Market infrastructure institutions (MIIs)– stock exchanges, clearing corporations and depositories — are required to conduct a comprehensive cyber audit at least two times in a financial year.
Along with this cyber audit report, all MIIs have been directed by Sebi to submit a declaration of compliance from their MD or CEO certifying that comprehensive processes, including suitable incentive or disincentive structures, have been put in place for identification as well as closure of vulnerabilities in the organisation’s IT systems.
Also, they need to certify that adequate resources have been hired for staffing their Security Operations Center (SOC) and there is compliance by the MII with all Sebi circulars and advisories related to cyber security.
Further, MIIs, whose systems have been identified as ‘critical information infrastructure’ by National Critical Information Infrastructure Protection Centre (NCIIPC), have been mandated to send regular updates of the vulnerabilities found in their respective “protected systems” to NCIIPC.
MIIs have been directed to communicate the status of the implementation of the new guidelines to Sebi within 30 days.