SEBI Cyber Security Framework

The regulatory situation in India is becoming more stringent. Regulating authorities have asked institutions and organizations to put in place board-approved, robust cyber-risk management systems. The regulator has also set norms that put losses due to cyber-attacks. In the securities sector, SEBI on 8 September, 2017 issued a cyber security framework called “Cyber Security and Cyber Resilience framework for Registrars to an Issue / Share Transfer Agents” under circular no. SEBI/HO/MIRSD/CIR/P/2017/0000000100. Some of the important topics covered by the framework are listed below:

  1. Governance
  2. Network Security Management
  3. Hardening of Hardware and Software
  4. Vulnerability Assessment and Penetration Testing
  5. Monitoring and Detection
  6. Response and Recovery
  7. Access Control

Objectives of the Cyber Security framework:

  1. Provide recommendation with respect to operational risk management for managing risk to systems, networks and databases from cyber-attacks and threats
  2. Provide recommendation to constitute a Technology Committee comprising experts proficient in technology
  3. Provide recommendation to define responsibilities of its employees, outsourced staff, and employees of vendors, members or participants and other entities, who may have access to or use systems / networks of QRTAs, towards ensuring the goal of cyber security
  4. Provide recommendation to establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment
  5. Provide recommendation to establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events and timely detection of unauthorised or malicious activities, unauthorised changes, unauthorised access and unauthorised copying or transmission of data / information held in contractual or fiduciary capacity, by internal and external parties.
  6. Provide recommendation to have a Business Continuity and Recovery Plan