SEBI requests that exchanges perform a cyber assessment twice a year.
In addition to cyber audits, exchanges must conduct periodic vulnerability assessments and penetration testing (VAPT).
According to a circular published by the Securities and Exchange Board of India (SEBI) on May 20, stock exchanges and all other market infrastructure institutions (MIIs) would be obliged to perform cyber audits twice a fiscal year. According to the circular, the MIIs “are obligated to undertake thorough cyber audit at least twice in a fiscal year.”
Along with the cyber audit reports, the market regulator requires all MIIs to submit a statement from the managing director or chief executive officer “certifying compliance by the MII with all SEBI circulars and advisories pertaining to cyber security published from time to time.”
In addition to cyber audits, the bourses must conduct periodic vulnerability assessment and penetration testing (VAPT), which includes an inspection of all critical assets and infrastructure components such as servers, networking systems, security devices, load balancers, and other IT systems, according to SEBI.
While the VAPT must be performed once every fiscal year, MIIs whose systems have been recognised as “protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC) must do the exercise twice, according to the circular.
Any weaknesses or vulnerabilities discovered during the VAPT should be “immediately addressed,” and a compliance of closure of findings should be presented to SEBI within three months of the final assessment report’s submission, it said.
The requirements set out in the circular apply “with immediate effect,” according to the regulator, which also specified that exchanges must “report the status of the execution of the requirements of this circular to SEBI within 10 days.”