Capital markets regulator Sebi on Friday tweaked the framework pertaining to cyber security and cyber resilience for Qualified Registrars to an Issue and Share Transfer Agents (QRTAs).
QRTAs have been mandated to conduct comprehensive cyber audit at least twice in a financial year, Sebi said in a circular.
Also, QTRAs need to submit a declaration from their respective MD/CEO certifying compliance by them with all Sebi guidelines related to cyber security, along with the cyber audit reports.
Under the modified rules, QRTAs are required to identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
The critical assets should include business critical systems, internet facing applications, systems that contain sensitive data, sensitive personal data, sensitive financial data and personally identifiable information data.
According to Sebi, all the ancillary systems used for accessing or communicating with critical systems either for operations or maintenance should also be classified as critical systems.
The boards of QRTAs need to approve the list of critical systems. In this regard, they should maintain up-to-date inventory of its hardware and systems, software and information assets, details of its network resources, connections to its network and data flows.
QRTAs will have to carry out periodic Vulnerability Assessment and Penetration Tests (VAPT), including on critical assets and infrastructure components like servers, networking systems and security devices, in order to detect security vulnerabilities in the IT environment. It will also help in having an in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks.
Further, QRTAs need to conduct VAPT at least once in a financial year.
However, QRTAs, whose systems have been identified as "protected system" by National Critical Information Infrastructure Protection Centre (NCIIPC), need to conduct VAPT at least twice in a fiscal.
Further, Sebi said that all QRTAs are required to engage only CERT-In empaneled organisations for conducting VAPT and the final report on VAPT will be submitted to Sebi after approval from technology committee of respective QRTAs, within one month of completion of VAPT activity.
"Any gaps/vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to Sebi within three months post the submission of final VAPT report," Sebi said.
In addition, QRTAs are required to perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system which is a critical system or part of an existing critical system.
The new rules will come into force with immediate effect, the Securities and Exchange Board of India (Sebi) said.
