Sebi asks registrars to have robust cyber security framework

The regulator's move comes at a time when there are rising incidents of cyber attacks

Sebi today asked large registrars and share transfer agents to put in place a robust cyber security framework, including stringent supervision of outsourced staff having access to critical systems.

The regulator's move also comes at a time when there are rising incidents of cyber attacks and in recent times, exchanges have also warned of ransomware.

In the circular on 'Cyber Security and Cyber Resilience framework for Registrars to an Issue/ Share Transfer Agents' (RTAs), the watchdog said the policy in this regard should be approved by the respective boards.

It would be applicable for RTAs servicing more than two crore folios and such entities are also referred to as Qualified RTAs (QRTAs).

Such entities have been asked to put in place requisite systems by December 1, 2017, according to the regulator.

Sebi's High Powered Steering Committee (Cyber Security) has decided that the framework for cyber security prescribed in July 2015 should be broadly applicable to QRTAs.

"Employees and outsourced staff such as employees of vendors or service providers, who may be given authorised access to the QRTA's critical systems, networks and other computer resources, should be subject to stringent supervision, monitoring and access restrictions," the circular said.

Apart from annual audits of its systems, QRTAs have been asked to ensure that suitable alerts are generated in the event of detection of unauthorised or abnormal system activities or unusual online transactions.

The audit report, along with comments from the board of QRTA has to be submitted to Sebi within three months from the end of the financial year.

"No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities," Sebi said.

To ensure strong cyber security framework, the regulator has said QRTAs also have to formulate a policy to regulate the use of internet and internet-based services, including social media sites and cloud-based internet storage sites.

"Proper end of life mechanism should be adopted to deactivate access privileges of users who are leaving the organisation or whose access privileges have been withdrawn," the circular said.