The Securities and Exchange Board of India (SEBI) on Friday tightened norms around cyber security for Market Infrastructure Institutions (MIIs).
The regulator has mandated MIIs to conduct comprehensive cyber audits at least two times in a financial year.
Further, the Managing Directors (MD) and Chief Operating Officers (CEO) of the MIIs have been directed to submit a declaration of compliance with all circulars and advisories related to cyber security issued by Sebi from time to time.
The market regulator has also directed MIIs to report to Sebi, within 10 days, the status of implementation of the provisions of its latest circular on cyber security.
Under the modified framework, MIIs should identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
The critical assets should include business-critical systems, internet-facing applications/systems, and systems that contain sensitive data, sensitive personal data, sensitive financial data, or personally identifiable information, among others.
All ancillary systems used for accessing or communicating with critical systems, whether for operations or maintenance, should also be classified as critical systems. Further, the board of the MII will be required to approve the list of critical systems.
“To this end, MII should maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.