MANU/SMIS/0014/2023

Ministry : Securities and Exchange Board of India

Department/Board : Information Technology Department

Circular No. : SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032

Date : 22.02.2023

To,

All Stock Exchanges
All Clearing Corporations
All Depositories
All Stock Brokers through Exchanges
All Depository Participants through Depositories
All Mutual Funds/Asset Management Companies/Trustee Companies/Boards of Trustees of Mutual Funds/Association of Mutual Funds in India (AMFI)
All KYC Registration Agencies
All Qualified Registrars to an Issue/Share Transfer Agents

Dear Sir/Madam,

Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices

1. Financial sector organizations, stock exchanges, depositories, mutual funds and other financial entities have been experiencing cyber incidents which are rapidly growing in frequency and sophistication. Considering the interconnectedness and interdependency of the financial entities to carry out their functions, the cyber risk of any given entity is no longer limited to the entity's owned or controlled systems, networks and assets.

2. Further, given the sophistication and persistence of the threat with a high level of coordination among threat actors, it is important to recognize that many traditional approaches to risk management and governance that worked in the past may not be comprehensive or agile enough to address the rapid changes in the threat environment and the pace of technological change that is redefining public and private enterprise.

3. Thus, an efficient and effective response to and recovery from a cyber-incident by REs are essential to limit any related financial stability risks. For ensuring the same, Financial Computer Security Incident Response Team (CSIRT-Fin) has provided important recommendations in its report sent to SEBI. The applicable recommendations, in the form of an advisory, are enclosed at Annexure-A of this circular.

4. This advisory should be read in conjunction with th........