Cyber Security & Cyber Resilience framework for KYC Registration Agencies

..... e clients in the securities market, it is desirable that KRAs have a robust Cyber Security and Cyber Resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market.

4. In view of the above, SEBI's High Powered Steering Committee - Cyber Security decided that the framework on Cyber Security and Cyber Resilience be made applicable to KRAs. The framework placed at Annexure A would be required to be complied with by the KRAs with regard to Cyber Security and Cyber Resilience. KRAs are directed to take the necessary steps to put in place systems for implementation of this circular by January 01, 2020.

5. This circular is being issued in exercise of the powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

Yours faithfully
D Rajesh Kumar
General Manager
Market Intermediaries Regulation and Supervision Department

Annexure - A

1. Cyber attacks and threats attempt to compromise the Confidentiality, Integrity and Availability (CIA) of the computer systems .....

..... sequent revisions, if any, from time to time.

6. KRAs should designate a senior official as Chief Information Security Officer (CISO), whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security and resilience policy approved by the Board of the KRA.

7. The Board of the KRAs shall constitute a Technology Committee comprising experts proficient in technology. This Technology Committee should, on a quarterly basis, review the implementation of the Cyber Security and Cyber Resilience policy approved by their Board. Such review should include a review of their current IT and Cyber Security and Cyber Resilience capabilities, set goals for a target level of cyber resilience, and establish a plan to improve and strengthen Cyber Security and Cyber Resilience. The review shall be placed before the Board of the KRAs for appropriate action.

8. KRAs should establish a reporting procedure to facilitate communication of unusual activities and events to the CISO or to senior management in a timely manner.

..... than two (2) years.

18. KRAs should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures should, inter alia, include restricting the number of privileged users, periodic review of privileged users' activities, disallowing privileged users from accessing the system logs in which their activities are captured, strong controls over remote access by privileged users, etc.

19. Account lockout policies after failed log-in attempts should be implemented for all accounts.

20. Employees and outsourced staff such as employees of vendors or service providers, who may be given authorised access to the KRA's critical systems, networks and other computer resources, should be subject to stringent supervision, monitoring and access restrictions.

21. Two-factor authentication at log-in should be implemented for all users that connect using an online/internet facility.

22. KRAs should formulate an Internet access policy to monitor and regulate the use of the internet and internet-based services such as social media sites, cloud-based internet storage sites, etc.

23. Proper 'en .....

..... esses.

Hardening of Hardware and Software

34. Only hardened and vetted hardware / software should be deployed by the KRAs. During the hardening process, KRAs should, inter alia, ensure that default passwords are replaced with strong passwords and that all unnecessary services are removed or disabled in equipment / software.

35. All open ports which are not in use, or which could potentially be used for exfiltration of data or exploitation, should be blocked. The remaining open ports should be monitored and appropriate measures should be taken to secure them.

Application Security and Testing

36. KRAs should ensure that regression testing is undertaken before a new or modified system is implemented. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions.

Patch Management

37. KRAs should establish patch management procedures that include the identification, categorisation and prioritisation of security patches. An implementation timeframe for each category of security patches should be established so that security patches are applied in a timely manner.

38. KRAs should perform rigorous testing of securi .....

..... its effect and eradicate the incident.

47. The response and recovery plan of the KRAs should aim at timely restoration of systems affected by incidents of cyber attacks or breaches. KRAs should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012, as amended from time to time.

48. The response plan should define the responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber attacks or a breach of the cyber security mechanism.

49. Any incident of loss or destruction of data or systems should be thoroughly analysed, and lessons learned from such incidents should be incorporated to strengthen the security mechanism and improve recovery planning and processes.

50. KRAs should also conduct suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan.

Sharing of information

51. Quarterly reports containing information on cyber attacks and threats experienced by KRAs and measures taken to mitigate vulnerabilities, threats and attacks, including information on bu .....
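Items 34 and 35 of the Annexure require unused listening ports to be blocked and the remaining ones to be monitored, but the circular does not say how a KRA should verify this on a host. The following is an added example, not part of the SEBI circular, of the kind of check an operations team can run on a Linux server: it parses the output of `ss -tlnp` into listening sockets and compares each against an allowlist that states which process may own a port and whether the service may listen on all interfaces or only on loopback. The allowlist, the service names and the `ss` sample below are constructed for illustration; a real deployment would substitute its own approved services.

```python
import re
import subprocess
from dataclasses import dataclass

# Constructed sample in the format printed by `ss -tlnp` on Linux. The ports,
# PIDs and processes are illustrative and not taken from any real system.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       128     [::]:22             [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       511     *:443               *:*                users:(("nginx",pid=1330,fd=6))
LISTEN  0       4096    127.0.0.1:5432      0.0.0.0:*          users:(("postgres",pid=1201,fd=5))
LISTEN  0       511     0.0.0.0:6379        0.0.0.0:*          users:(("redis-server",pid=1510,fd=7))
LISTEN  0       50      0.0.0.0:3306        0.0.0.0:*          users:(("mysqld",pid=1400,fd=21))
LISTEN  0       128     0.0.0.0:111         0.0.0.0:*          users:(("rpcbind",pid=600,fd=4))
"""

# Hypothetical allowlist: port -> (expected process name, permitted binding scope).
# "any" allows listening on all interfaces; "loopback" requires a 127.0.0.1/::1 bind.
APPROVED = {
    22: ("sshd", "any"),
    443: ("nginx", "any"),
    5432: ("postgres", "loopback"),
    6379: ("redis-server", "loopback"),
}

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}
PROCESS_RE = re.compile(r'\(\("([^"]+)"')  # first process name in users:(("name",pid=..,fd=..))


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output):
    """Turn `ss -tlnp` text into Listener records, skipping the header line."""
    listeners = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 brackets and wildcards intact: "[::]:22", "*:443"
        addr, _, port = fields[3].rpartition(":")
        match = PROCESS_RE.search(line)
        process = match.group(1) if match else "unknown"
        listeners.append(Listener(addr, int(port), process))
    return listeners


def audit(listeners, approved=APPROVED):
    """Return (category, port, process) findings for sockets that violate the allowlist.

    UNEXPECTED: port is not approved at all (block it or disable the service).
    MISMATCH:   an approved port is served by a different binary than expected.
    EXPOSED:    a loopback-only service is bound to a non-loopback address.
    """
    findings = []
    for entry in listeners:
        rule = approved.get(entry.port)
        if rule is None:
            findings.append(("UNEXPECTED", entry.port, entry.process))
            continue
        expected_process, scope = rule
        if entry.process != expected_process:
            findings.append(("MISMATCH", entry.port, entry.process))
        elif scope == "loopback" and entry.addr not in LOOPBACK_ADDRS:
            findings.append(("EXPOSED", entry.port, entry.process))
    return findings


def live_listeners():
    """Collect sockets from the local host (Linux iproute2; root needed for process names)."""
    return parse_ss(subprocess.check_output(["ss", "-tlnp"], text=True))


if __name__ == "__main__":
    # Runs offline against the constructed sample; swap in live_listeners() on a real host.
    for category, port, process in audit(parse_ss(SAMPLE_SS_OUTPUT)):
        print(f"{category:<10} port {port:<5} process {process}")
```

Against the sample, the script flags redis-server as EXPOSED (approved, but bound to 0.0.0.0 instead of loopback) and mysqld on 3306 and rpcbind on 111 as UNEXPECTED. A periodic run whose output is diffed against the previous run gives the ongoing monitoring that item 35 asks for; the allowlist itself should be version-controlled and reviewed alongside the other privileged-access controls in item 18.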