The Securities and Exchange Board of India (Sebi) has announced modifications in cyber security and cyber resilience framework for stock brokers and depository players as part of its investor safeguard mechanism.
Sebi said in a circular that stock brokers and depository participants must notify the stock exchanges or depositories as well as Sebi of any cyberattacks, threats or breaches within six hours of them becoming aware of the incident or it being brought to their notice.
The incidents must also be reported to the Indian computer emergency response team (CERT-In) with accordance to the rules or directions that are issued by CERT- In.
Additionally, the National Critical Information Infrastructure Protection Centre (NCIIPC) requires stockbrokers, and/or depository participants with systems designated as ‘Protected Systems’ to report such incidents.
The body also announced that the circular shall come into force with immediate effect, and stock brokers and depository participants must take necessary action for implementation of the circular.
The circular further mentioned that stock exchanges and depositories must
a) Revise the relevant bylaws, rules and regulations for implementation of the above rules and directions, and
b) Bring the provisions of this circular to the attention of their members/participants and make them available on their websites
According to the circular, the information on cyber threats, cyberattacks and incidents also need to be mentioned in the quarterly reports so that Sebi and other stock brokers or depository participants can take preventive measure to prevent such recurrences. They have to be submitted to the stock exchanges or depositories within 15 days of the quarter’s ending in June, September, December, and March of each year.
The email address for sharing the information with SEBI is sbdp-cyberincidents@sebi.gov.in.
Incidentally, the Sebi, had on June 9 come out with a circular on cybersecurity and cyber resilience framework for asset management companies (AMCs), which will, however, come into effect a month later, on July 15, 2022.
Click here to read more on this
Prior to that Sebi had come out with another circular which dealt with cybersecurity and cyber resilience framework for market infrastructure institutions (MII).
Click here to read more about that