Mar 31, 2023

SEBI Circular on Cybersecurity Practices

On February 23, 2023, SEBI released the Advisory for SEBI Regulated Entities (‘REs’) regarding Cybersecurity best practices (‘Circular’), in light of the increasing cybersecurity threats to the securities market and financial institutions.

The Circular lists recommendations by the Financial Computer Security Incident Response Team (‘CSIRT-Fin’) to be implemented by REs; compliance is to be reported along with their cybersecurity audit report as per the applicable SEBI Cybersecurity and Cyber Resilience framework. The requirements set out in the Circular are as follows:

i. Defined roles: Roles and responsibilities of the Chief Information Security Officer or Designated Officer and other senior personnel are to be clearly specified in the security policy of the RE;

ii. Patch Management, Vulnerability Assessment and Penetration Testing (‘VAPT’): Operating systems and applications are to be kept updated with the latest patches, virtual patching is to be set up, and regular security audits and VAPT are to be conducted with any gaps reported;

iii. Log retention: Implementation of a strong log retention policy as per applicable regulations, with log collection audits, monitoring of log events and identification of unusual patterns;

iv. Password policy / Authentication Mechanism: Conducting reviews of obsolete accounts and enabling multi-factor authentication;

v. Privilege Management: Implementing a Maker-Checker framework and zero trust models with identity verification;

vi. Cybersecurity controls: Including, but not limited to, deploying web/email filters on the network and scanning email content;

vii. Outsourced Agencies: Analysing concentration risk when outsourcing several critical services to the same vendor; and

viii. Audit and ISO certification: SEBI instructions on external audits of REs by independent auditors empanelled with CERT-In are to be complied with, ISO certification is to be obtained, and due diligence on the audit process is to be conducted.

Additional requirements include taking measures to prevent phishing and data protection breaches, strengthening cloud service security, and implementing advisories issued by CSIRT-Fin/CERT.

These are the views and opinions of the author(s) and do not necessarily reflect the views of the Firm. This article is intended for general information only and does not constitute legal or other advice and you acknowledge that there is no relationship (implied, legal or fiduciary) between you and the author/AZB. AZB does not claim that the article's content or information is accurate, correct or complete, and disclaims all liability for any loss or damage caused through error or omission.