KYC Registration Agencies should conduct a comprehensive cyber audit at least twice in a fiscal year
Under a SEBI mandate, KYC Registration Agencies (KRAs) will have to conduct a comprehensive cyber audit at least twice in a fiscal year. They will also have to submit a statement from the Managing Director and Chief Executive Officer certifying their compliance with SEBI’s cyber-security related guidelines and notices issued periodically, SEBI said in a circular on Monday.
The new rules say that KRAs will have to identify and classify critical assets based on their sensitivity and criticality to business operations, services and data management. SEBI said the critical assets should include business-critical systems, Internet-facing applications/systems, and systems containing sensitive data, sensitive personal data, sensitive financial data and personally identifiable information data, among others. It added that all ancillary systems utilised to access or communicate with critical systems must also be classified as critical systems. The KRAs’ boards are also required to approve the list of critical systems now.
“To this end, KRA must maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” SEBI said.
Published on May 30, 2022