KYC Registration Agencies Have To Report Cyber Attacks Within Six Hours of Detection: SEBI

Capital markets regulator Sebi on Wednesday asked Qualified Registrars to an Issue and Share Transfer Agents (QRTAs) and KYC Registration Agencies (KRAs) to report all cyber attacks, threats and breaches experienced by them within six hours of detecting such incidents.

The incident will also be reported to the Indian Computer Emergency Response Team (CERT-In) in accordance with the guidelines issued by CERT-In from time to time, the regulator said in two separate circulars.

Additionally, the QRTAs and KRAs, whose systems have been identified as ‘protected system’ by National Critical Information Infrastructure Protection Centre (NCIIPC) will also report such incidents to NCIIPC. “All cyber attacks, threats, cyber incidents and breaches experienced by QRTAs shall be reported to Sebi within six hours of noticing / detecting such incidents or being brought to notice about such incidents,” the regulator said in a circular on Wednesday.

It has issued a similar directive to KRAs.

The quarterly reports containing information on cyber attacks, threats, cyber incidents and breaches experienced by QRTAs as well as KRAs and measures taken to mitigate the vulnerabilities, including information on bugs vulnerabilities, threats that may be useful for others, will have to be submitted to Sebi within 15 days from the end of every quarter.

This information will be shared to the Securities and Exchange Board of India (Sebi) through a dedicated e-mail id. Last month, the regulator came out with a similar directive for stock brokers and depository participants.