Securities and Exchange Board of India

29.08.2023

Capital Market

Guidelines for MIIs Regarding Cyber Security and Cyber Resilience

MANU/SSMD/0036/2023

1. Market Infrastructure Institutions (i.e. Stock Exchanges, Clearing Corporations and Depositories) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market. As part of the operational risk management, these Market Infrastructure Institutions (MIIs) need to have robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in securities market. It is also important that MIIs establish and continuously improve their Information Technology (IT) processes and controls to preserve confidentiality, integrity and availability of data and IT systems.

2. With the change in market dynamics in the Indian Securities markets, the interdependence among the MIIs has seen significant increase. Considering the interconnectedness and interdependency of the MIIs to carry out their functions, the cyber risk of any given MII is no longer limited to the Mil's owned or controlled systems, networks and assets.

3. In view of the above, based on the recommendations of the High Powered Steering Committee on Cyber Security of SEBI and in consultation with MIIs, it has been decided to issue guidelines for strengthening the existing cyber security and cyber resilience framework of MIIs. The said guidelines are placed at Annexure-A and MIIs are required to comply with the same.

4. These guidelines should be read in conjunction with the applicable SEBI circulars (including but not limited to that relating to Cybersecurity and Cyber Resilience framework, System and Network Audit framework, etc.) and subsequent updates issued by SEBI from time to time.

5. The compliance of the guidelines shall be provided by the MIIs along with their cybersecurity audit report (conducted as per the applicable SEBI Cybersecurity and Cyber Resilience framework). The compliance shall be submitted as per the existing reporting mechanism.

6. The provisions of the Circular shall come into force with immediate effect.

7. MIIs are required to take necessary steps to put in place systems for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any, within 120 days from the date of the circular.

8. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 , read with Regulation 51 of the Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018 and Section 19 of the Depositories Act, 1996 read with Regulation 97 of Securities and Exchange Board of India (Depositories and Participants) Regulations, 2018 to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.

9. The circular is issued with the approval of Competent Authority.

Tags : Guidelines Cyber Security Cyber Resilience

Share :