SEBI Modifies Cyber Security and Cyber Resilience Framework of KYC Registration Agencies (KRAs) – 30th May, 2022

  • SEBI, vide circular dated 15th October, 2019, prescribed a framework for Cyber Security and Cyber Resilience for KYC Registration Agencies.
  • Further, SEBI, vide its circular dated 30th May, 2022, modified Annexure A of the SEBI Circular dated 15th October, 2019; paragraphs 11, 40, 41 and 42 shall now be read as under:

11. KRAs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications/systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance shall also be classified as critical systems. The Board of the KRAs shall approve the list of critical systems.

To this end, KRAs shall maintain an up-to-date inventory of their hardware and systems, software and information assets (internal and external), details of their network resources, connections to their network and data flows.

40. KRAs shall carry out periodic vulnerability assessment and penetration tests (VAPT) which inter alia include critical assets and infrastructure components like servers, networking systems, security devices, load balancers, other IT systems pertaining to the activities done as KRAs, etc., in order to detect security vulnerabilities in the IT environment and to carry out an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.

KRAs shall conduct VAPT at least once in a financial year. However, for the KRAs whose systems have been identified as a “protected system” by NCIIPC under the Information Technology (IT) Act, 2000, VAPT shall be conducted at least twice in a financial year. Further, all KRAs are required to engage only CERT-In empaneled organizations for conducting VAPT. The final report on the said VAPT shall be submitted to SEBI after approval from the Technology Committee of the respective KRAs, within one month of completion of the VAPT activity.

41. Any gaps/vulnerabilities detected shall be remedied on an immediate basis, and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 months post the submission of the final VAPT report.

42. In addition, KRAs shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.

  • Further, the Circular states that KRAs are mandated to conduct a comprehensive cyber audit at least twice a financial year. All KRAs shall submit a declaration from the MD/CEO certifying compliance by the KRA with all SEBI Circulars and advisories related to cyber security issued from time to time, along with the cyber audit report.
  • In addition, KRAs shall take the necessary steps to put in place systems for implementation of the Circular.
  • All KRAs are directed to communicate the status of the implementation of the provisions of this Circular to SEBI within 10 days from the date of the Circular.
  • The provisions of the Circular come into force with immediate effect.
Link to the Circular:
https://www.sebi.gov.in/legal/circulars/may-2022/modification-in-cyber-security-and-cyber-resilience-framework-of-kyc-registration-agencies-kras-_59318.html
