
To mitigate data breaches, Sebi issues cybersecurity framework for KYC registration agencies


Amid growing concerns over possible , markets regulator Sebi put in place a detailed framework for KYC registration agencies, requiring them to define responsibilities of employees, including outsourced staff, who have privileged access to networks. Besides, the watchdog said that no person should have any intrinsic right to access confidential data by virtue of their rank or position.

Under the new norms, effective from January 1, 2020, KYC registration agencies (KRAs) will be required to define the responsibilities of their employees, including outsourced staff, who have privileged access to the networks, the Securities and Exchange Board of India (Sebi) said in a circular.

Sebi said that rapid technological developments in securities market have highlighted the need for maintaining robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of .


A cybersecurity framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience.

“Since KRAs perform important function of maintaining KYC records of the clients in the securities market, it is desirable that KRAs have robust Cyber Security and Cyber Resilience framework in order to provide essential facilities and perform systemically critical functions relating to securities market,” Sebi noted.

Accordingly, Sebi has asked KRAs to formulate a comprehensive cybersecurity and cyber resilience policy document encompassing the framework.


The policy document should be approved by the board of KRAs and in case of deviations from the suggested framework, reasons for such deviations, technical or otherwise, should be provided in the policy document. The document should be reviewed by the board of KRAs at least annually.

KRAs will have to define the responsibilities of their employees, outsourced staff, and employees of vendors, members and other entities, who may have privileged access to the networks. Further, such staff should also be subject to stringent supervision, monitoring and access restrictions.

They need to establish a reporting procedure to facilitate communication of unusual activities and to the designated officer in a timely manner.


KRAs should establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events and timely detection of unauthorised or malicious activities, held in contractual or fiduciary capacity, by internal and external parties.

Sebi said that alerts generated from monitoring and detection systems need to be suitably investigated in order to determine activities that are to be performed to prevent expansion of such incident of cyber attack or breach, mitigate its effect and eradicate the incident.

Tech Observer Desk
Tech Observer Desk at TechObserver.in is a team of technology reporters led by a senior editor who brings latest updates and developments from the world of technology.