NEW SEBI GUIDELINES ON VAPT FOR STOCK BROKERS, DEPOSITORIES, AND AMCs

 Introducing New VAPT Guidelines by SEBI

In order to help you better understand your legal and financial responsibilities, Adviacent, one of the best VAPT company in India has prepared a list of requirements for you to follow.

In an attempt to protect investors’ interests, India’s market regulator has recently released new guidelines for stock brokers, depository institutions, asset management companies, and alternative market centers.

The new regulations revise the previous SEBI/HO/MIRSD/CIR/PB/2018/147 (dated December 03, 2018) and SEBI/HO/IMD/DF2/CIR/P/2019/12 (dated January 10, 2019) released by the Board to protect investors’ interests in the securities market.

The guidelines require companies to follow a range of regulations, including a complete VAPT evaluation once a year and regular comprehensive cyber audits.

  What is SEBI?

The Securities and Exchange Board of India (SEBI) is a government body that checks securities for companies and provides regulations and rules periodically. It is the counterpart of the Securities and Exchange Commission in the united states with an objective of securing investors and promoting the development and regulation of the market.

SEBI has to keep its eyes on the whole market and make regulations, impose fines on violators and update financial developments on security breaches. It mainly focuses on three groups of the market:

• Security Enforcers, 
• Investors and 
• brokers.

What are the new SEBI Guidelines on VAPT?

 Changes made in Circular 1 (SEBI/HO/MIRSD/TPD/CIR/2022/80)

Paragraph:11

Stock Brokers / Depository Participants shall identify and classify critical assets based on their sensitivity and criticality for business operations, services, and data management. 

The critical assets shall include

• Business-critical systems, 
• internet facing applications /systems, 
• systems that contain sensitive data,
• sensitive personal data, 
• sensitive financial data, 
• Personally Identifiable Information (PII) data, etc. 
• All the ancillary systems used for accessing/communicating with critical systems either for operations or maintenance shall also be classified as critical systems. 
• The list of critical systems will be reviewed and approved by the Board/Partners/Proprietor of the stock Brokers.

• As a registered stock broker or depository participant, there must be an updated inventory of the hardware and software, information assets (internal and external), details of the network resources, connections to the network, and data flows.

Paragraph:41

This regulation requires all Stock Brokers/Depository Participants to carry out a Vulnerability Assessment and Penetration Test every year. It must cover the following areas

1. Servers, 
2. Networking systems
3. Security devices,
4. load balancers, 
5. Any IT systems being used for executing and recording the trades by Stock Brokers/Depository Participants.

Paragraph:42

• Stock Brokers / Depository Participants shall conduct VAPT at least once in a financial year.
• All stock brokers and depository participants must only work with CERT-In accredited companies to conduct VAPT.
• The final report on said VAPT shall be submitted to the Stock Exchanges / Depositories after approval from the Technology Committee of respective Stock Brokers / Depository Participants, within 1 month of completion of VAPT activity.
• Prior to commissioning a new system that is a critical system or a component of an existing critical system, stock brokers and depository participants are also required to perform vulnerability scanning and penetration testing.

Paragraph:44 

Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the Stock Exchanges/depositories within three months after the final VAPT report’s submission.

              Changes made in Circular 2 (SEBI/HO/IMD/IMD-I/DOF2/COR/2022/81) 

 Paragraph:11

• The list of crucial assets must be approved by the Trustees and the Board of the AMCs.
• Mutual Funds/AMCs are required to keep an accurate inventory of their hardware, software, and information assets (both internal and external), as well as information on their network connections, resources, and data flows.

  Paragraph:40

• VAPT must be conducted by Mutual Funds/AMCs at least once per fiscal year.
• Mutual Funds/ AMCs, whose systems have been identified as “protected systems” by National Critical Information Infrastructure Protection Centre (NCIIPC) under the Information Technology (IT) Act, 2000, VAPT shall be conducted at least twice in a financial year.

  Paragraph:41

• Any gaps or vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 months post the submission of the final VAPT report.

  Paragraph:42

• Prior to commissioning a new system, Mutual Funds/AMCs must undergo penetration testing and vulnerability scanning.

  Paragraph:51

• All cyber-attacks, threats, cyber-incidents, and breaches experienced by Mutual Funds/ AMCs shall be reported to SEBI within 6 hours of noticing/ detecting such incidents or being brought to their notice about such incidents.
• The incident shall also be reported to CERT-In in accordance with the guidelines/ directions issued by CERT-In from time to time.
• Mutual Funds/ AMCs, whose systems have been identified as “protected systems” by NCIIPC, shall also report the incident to NCIIPC. 
• The quarterly reports containing information on cyber-attacks, threats, cyber-incidents, and breaches experienced by Mutual Funds/ AMCs and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs/ vulnerabilities/ Within 15 days of the quarters ending in June, September, December, and March of each year, SEBI must receive any threats that would be helpful for other Mutual Funds or AMCs.
• The above information/ reports shall be shared through the dedicated e-mail ids: vapt_reports@sebi.gov.in and cybersecurity_amc@sebi.gov.in
• The Mutual Funds/ AMCs are mandated to conduct a comprehensive cyber audit at least 2 times in a financial year. Along with the cyber audit reports.
• All Mutual Funds/ AMCs are directed to submit a declaration from the Managing Director (MD)/ Chief Executive Officer (CEO) certifying compliance by the Mutual Funds/ AMCs with all SEBI Circulars and advisories related to cyber security from time to time.
• They are also required to take necessary steps to put in place systems for implementation of the circular, including modification of internal policies if any.
• Mutual Funds/ AMCs are required to take necessary steps to put in place systems for implementation of the circular, including modification of internal policies if any.
• The provisions of this Circular shall come into force with effect from July 15, 2022.

   How can Adviacent help you to comply with the new SEBI Guidelines?

Adviacent, an integrated solution provider of cybersecurity services, offers VAPT services in compliance with SEBI guidelines. Our committed team of experts ensures that your critical assets are kept safe with our integrated security solutions.

As affiliated with Cert-in impaneled cybersecurity solution firms, we help organizations provide secure access to their data and critical assets by employing the latest technology with our complete suite of VAPT services. Because of our strong expertise and experience in the field, Adviacent has formed a trusted relationship with CERT-In, allowing us to offer tailor-made, quality service to our clients across India. 

Through Adviacent’s complete VAPT testing, organizations can successfully detect the vulnerabilities in their critical infrastructure, and keep their critical assets secure. 

Thanks to SEBI’s new guidelines, do you think brokers and mutual funds will face fewer ambiguities? 

We want to hear your thoughts, please feel free to comment below.