The Securities and Exchange Board of India (SEBI) has tweaked the cyber security and the cyber resilience framework of know-your-customer (KYC) registration agencies (KRAs). The market regulator has mandated these agencies to conduct a comprehensive cyber audit at least twice in a fiscal year.

As per the new framework, KRAs are mandated to identify and classify critical assets based on their sensitivity and criticality to business operations, services and data management.

Apart from the audit report, all KRAs have been directed to submit a statement from the managing director (MD) and chief executive officer (CEO) certifying their compliance with all of SEBI’s cybersecurity-related guidelines and notices issued periodically.

Further, SEBI asserted that critical assets should include business-critical systems, internet-facing applications/systems, and systems containing sensitive data, sensitive personal data, sensitive financial data or personally identifiable information, among others. In addition, it stated that all ancillary systems used to access or communicate with critical systems must also be classified as critical systems. The KRAs’ boards are now also required to approve the list of critical systems.

According to the public notice released by SEBI, KRAs must conduct regular vulnerability assessments and penetration tests (VAPT) covering all infrastructure components and critical assets, such as servers, network systems, security devices and other IT systems, to detect security vulnerabilities in the IT environment. The VAPT must also provide an in-depth evaluation of the security posture of the system through simulations of real attacks on the KRA’s systems and networks.

Moreover, SEBI mandated KRAs to conduct VAPT at least once in a financial year. However, for KRAs whose systems have been identified as a protected system by the National Critical Information Infrastructure Protection Centre (NCIIPC), SEBI said, VAPT must be performed at least twice in a fiscal year.

Furthermore, all KRAs are required to engage only CERT-In integrated organisations to conduct VAPT. The final report on the VAPT must be submitted to SEBI, after approval by the technology standing committee of the respective KRA, within a month of the end of the VAPT activity.

As per the circular, the new framework will come into force with immediate effect and all KRAs must communicate the status of the implementation of the circular to the regulator within 10 days.