Introducing New VAPT Guidelines by SEBI

To help you understand your legal and financial responsibilities, Adviacent, a well-known VAPT company in India, has made a list of the things you need to do.

SEBI, India's market regulator, has issued new rules to protect investors. These rules apply to stock brokers, depository institutions, asset management companies and alternative market centers.

The new rules modify the earlier circulars SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 and SEBI/HO/IMD/DF2/CIR/P/2019/12 dated January 10, 2019. SEBI issued these rules to protect investors in the securities market.

The VAPT Guidelines say that companies must do a VAPT evaluation every year and have regular cyber audits.

What is SEBI?

The Securities and Exchange Board of India, or SEBI for short, is a government body that regulates companies' securities and makes rules for the market. It does this to protect investors and help the market grow. SEBI is comparable to the Securities and Exchange Commission in the United States.

SEBI has to watch the market, make rules, punish those who break the rules and inform the public about security breaches. SEBI focuses on three groups:

1- Security Enforcers

2- Investors and

3- Brokers.

SEBI has to keep an eye on all of these groups to make sure the market is safe and secure for investors. SEBI and the VAPT Guidelines are therefore important for the securities market.


What are the new SEBI Guidelines on VAPT?

Changes made in Circular 1 (SEBI/HO/MIRSD/TPD/CIR/2022/80)


Paragraph 11

Stock Brokers / Depository Participants shall identify and classify critical assets based on their sensitivity and criticality for business operations, services, and data management.


Systems that must be tested

A system is classified as critical if it is an internet-facing application or system, or if it holds data such as:

1- personal data,

2- financial data, or

3- personally identifiable information (PII).

All the systems that help them access or communicate with these critical systems are also considered critical. The list of critical systems has to be reviewed and approved by the Board, Partners or Proprietor of the Stock Broker.

As a registered stock broker or depository participant you need to maintain an up-to-date inventory of all your hardware. You also need to list all your software and information assets, network resources, connections to the network and data flows.
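The classification rule above has two parts: a direct test (internet-facing, or holding personal, financial or PII data) and a transitive one (anything used to access or communicate with a critical system is itself critical). The script below is an added example, not code from the circular or from Adviacent; it applies both parts to a small constructed inventory. The field names (internet_facing, data_types, connects_to) and the sample asset names are assumptions made for this illustration, and the dangling-reference check is an addition that catches an inventory which references a system it never lists.

```python
"""Critical-asset classifier following the criteria summarised above.

Added example (not from the SEBI circular or from Adviacent). The record
layout and the sample inventory are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Data categories that make a system critical on their own (paragraph 11 criteria).
SENSITIVE_DATA = {"personal", "financial", "pii"}


@dataclass
class Asset:
    name: str
    internet_facing: bool = False
    data_types: Set[str] = field(default_factory=set)
    # Names of systems this asset is used to access or communicate with.
    connects_to: Set[str] = field(default_factory=set)


def directly_critical(asset: Asset) -> bool:
    """Direct criteria: internet facing, or holds personal/financial/PII data."""
    return asset.internet_facing or bool(asset.data_types & SENSITIVE_DATA)


def classify(inventory: List[Asset]) -> Dict[str, str]:
    """Return {asset name: "critical" | "non-critical"} for the whole inventory.

    Step 1 applies the direct criteria. Step 2 propagates criticality to every
    asset that connects to a critical one, repeating until nothing changes, so
    a chain such as vpn -> jump host -> order system is fully covered.
    Raises ValueError if an asset references a system missing from the list,
    because an incomplete inventory cannot be classified reliably.
    """
    by_name = {a.name: a for a in inventory}
    for a in inventory:
        missing = a.connects_to - by_name.keys()
        if missing:
            raise ValueError(f"{a.name} connects to unlisted system(s): {sorted(missing)}")

    critical = {a.name for a in inventory if directly_critical(a)}
    changed = True
    while changed:
        changed = False
        for a in inventory:
            if a.name not in critical and a.connects_to & critical:
                critical.add(a.name)
                changed = True
    return {n: ("critical" if n in critical else "non-critical") for n in by_name}


def critical_assets(inventory: List[Asset]) -> List[str]:
    """Sorted names of the assets that must be in scope for the annual VAPT."""
    return sorted(n for n, c in classify(inventory).items() if c == "critical")


def sample_inventory() -> List[Asset]:
    """Constructed sample inventory; names are hypothetical."""
    return [
        Asset("trading-web", internet_facing=True, data_types={"financial"}, connects_to={"oms"}),
        Asset("oms", data_types={"financial"}, connects_to={"db"}),
        Asset("db", data_types={"pii", "financial"}),
        Asset("jump-host", connects_to={"oms"}),          # critical only by propagation
        Asset("admin-vpn", internet_facing=True, connects_to={"jump-host"}),
        Asset("monitoring", connects_to={"db"}),          # critical only by propagation
        Asset("hr-portal", data_types={"personal"}),      # internal, but holds personal data
        Asset("wiki", data_types={"public"}, connects_to={"print-server"}),
        Asset("print-server"),
    ]


if __name__ == "__main__":
    for name, verdict in classify(sample_inventory()).items():
        print(f"{name:<14} {verdict}")
```

The output list is the minimum scope a broker or depository participant would present to the Board for approval; anything marked non-critical should still be in the hardware and software inventory, just not necessarily in the annual VAPT scope.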

Paragraph 41

All Stock Brokers and Depository Participants have to do a Vulnerability Assessment and Penetration Test every year. Along with servers, this test has to cover:

1. networking systems,
2. security devices,
3. load balancers, and
4. any other IT systems used for trading.


Areas to cover in VAPT

Paragraph 42

• Stock Brokers and Depository Participants have to do VAPT once a year. They can only engage companies empanelled by CERT-In to do this test. The final report has to be submitted to the Stock Exchanges or Depositories within a month of completing the test.
• Before they start using a new system, they have to do vulnerability scanning and penetration testing on it.

Paragraph 44

If they find any gaps or vulnerabilities, they have to fix them right away. They have to submit a report on the fixes to the Stock Exchanges or Depositories within three months of submitting the VAPT report.

Changes made in Circular 2 (SEBI/HO/IMD/IMD-I/DOF2/COR/2022/81)

Paragraph 11

• The list of assets has to be approved by the Trustees and the Board of the Asset Management Companies (AMCs).
• Mutual Funds and AMCs have to keep a list of their hardware. They also need to list their software and information assets, as well as information on their network connections, resources and data flows.

Paragraph 40

• Mutual Funds and AMCs have to do VAPT once a year. If their systems are considered "protected systems" by the National Critical Information Infrastructure Protection Centre (NCIIPC), they have to do VAPT at least twice a year.

Paragraph 41

• If they find any gaps or vulnerabilities, they have to fix them right away. They have to submit a report on the fixes to SEBI within three months of submitting the VAPT report.
• Before they start using a new system, Mutual Funds and AMCs have to do penetration testing and vulnerability scanning on it.

Paragraph 42

• Prior to commissioning a new system, Mutual Funds/AMCs must carry out penetration testing and vulnerability scanning on it.

Paragraph 51

• Mutual Funds and AMCs have to report any cyber-attacks or breaches to SEBI within six hours of noticing them. They also have to report these incidents to CERT-In. If their systems are considered "protected systems", they have to report the incident to NCIIPC as well.
• Mutual Funds and AMCs have to submit reports to SEBI with information on cyber-attacks, threats and breaches. They have to send these reports to the email IDs vapt_reports@sebi.gov.in and cybersecurity_amc@sebi.gov.in.
• Mutual Funds and AMCs have to do a cyber audit at least twice a year. They have to submit a declaration from their Managing Director or Chief Executive Officer stating that they are complying with all SEBI circulars and advisories related to security.
• They have to take steps to implement these circulars, including modifying their policies if needed. The new rules come into effect from July 15, 2022.

How can Adviacent help you to comply with the new SEBI Guidelines?

Adviacent provides cybersecurity services, including VAPT services that meet the SEBI guidelines. Our team of experts keeps your assets safe with our security solutions.
As a trusted cybersecurity solution firm, we help organizations protect their data and assets using our technology and VAPT services.
Adviacent has a relationship with CERT-In, which allows us to provide customized services to clients across India.
With Adviacent's VAPT testing, organizations can find vulnerabilities in their infrastructure and keep their assets secure.
Do you think brokers and mutual funds will face fewer ambiguities thanks to SEBI's guidelines?
We want to hear your thoughts, so please feel free to comment below about the SEBI guidelines.
Sumit Jain

Cybersecurity Expert / CEO - Adviacent Consulting Services

Sumit Jain is a leader with 18+ years of extensive experience in cybersecurity solutions and services for corporate customers across different verticals.

He founded Adviacent in 2014 with a vision to simplify technology solutions and make them sustainable for corporates. With 200+ success stories under his belt, Sumit is taking Adviacent to the next level with the goal of 600+ customers by 2024.