On Jan. 25, IND CDSL issued reminder on cyber security compliance.
IND CDSL reminded stock brokers as well as depository participants about the modification to the cyber security and cyber resilience framework for depository participants.
Relates to requirement for stock brokers/depository participants (DPs) to conduct vulnerability assessment and penetration testing (VAPT) at least once in a financial year.
Follows IND SEBI Jun. 2022 modifications to cyber resilience framework, see #139940.
Compliance Reminder on Reporting
Re the VAPT requirement above, DPs are required to submit VAPT report after approval from technology committee of respective DPs on/before Feb. 15, 2023 for FY 2022-23.
IND CDSL said that the manual for submission of the report is enclosed as annexure A.
Also, DPs are requested to fix all the vulnerabilities reported in the VAPT and conduct revalidation assessment and submit the report to IND CDSL on/before Mar. 31, 2023.
IND CDSL said it may be noted that the revalidation VAPT report should be submitted to IND CDSL after obtaining approval from technology committee of respective DPs.
VAPT shall be carried out and completed during the period Sep. to Nov. of every financial year.
Final report on VAPT shall be submitted to the IND CDSL within 1 month from the date of completion of VAPT after approval from technology committee of respective DPs.
Effectiveness
DPs are required to submit VAPT report on/before Feb. 15, 2023, as noted above.
Mar. 2023 Compliance of Closure of Findings
On Mar. 31, 2023, IND CDSL reminded participants to submit compliance of closure of findings identified during VAPT on or before Apr. 15, 2023, for the FY 2022-2023.
Nov. 2023 Submission of VAPT Report
On Nov. 30, 2023, IND CDSL reminded DPs to submit current financial year's VAPT report to CDSL by Dec. 31, 2023 using online portal; detailed instructions in annexure.
Feb. 2024 Compliance of Closure of Findings
On Feb. 13, 2024, IND CDSL reminded participants to submit compliance of closure of findings identified during VAPT on or before Mar. 31, 2024, for the FY 2023-2024.
Apr. 2024 Submission of Compliance
On Apr. 2, 2024, IND CDSL said DPs who have yet to submit the compliance of closure of vulnerabilities identified for 2023-2024 are requested to do so immediately.
Dec. 2024 Submission of VAPT Report
On Dec. 6, 2024, IND CDSL said VAPT for FY 2024-25 must be conducted by a CERT-In empaneled entity, and the report uploaded in PDF on Audit Web Portal by Dec. 31, 2024.
Scope includes grey box assessments, authenticated vulnerability assessments of infrastructure, external penetration testing for URLs/IPs, reviews of network architecture, firewall rule reviews, configuration audits, wireless penetration testing.
DPs must address all vulnerabilities from initial VAPT report, submit compliance within three months, and upload a CERT-In-certified revalidation report by March 31, 2025.
Failure to submit VAPT report within specified timelines will result in non-compliance.
Regulators
IND CDSL
Entity Types
B/D; Depo; Exch
Reference
Com CDSL/RISK/DP/POLCY/2024/738, 12/6/2024; Com CDSL/RISK/DP/POLCY/2024/177, 4/2/2024; Com CDSL/AUDIT/DP/POLICY/2024/91, 2/13/2024; Com CDSL/AUDIT/DP/POLICY/2023/696, 11/30/2023; Com CDSL/AUDIT/DP/POLICY/2023/202, 3/31/2023; Com CDSL/AUDIT/DP/POLICY/2023/58, 1/25/2023