A TIMELINE
01 JULY 6, 2015
Provision
SEBI Circular issued - CIR/MRD/DP/13/2015:
Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories.
Analysis
SEBI prescribed a Cyber Security and Cyber Resilience Framework for Market Infrastructure Institutions (stock exchanges, clearing corporations and depositories), placing accountability for the cyber security and cyber resilience of their systems on those institutions.
02 APRIL 1, 2019
Provision
Clause inserted into the SEBI (LODR) Regulations, 2015.
21(4) The board of directors shall define the role and responsibility of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the committee and such other functions as it may deem fit (such function shall specifically cover cyber security).
Analysis
SEBI mandated the Risk Management Committee of Boards to take on primary responsibility and oversight of cybersecurity.
03 MAY 5, 2021
Provision
Clause inserted into the SEBI (LODR) Regulations, 2015.
Schedule II, Part D, (C)(1a) The role of the Risk Committee shall, inter alia, include a framework for identification of internal and external risks specifically faced by the listed entity, in particular including financial, operational, sectoral, sustainability (particularly, ESG related risks), information, cyber security risks or any other risk as may be determined by the Committee.
Analysis
SEBI mandated that the role of the Board's Risk Committee include a framework for identifying the internal and external risks the listed entity faces, with information and cyber security risks expressly named among them.
04 MAY 10, 2021
Provision
SEBI Circular issued - SEBI/HO/CFD/CMD2/P/CIR/2021/562:
Business Responsibility and Sustainability Reporting by listed entities.
The SEBI-released BRSR framework includes nine principles.
Principle 9 requires listed companies to report on the following details:
(i) Number of consumer complaints with respect to Cybersecurity
(ii) Does the entity have a framework/ policy on cyber security and risks related to data privacy? (Yes/No) If available, provide a web-link of the policy
(iii) Provide details of any corrective actions taken or underway on issues relating to cyber security and data privacy of customers.
Analysis
SEBI made cybersecurity a key agenda item to be included in Business Responsibility and Sustainability Reporting (BRSR).
05 APRIL 28, 2022
Provision
Directions issued by CERT-In (Indian Computer Emergency Response Team):
Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet.
“Any service provider, intermediary, data centre, body corporate and Government organisation shall mandatorily report cyber incidents as mentioned in Annexure I to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents”
Analysis
CERT-In, which functions under the Ministry of Electronics and Information Technology (MeitY), issued directions applicable to service providers, intermediaries, data centres, body corporates and Government organisations, requiring them to report the cyber incidents listed in Annexure I to CERT-In within 6 hours. The clock runs from the moment the incident is noticed or brought to the organisation's notice, not from when the investigation is complete.
06 FEBRUARY 22, 2023
Provision
SEBI Circular issued-SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032:
Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices.
Analysis
SEBI issued an advisory for all regulated entities on cybersecurity best practices. This includes guidance on authentication mechanisms, cloud services, audits and ISO certification, phishing and website attacks, and the role of the Chief Information Security Officer (CISO), among other key areas.
07 JULY 15, 2023
Provision
Clause inserted into the SEBI (LODR) Regulations, 2015.
27 (ba) The listed entity shall submit a quarterly compliance report on corporate governance in the format as specified by the Board from time to time to the recognised stock exchange(s) within twenty one days from the end of each quarter. Details of cyber security incidents or breaches or loss of data or documents shall be disclosed along with the report, as may be specified.
Analysis
SEBI mandated all listed entities to disclose details of cyber security incidents, breaches, or loss of data or documents to the recognised stock exchange(s) along with the quarterly corporate governance compliance report, which is due within twenty one days of the end of each quarter.
08 JUNE 27, 2024
Provision
SEBI announced the Cybersecurity and Cyber Resilience Framework (CSCRF)
CSCRF is a new framework for cyber resilience and cybersecurity for all SEBI regulated entities. It is a standards-based framework that broadly covers the five cyber resiliency goals, viz. Anticipate, Withstand, Contain, Recover and Evolve, which are adopted from the CERT-In Cyber Crisis Management Plan (CCMP) for countering cyber attacks and cyber terrorism.
Analysis
SEBI announced the Cybersecurity and Cyber Resilience Framework (CSCRF) following its consultation paper of July 4, 2023 on a consolidated framework. The framework aims to provide a single, unified structure that all SEBI regulated entities follow for their cybersecurity measures and for mitigating cyber risks and incidents.
TYPES OF CYBER SECURITY INCIDENTS MANDATORILY TO BE REPORTED TO CERT-IN:
01. Data Breach
02. Data Leak
03. Unauthorised access of IT systems/data
04. Unauthorised access to social media accounts
05. Identity Theft, spoofing and phishing attacks
06. Compromise of critical systems/information
07. Attacks through Malicious mobile Apps
08. Fake mobile Apps
09. Attacks on Applications such as E-Governance, E-Commerce etc.
10. Attacks or incidents affecting Digital Payment systems
11. Targeted scanning/probing of critical networks/systems
12. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
13. Attacks on Critical infrastructure, SCADA and operational technology systems & Wireless networks
14. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
15. Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
16. Attacks on servers such as Database, Mail and DNS and network devices such as Routers
17. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
18. Attacks or malicious/suspicious activities affecting Cloud computing systems/servers/software/applications
19. Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
20. Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning
Incidents can be reported to CERT-In by email (incident@cert-in.org.in) or by phone (1800-11-4949). Details of the methods and formats for reporting cyber security incidents are published on the CERT-In website.
Compiled by:
Board Research and Advisory Team
Institute of Directors
Bringing a Silent Revolution through the Boardroom
Institute of Directors (IOD) is an apex national association of Corporate Directors registered under India's Societies Registration Act XXI of 1860. It is currently associated with over 30,000 senior executives from Government, PSU and private organisations in India and abroad.
Owned by: Institute of Directors, India
Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.