MIIs identified as Critical Information Infrastructure must send regular updates of the vulnerabilities found in their respective “protected systems” to NCIIPC.
The market regulator has given further directions to improve cyber security and cyber resilience of market infrastructure institutions (MIIs), and specifically for the managing director or chief executive officer of an MII.
MIIs include stock exchanges, clearing corporations and depositories.
In the latest circular, dated August 24, the Securities and Exchange Board of India (Sebi) has amended the directions given in a May 20, 2022, circular.
In the latest circular, in addition to doing cyber audit twice a year, MIIs have been directed to submit a declaration from the MD/CEO that three criteria have been satisfied. One, comprehensive measures and processes including suitable incentive/disincentive structures, have been put in place for identification/detection and closure of vulnerabilities in the organisation’s IT systems. Two, adequate resources have been hired for staffing their Security Operations Centre (SOC). Three, there is compliance by the MII with all SEBI circulars and advisories related to cyber security.
The earlier circular was more general in its instruction in saying that, along with the cyber audit reports, MIIs must submit a declaration from the MD/ CEO certifying compliance by the MII with all SEBI Circulars and advisories related to Cyber security issued from time to time.
The latest circular also said that MIIs, whose systems have been identified as Critical Information Infrastructure (CII) by National Critical Information Infrastructure Protection Centre (NCIIPC), must send regular updates/closure status of the vulnerabilities found in their respective “protected systems” to NCIIPC.
MIIs have been directed to communicate the status of the implementation of the provisions of this circular to SEBI within 30 days from the issue of the circular.
– moneycontrol