On August 24, 2023, the Securities and Exchange Board of India (SEBI) issued a circular making it mandatory for Market Infrastructure Institutions (MIIs) to conduct comprehensive cyber audits at least 2 times in a financial year. The said circular is said to come into force with immediate effect.
As per the modified framework, a declaration from the MD or CEO of the MIIs has to be submitted. This declaration should effectively certify that the institution has put in place comprehensive measures and processes including suitable incentive or disincentive structures for identification or detection and closure of vulnerabilities in its IT systems. It should also specify that adequate resources have been hired for staffing their Security Operations Center (SOC) and the MII has complied with all the circulars and advisories of SEBI regarding cyber security.
If the systems of MIIs have been identified as Critical Information Infrastructure (CII) by the National Critical Information Infrastructure Protection Centre (NCIIPC), such MIIs would be required to send regular updates or closure status of the vulnerabilities found in their “protected systems” to the said Centre.
The MIIs have been directed to communicate the status of the circular’s implementation to SEBI within 30 days.