Indian Stock Exchanges Have 6 Hours to Report Cyber Incident

SEBI Says Incidents in Protected Systems Must Also Be Reported to NCIIPC
Indian stock brokers and trading houses now come under an expansive cybersecurity incident reporting mandate requiring them to notify the Securities and Exchange Board of India within six hours of detecting an incident.
The new guidance also extends to "threats" and requires additional reporting to stock exchanges and the India Computer Emergency Response Team.
The mandate implements what's likely the world's tightest breach reporting timeline requirement, one set earlier this year by CERT-In. It came into effect on Tuesday.
The six-hour reporting mandate for stock brokers and depository participants comes into effect immediately, SEBI says.
Stock brokers or depository participants whose systems are designated as a "protected system" by the National Critical Information Infrastructure Protection Centre will be required to report the incident yet again, to the NCIIPC.
SEBI also wants market participants to submit quarterly reports containing information on cyberattacks, threats, cyber incidents and breaches to the other exchanges and depositories within 15 days of the end of every quarter.
Other Cybersecurity Posture Modifications
In earlier guidance published in June, the capital markets regulator also modified the cybersecurity and cyber resilience framework for stock brokers and depositories by asking them to classify and define their critical assets on the basis of "sensitivity and criticality."
Critical assets include systems containing sensitive personal data, particularly if connected to the internet.
Regulators also told capital market participants to conduct regular vulnerability assessments and penetration tests, or VAPT.
All stock brokers and depository participants are required to engage only with CERT-In-listed organizations for conducting penetration tests and must file a report discussing the test results within one month. The corresponding vulnerabilities must be remedied within three months of the submission of the report.
Any new system installed as a critical system or a part of the existing critical system is also required to undergo VAPT before being fully commissioned, SEBI says.
The fortified requirements also demand an annual cybersecurity audit and a declaration from company principals certifying compliance with all SEBI guidance and advisories related to cybersecurity.