NOTICES
Notice No.: 20250108-42
Notice Date: 08 Jan 2025
Category: Compliance
Segment: General
Subject: Standard Operating Procedure (SOP) for handling Cyber Security Incidents
Attachments: Annexure C.pdf; Annexure B.pdf; Annexure A.pdf

To All Members,

This is with reference to the SEBI circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024, regarding the Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs), and to Exchange notice 20210430-20 dated April 30, 2021, regarding the Cyber Security Advisory – Standard Operating Procedure (SOP) for handling Cyber Security Incidents.

In view of the SEBI Cybersecurity and Cyber Resilience Framework, the Standard Operating Procedure (SOP) for handling Cyber Security incidents has been updated in co-ordination with the other Exchanges and Depositories. The updated SOP is attached as Annexure A.

REs/Members/Depository Participants (DPs) shall report any cyber security incident within 6 hours of noticing/detecting such an incident or being brought to notice of it. If the RE/Member/DP is unable to submit the cyber security incident report on the SEBI/Exchange/Depository portal, it may report the incident over email, in the prescribed format, to the common group email ID specified by SEBI/Market Infrastructure Institutions (MIIs), so as to ensure adherence to the prescribed 6-hour timeline. Further, the Exchanges/Depositories may take/implement precautionary containment measures/actions to prevent any lateral movement of the threat/malware to the Exchanges/Depositories or to other Trading Member networks through Exchange/Depository connectivity. The following precautionary measures/actions may be taken based on the classification/severity of the reported cyber incident, as defined/explained in Annexure A.

Precautionary Measure/Action:

The connectivity between the RE/Trading Member/DP and the Exchanges/Depositories (COLO/POP/SFTP/API) shall be kept disabled in case of CRITICAL or HIGH severity cyber incidents.

The connectivity shall be restored ONLY once the RE/Member/DP submits an “Immediate Mitigation Measure Report” certified by a CERT-In empanelled Auditor, which shall certify that “the Risk with respect to the reported Cyber security Incident has been completely mitigated and there is NO potential for any lateral movement of the threat/malware to the Exchange/Depository or to other Trading Member networks through Exchange/Depository connectivity of the Trading Member.”

The timelines applicable for the following post-incident reports/submissions by REs/Members/DPs to SEBI/Exchange/Depository shall be as under:

Table 1

Sr. No. | Name of the Report / Activity | Timeline for Submission
--------|-------------------------------|------------------------
1 | Submission of Cyber Incident reporting (Immediate Submission) | Within 6 hours
2 | Immediate Mitigation Measure Report | On same day
3 | Interim Report* | T#+3 Days
4 | Mitigation Measure Report** | T#+7 Days
5 | Root Cause Analysis (RCA)*** report along with recommendations from Technology Committee of the RE | T#+30 Days##
6 | Forensic Audit Report (on the incident) and its closure report**** | Refer clause Forensic Investigation/ Audit given below****
7 | Vulnerability Assessment and Penetration Testing (VAPT) for cyber incident and its closure reports | T#+45 days
8 | Any other report advised by Exchange/Depository/SEBI | To be submitted as per timelines advised by Exchange/Depository/SEBI
# T day refers to the day of noticing/detecting such incidents or being brought to notice about such incidents.

## Additional time may be granted by SEBI/MIIs for the submission of the RCA on a case-by-case basis, on request of the RE, taking into account the complexity and nature of the incident(s). This shall be an exception rather than the rule.

* The interim report must contain, inter alia, the following: details of the incident including time of occurrence, information regarding affected processes/systems/network/services, severity of the incident, and the steps taken to initiate the process of response and recovery.

** The Mitigation Measure Report shall describe the immediate action taken by the Member/DP upon noticing/detecting such incidents or being brought to notice about such incidents.

*** The RCA report should, inter alia, include the exact cause of the incident (including the root cause from vendor(s), if applicable), the exact timeline and chronology of the incident, details of impacted processes/systems/network/services, details of corrective/preventive measures taken (or to be taken) by the entity along with timelines, and any other aspect relevant to the incident. Additionally, it should also include the time when operations/functions/services were restored and, in the event of a disaster, the time when the disaster was declared.

**** Forensic Investigation/Audit

1. For all incidents classified as High or Critical, the RE shall submit a forensic audit/investigation report.

2. For incidents classified as Low or Medium, a forensic report shall be submitted if the RCA is inconclusive or if SEBI/the MII directs the same.

3. After the completion of the forensic audit, the RE shall submit a final closure report, which shall include the root cause of the incident, its impact and the measures to prevent recurrence. The timeline for submission of the reports (including closure reports) shall be decided based on discussion with all stakeholders. However, the maximum period for the submission of the forensic audit report shall be 75 days from the date of reporting of the incident. In case the report is not submitted by the RE within the prescribed timeline, appropriate regulatory action may be taken.

4. For all the issues/observations submitted in the forensic report, the RE shall provide a timeline for fixing the same. This timeline shall be submitted along with the forensic investigation/audit report. Once the issues are resolved, the RE shall file a closure report for the same after review (of the report) by the respective IT Committee for REs.

5. In case the issues are not fixed within the prescribed timeline, appropriate regulatory action may be taken as deemed fit depending on the nature of the incident.

The penalty framework applicable in case of delay/non-submission of the Immediate Cyber Incident report, Mitigation Report, RCA, VAPT Report and Forensic Audit Report, as stated in Table 1 above, is provided in Annexure B.

In addition to the above, considering the severity of the cyber security incident (viz. Critical/High/Medium), the number of active clients with the said Member/RE (viz. equal to or greater than 50,000 active UCC clients as on March 31) and such other parameters as defined from time to time, the matter may be placed before the Joint/Relevant Committee of the Exchange(s)/Depositories. The penalty framework applicable based on the review of cyber security incidents by the Joint/Relevant Committee of the Exchange(s)/Depositories is attached as Annexure C.

The provisions of this SOP/Circular shall be applicable to all cyber incidents reported from January 20, 2025, onwards.

Members are advised to take note and ensure compliance with the above regulatory requirements.

For and on behalf of BSE Ltd.

Devendra Kulkarni

Additional General Manager

Member Oversight
