SEBI lays down guidelines on cybersecurity for regulated entities

By Shivani Bazaz  Feb 22, 2023 8:24:30 PM IST (Updated)

The circular put out by SEBI noted that cyber incidents have been rapidly growing in frequency and sophistication.

The Securities and Exchange Board of India (SEBI) has issued an advisory on cybersecurity best practices to SEBI Regulated Entities (REs) aimed at limiting cyber threats and phishing attacks. SEBI has asked all REs, including financial sector organisations, stock exchanges, depositories, mutual funds and other financial entities, to confirm compliance with the advisory along with their cybersecurity audit report.

The circular put out by SEBI noted that cyber incidents have been rapidly growing in frequency and sophistication. The market regulator has told the regulated entities to implement 12 practices recommended by CSIRT-Fin.

SEBI has asked the REs to define the roles and responsibilities of the Chief Information Security Officer (CISO) and other senior personnel. The REs have also been told to proactively monitor cyberspace to identify phishing websites, considering that the majority of cyber infections are introduced via phishing emails, malicious adverts on websites, and third-party apps and programs.

The entities have also been asked to run security awareness campaigns on the need to avoid opening links and attachments in email.
SEBI has also directed the REs to carry out a security audit or Vulnerability Assessment and Penetration Testing (VAPT) at regular intervals. Gaps identified in the VAPT are to be resolved within the timelines prescribed by SEBI. The regulator has also told the REs to follow these five steps as data protection measures:

  • Prepare a detailed incident response plan
  • Enforce effective data protection, backup, and recovery measures
  • Implement encryption of data at rest so that an attacker who obtains the stored data cannot read it
  • Identify and classify sensitive and Personally Identifiable Information (PII) data, and apply measures to encrypt such data in transit and at rest
  • Deploy data leakage prevention (DLP) solutions and processes

The regulated entities have also been directed to maintain a strong log retention policy and password policy across all digital assets, and to enable multi-factor authentication (MFA) for all users. The advisories issued by CERT-In should be implemented in letter and spirit by the regulated entities, SEBI said in the circular. The REs are also advised to obtain ISO certification and to conduct due diligence on the audit process and the tools used for such audits.
First Published: Feb 22, 2023 7:38 PM IST