SEBI Notifies Modification In Cyber Security, Cyber Resilience Framework Of Stock Exchanges, Clearing Corporations & Depositories

The revised framework mandates that Market Infrastructure Institutions (MIIs) must carry out comprehensive cyber audits at least twice during a financial year. Alongside the audit reports, MIIs are required to submit a certification from their MD/CEO affirming several key points.

These include the implementation of robust measures and processes to identify, detect, and close vulnerabilities in their IT systems. Additionally, MIIs are directed to have adequate resources in place for staffing their Security Operations Centers (SOCs). The certification also ensures that the MII is in compliance with all SEBI circulars and advisories pertaining to cybersecurity.

Furthermore, MIIs whose systems have been categorized as Critical Information Infrastructure (CII) by the National Critical Information Infrastructure Protection Centre (NCIIPC) are obligated to provide regular updates and closure status of vulnerabilities found in their "protected systems" to NCIIPC.

The circular mandates MIIs to initiate the necessary measures to incorporate the changes within their systems. This involves making any required amendments to relevant bylaws, rules, and regulations. MIIs are also directed to communicate the status of the implementation of these provisions to SEBI within 30 days from the date of the circular.

The revised provisions, as detailed in the circular, come into effect immediately. The authority to issue this circular is derived from the powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992. This is in conjunction with Regulation 51 of the Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018, as well as Section 19 of the Depositories Act, 1996, and Regulation 97 of the Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018.