The Securities and Exchange Board of India on 5th July 2022, has directed the KYC registration agencies (KRA) to report all the Cyber-attacks, threats, cyber-incidents and breaches experienced by them to SEBI within 6 hours of noticing/detecting such incidents or being brought to notice about such incidents.
The incident shall also be reported to Indian Computer Emergency Response team (CERT-In) in accordance with the guidelines/directions issued by CERT-In from time to time. Additionally, the KRAs, whose systems have been identified as “Protected system” by National Critical Information Infrastructure Protection Centre (NCIIPC) shall also report the incident to NCIIPC.
Further, a quarterly report containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by KRAs and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs/ vulnerabilities/threats that may be useful for other KRAs shall be submitted to SEBI within 15 days from the quarter ended June, September, December and March of every year. The above information shall be shared through the dedicated e-mail id: kra@sebi.gov.in.
