Date: 2022-05-20

Stock exchanges and all other market infrastructure institutions (MIIs) would be required to conduct cyber audits twice within a fiscal year, as per a circular issued by the Securities and Exchange Board of India (SEBI) on May 20.

The MIIs "are mandated to conduct comprehensive cyber audit at least two times in a financial year", the circular stated.

Along with the cyber audit reports, all MIIs are directed to submit a declaration from the managing director or chief executive officer "certifying compliance by the MII with all SEBI circulars and advisories related to cyber security issued from time to time", the market regulator added.

In addition to the cyber audits, the bourses are also required to carry out periodic vulnerability assessment and penetration testing (VAPT), which includes an inspection of all critical assets and infrastructure components like servers, networking systems, security devices, load balancers and other IT systems, SEBI said.

While the VAPT is required to be conducted once in a fiscal year, MIIs whose systems have been identified as a “protected system” by the National Critical Information Infrastructure Protection Centre (NCIIPC) would be required to undertake the exercise twice, the circular noted.

Any gaps or vulnerabilities detected during the VAPT should be "remedied on immediate basis", and confirmation that the findings have been closed should be submitted to SEBI within three months of the submission of the final assessment report, it added.

The above norms, as stated in the circular, will come into force "with immediate effect", the regulator said, adding that the exchanges are required to "communicate the status of the implementation of the provisions of this circular to SEBI within 10 days".