SEBI Modifies Cybersecurity, Cyber Resilience Framework for KRAs, Mandates Cyber Audit Twice a Year

SEBI’s new framework will come into force with immediate effect, with KRAs communicating the status of the implementation within 10 days.

By Press Trust of India | Updated: 31 May 2022 14:23 IST
Highlights
  • SEBI mandated KRAs to conduct a comprehensive cyber audit
  • KRAs are required to identify and classify critical assets
  • KRAs' boards will be required to approve the list of critical systems

KRAs are required to conduct VAPT at least once in a financial year

Capital markets regulator SEBI on Monday changed the cybersecurity and the cyber resilience framework of KYC Registration Agencies (KRAs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year. Along with the cyber audit report, all KRAs have been instructed to submit a statement from the MD and CEO certifying compliance by them with all of SEBI's cybersecurity-related guidelines and notices issued periodically, according to a circular.

Under the revised framework, KRAs are required to identify and classify critical assets based on their sensitivity and criticality to business operations, services and data management.


Critical assets should include business-critical systems, internet-facing applications and systems, and systems containing sensitive data, sensitive personal data, sensitive financial data or personally identifiable information, among others. All ancillary systems used to access or communicate with critical systems, whether for operations or maintenance, must also be classified as critical systems.

In addition, each KRA's board will be required to approve the list of critical systems.


"To this end, KRA must maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows," SEBI said.

According to SEBI, KRAs must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that cover all infrastructure components and critical assets, such as servers, network systems, security devices and other IT systems. The aim is to detect security vulnerabilities in the IT environment and to evaluate the security posture of the system in depth through simulations of real attacks on its systems and networks.


In addition, the regulator said that KRAs must conduct VAPT at least once in a financial year.

However, for KRAs whose systems have been identified as a "protected system" by the National Critical Information Infrastructure Protection Center (NCIIPC), SEBI said, VAPT must be performed at least twice in a fiscal year.


Furthermore, all KRAs are required to engage only CERT-In integrated organisations to conduct VAPT.

The final report on the VAPT must be submitted to SEBI after the approval of the technology standing committee of the respective KRA, within a month from the end of the VAPT activity.

"Any gaps/vulnerabilities detected must be remedied immediately and the closure compliance of the findings identified during VAPT will be sent to SEBI within 3 months after VAPT's final report is submitted to SEBI," the regulator said.

In addition, KRAs must also perform vulnerability scans and penetration tests prior to the roll-out of a new system that is a critical system or part of an existing critical system.

The new framework will come into force with immediate effect, SEBI said, adding that all KRAs must communicate the status of the implementation of the circular to the regulator within 10 days.

