Regulatory Compliance
SEBI
Compliance Audit
“Cyber Security and Resilience Framework for Stock Exchanges and Depositories”.
With a developing economy, more and more people are inclined towards growing their finances with the Stock Market and Mutual Funds. Watching this, SEBI or the Securities and Exchange Board of India has issued three circulars for the Cyber Security Audit for the trading Members of the stock market, Exchanges Depositories and Intermediaries. The idea behind this cyber resilience framework audit is to enhance security practices amidst increasing cyber threats and attacks. This eventually strengthens the integrity of trading facilities on the trading software pursuant to their system respectively.
Consolidated List of SEBI Guidelines For Cyber Resilience
Here is a compiled list of SEBI’s distinctive circular numbers that make it easy to access the most recent SEBI Guidelines. Stay updated with new regulatory changes and remain compliant.
| Circular Number | Circular Name |
|---|---|
|
SEBI/HO/MRD/TPD/P/CIR/2023/146 |
Guidelines for MIIs regarding Cyber security and Cyber resilience |
|
SEBI/HO/MRD/TPD/P/CIR/2023/147 |
Modification in Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories |
|
SEBI/HO/IMD/IMD-PoD-1/P/CIR/2023/046 |
Cyber Security and Cyber Resilience framework for Portfolio Managers |
|
SEBI/HO/MIRSD/TPD/P/CIR/2022/96 |
Modification in Cyber Security and Cyber resilience framework of Qualified Registrars to an Issue and Share Transfer Agents (QRTAs) |
|
SEBI/HO/MIRSD/TPD/P/CIR/2022/95 |
Modification in Cyber Security and Cyber resilience framework of KYC Registration Agencies (KRAs) |
|
SEBI/HO/MIRSD/TPD/P/CIR/2022/93 |
Modification in Cyber Security and Cyber resilience framework for Stock Brokers / Depository Participants |
|
SEBI/HO/IMD/IMD-I/DOF2/P/CIR/2022/81 |
Circular on Modification in Cyber Security and Cyber Resilience Framework of Mutual Funds/ Asset Management Companies (AMCs) |
|
SEBI/HO/MIRSD/TPD/P/CIR/2022/80 |
Modification in Cyber Security and Cyber resilience framework for Stock Brokers / Depository Participants |
|
SEBI/HO/MIRSD/DoP/P/CIR/2022/74 |
Modification in Cyber Security and Cyber resilience framework of KYC Registration Agencies (KRAs) |
|
SEBI/HO/MIRSD/MIRSD_RTAMB/P/CIR/2022/73 |
Modification in Cyber Security and Cyber resilience framework of Qualified Registrars to an Issue and Share Transfer Agents (“QRTAs”) |
|
SEBI/HO/MRD1/MRD1_DTCS/P/CIR/2022/68 |
Modification in Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories |
|
SEBI/HO/MRD2/DCAP/CIR/P/227 |
Outsourcing of activities, Business Continuity Plan and Disaster Recovery, and Cyber Security and Cyber Resilience framework – Limited Purpose Clearing Corporation |
|
SEBI/HO/MIRSD/DOP/CIR/P/2019/109 |
Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants – Clarifications |
|
SEBI/HO/MIRSD/DOP/CIR/P/2019/111 |
Cyber Security & Cyber Resilience framework for KYC Registration Agencies |
|
SEBI/HO/MIRSD/DOP/CIR/P/2019/110 |
Cyber Security & Cyber Resilience framework for Qualified Registrars to an Issue / Share Transfer Agents |
|
CIR/HO/MIRSD/DOS2/CIR/PB/2019/038 |
Clarification on Cyber Security & Cyber Resilience Circular |
|
SEBI/HO/IMD/DF2/CIR/P/2019/12 |
Cyber Security and Cyber Resilience framework for Mutual Funds / Asset Management Companies (AMCs) |
|
CIR/MRD/CSC/148/2018 |
Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories |
|
SEBI/HO/MIRSD/CIR/PB/2018/147 |
Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants – Clarifications |
|
SEBI/HO/MIRSD/CIR/P/2017/0000000100 |
Cyber Security and Cyber Resilience framework for Registrars to an Issue / Share Transfer Agents |
|
SEBI/HO/CDMRD/DEICE/CIR/P/2016/0000000044 |
Cyber Security and Cyber Resilience framework of National Commodity Derivatives Exchanges |
|
CIR/MRD/DP/13/2015 |
Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporation and Depositories |
Who all are Involved?
Stockbrokers
Depositories
Wealth Management
Asset Management
Mutual Funds
Trustee Companies
Asset Management Company
Association of Mutual Funds in India
Methodology
The Purpose of the Audit is to pick out the discrepancies or inadequacies of the system, if any, by the compliance desiderata and the consequences of such hiatuses. The checklist, also known as the Cyber Resilience Framework checklist, highlights several domains that must be taken into consideration while auditing the Stock Market, Exchanges Depositories and Intermediaries.
The circulars are as follows:
-
SEBI/HO/MIRSD/CIR/PB/2018/147 – for stockbrokers and depositories
-
CIR/MRD/CSC/148/2018- for Stock Exchanges, Clearing Corporations and Depositories
-
SEBI/HO/IMD/DF2/CIR/P/2019/12- for Asset Management Companies or Mutual Funds
Our Approach
Our cyber security approach prioritizes a layered, proactive defense strategy encompassing robust network security, vigilant endpoint protection, strict access controls, regular vulnerability assessments, employee security awareness training, and a rapid incident response plan, ensuring the protection of sensitive data and systems against evolving cyber threats by focusing on the “people, process, and technology” pillars.
Scope Drafting
Creating an Audit Plan
Finalizing the Audit Schedule
Auditing
Report and Attestation
Scope Drafting
Finally, all the information and understandings are compiled in a well-documented scope, determining the boundaries and applicability of the SEBI Cyber Resilience audit, referring to the pain point and the requirements of the stakeholders. The Scope encompasses the work systems, number of departments and location of the organization.
Creating an Audit Plan
Once the scope, objective and criteria for the audit have been defined, the board members must draft an audit plan. The board members (auditee) along with auditors should streamline the nature, timing and extent of tests of controls and substantive procedures, along with examining the network security measures.
Finalizing the Audit Schedule
After defining what and what not has to be audited, a proper audit schedule must be published with the approval of both parties. The audit schedule includes a proper timeline suggesting which departments must be audited within a time range.
Auditing
Once the audit schedule is published, the auditors will examine the pre-implemented documents and controls in the auditee’s organization. The purpose of the audit is to determine if there are any discrepancies or certain observations in the depository’s organization.
Report and Attestation
After conducting the audit, the auditing body will nail down their observations, areas of improvement, and minor and significant Non-conformities against the departments which were being audited. All of these observations will be further compiled in a summary report along with the standard checklist that had been followed.
FAQ's
What is the mandate for Market Infrastructure Institutions (MII) by SEBI?
According to circular no. CIR/MRD/CSC/148/2018, SEBI has mandated all Market Infrastructure Institutions (MIIs) to have Cyber Security Operation Center (C-SOC) serving throughout, manned by professional security analysts to identify, monitor, and rectify the threats.
What is a necessity as per circular no. SEBI/HO/IMD/DF2/CIR/P/2019/12 for a new system?
There is a mandate for all the Mutual Funds and AMCs to conduct VAPT for the new systems before deploying them for the needful.
What constitutes Critical Assets as per SEBI Cyber Resilience Framework?
Data encompassing Sensitive Personal Data, Personally Identifiable Information, Sensitive Financial Data and Business Critical Systems are critical assets as per SEBI Cyber Resilience Framework.