Shared infrastructure is also subject to checks where it is not already covered by the RBI or another regulator.
Furthermore, if regulated entities (REs) comply with cyber security rules of the RBI (or another regulator) that are equivalent to SEBI's, such compliance will be accepted by the market watchdog.
In its circular, SEBI has also clarified the definition of critical systems, which covers all systems that hold, store or transmit core business operations, client-facing applications, internet-facing systems and other systems on the same network.
REs have been asked to adopt zero-trust principles such as network segmentation, high availability and avoiding single points of failure, with the approval of their IT committees.
The regulator said that guidelines with regard to mobile applications are recommended, not mandatory, while for cyber crisis response, entities must act according to their cyber crisis management plan instead of issuing press releases. The regulator further clarified that the use of tools such as threat simulations, vulnerability management and locking systems is encouraged but not mandatory. Entities are also required to assess external/supplier risks in consultation with their IT committees.
On audit-related matters, Sebi said: "While receiving and processing cyber audit reports submitted by their members, stock exchanges shall ensure that there are sufficient safeguards to maintain the confidentiality and integrity of such reports".
In terms of disaster recovery, REs must be able to resume critical operations within two hours (recovery time objective, RTO), maintain a recovery point objective (RPO) of 15 minutes, and plan for scenarios in which these timelines are not met, Sebi said.
The regulator has also revised the thresholds and categorisation of regulated entities under the CSCRF. Portfolio managers with assets under management (AUM) of Rs 10,000 crore and above will be categorised as qualified REs, while those managing between Rs 3,000 crore and Rs 10,000 crore fall under the mid-sized RE category.
Portfolio managers with AUM of Rs 3,000 crore or lower are treated as small REs, and those below the minimum threshold can be classified as self-certification REs with simplified compliance requirements.
For merchant bankers (MBs), all active MBs will be treated as small REs for compliance purposes during the period in which they carry out merchant banking activities, while inactive MBs will be exempt from the CSCRF provisions.