Sebi this week asked large registrars and share transfer agents to put in place a robust cyber security framework, including strict management of outsourced staff who have authorized access to significant systems.
The regulator's move comes at a time of increasing cyber attacks; recently, exchanges have also warned of malware and ransomware. In the circular on “Cyber Security and Cyber Resilience framework for Registrars to an Issue/Share Transfer Agents” (RTAs), Sebi said that the policy in this regard must be accepted by the respective boards.
The framework applies to RTAs handling more than 2 crore folios; such bodies are also termed QRTAs (Qualified RTAs). They have been asked to put the necessary systems in place by December 1, 2017, as per the regulator. Sebi's High Powered Steering Committee (Cyber Security) has decided that the cyber security framework approved in July 2015 should largely apply to QRTAs.
“Outsourced staff and employees such as workers of service providers or vendors, who may be given authorized access to the networks, critical systems, and other computer resources of QRTA, must be issued to strict monitoring, supervision, and access limitations,” the circular said. Besides yearly audits of their networks, QRTAs have been asked to make sure that appropriate alerts are generated when unusual online transactions or abnormal or unauthorized system activities are detected.
The audit report, together with feedback from the QRTA's panel, has to be presented to Sebi within 3 months from the end of the fiscal year. “No individual by asset of position or rank must have any inherent right to authorize applications, confidential data, facilities, or system resources,” Sebi said. To ensure a sturdy cyber security framework, the regulator has said that QRTAs must also devise a rule to control the use of the Internet and Internet-based services, including cloud-based Internet storage sites and social media sites.
“Appropriate end of life system must be accepted to disable access privileges of consumers who are leaving the organization or whose access rights have been introverted,” the circular said.