facing applications, systems that contain sensitive data, sensitive personal data, sensitive financial data and personally identifiable information data.
    According to Sebi, all the ancillary systems used for accessing or communicating with critical systems either for operations or maintenance should also be classified as critical systems.
    Also read:
    The boards of QRTAs need to approve the list of critical systems. In this regard, they should maintain an up-to-date inventory of its hardware and systems, software and information assets, details of its network resources, connections to its network and data flows.
    QRTAs will have to carry out periodic Vulnerability Assessment and Penetration Tests (VAPT), including on critical assets and infrastructure components like servers, networking systems and security devices, in order to detect security vulnerabilities in the IT environment.
    It will also help in having an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.
    Further, QRTAs need to conduct VAPT at least once in a financial year. However, QRTAs, whose systems have been identified as "protected system" by National Critical Information Infrastructure Protection Centre (NCIIPC), need to conduct VAPT at least twice in a fiscal.
    Further, Sebi said that all QRTAs are required to engage only CERT-In empanelled organisations for conducting VAPT and the final report on VAPT will be submitted to Sebi after approval from the technology committee of respective QRTAs, within one month of completion of VAPT activity.
    "Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to Sebi within three months post the submission of final VAPT report," Sebi said.
    In addition, QRTAs are required to perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system. The new rules will come into force with immediate effect, the Securities and Exchange Board of India (Sebi) said.
    Check out our in-depth Market Coverage, Business News & get real-time Stock Market Updates on CNBC-TV18. Also, Watch our channels CNBC-TV18, CNBC Awaaz and CNBC Bajar Live on-the-go!
    arrow down

      Most Read

      Market Movers

      View All
      CompanyPriceChng%Chng