Capital markets regulator Sebi on Friday fine-tuned the cybersecurity and cyber-resilience framework for Qualified Issue Registrar and Share Transfer Agents (QRTAs).
QRTAs have been mandated to conduct a full cyber audit at least twice in a fiscal year, Sebi said in a circular.
In addition, QRTAs must submit a statement from their respective CEO certifying compliance with all Sebi cybersecurity guidelines, along with the cyber audit reports.
Under the amended rules, QRTAs are required to identify and categorize critical assets based on their sensitivity and criticality to business operations, services and data management.
Critical assets should include business-critical systems, Internet-accessible applications, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information (PII).
According to Sebi, all auxiliary systems used to access or communicate with critical systems, whether for operation or maintenance, must also be classified as critical systems.
QRTA boards must approve the list of critical systems. To support this, QRTAs should maintain an up-to-date inventory of their hardware and systems, software and information assets, network resources, connections to their network, and data flows.
QRTAs will be required to perform periodic Vulnerability Assessment and Penetration Testing (VAPT), including on critical assets and infrastructure components such as servers, network systems and security appliances, to detect security vulnerabilities in the IT environment. The VAPT is also meant to give a thorough assessment of the security posture of their systems and networks by simulating real attacks against them.
Additionally, QRTAs must perform the VAPT at least once in a fiscal year.
However, QRTAs whose systems have been identified as “protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC) must perform the VAPT at least twice in a fiscal year.
In addition, Sebi stated that all QRTAs are required to engage only CERT-In empanelled organisations to conduct the VAPT, and that the final VAPT report must be submitted to Sebi, after approval by the respective QRTA's Technology Committee, within one month of completing the VAPT activity.
“Any gaps/vulnerabilities detected must be remedied immediately and compliance of closure of findings identified during the VAPT must be submitted to Sebi within three months of submission of the final VAPT report,” Sebi said.
Additionally, QRTAs are required to perform vulnerability scanning and penetration testing before commissioning a new system that is a critical system or part of an existing critical system.
The new rules will come into force with immediate effect, the Securities and Exchange Board of India (Sebi) said.
(This story has not been edited by the Devdiscourse team and is auto-generated from a syndicated feed.)