Cyber security incidents to be reported quarterly to stock exchanges
Circular differs from the discussion in SEBI Board meeting
– Aisha Begum Ansari | corplaw@vinodkothari.com
Brief background
With business operations going digital, the threat of cyber attacks has increased considerably. Effective from April 2019, the Risk Management Committee of a listed entity was mandated by SEBI to discharge the function of laying down a framework for identifying cyber security risks. In the case of financial sector entities, the requirements laid down by the sectoral regulators are stricter and more elaborate[1].
Additionally, companies are required to report cyber security incidents to an agency called the Indian Computer Emergency Response Team (‘CERT-In’), which is established in terms of section 70B of the Information Technology Act, 2000 and comes under the Ministry of Electronics and Information Technology (‘MEITY’).
Present Circular
Since cyber security incidents are material in nature and may be relevant for investors, SEBI, vide its notification dated June 14, 2023, inserted reg. 27(2)(ba) in the Listing Regulations, mandating listed entities to disclose the details of cyber security incidents or breaches or loss of data or documents in the quarterly Corporate Governance (CG) report filed in terms of Reg. 27(2), effective from July 13, 2023. Pursuant to the same, the stock exchanges, on September 29, 2023, released a format for disclosure of cyber security incidents in the quarterly CG report, commencing from the quarter ended September 30, 2023, which covers the following:
- Confirmation on any instance of cyber security incident or breach or loss of data or documents during the quarter;
- Date of the event;
- Brief details of the event.
This article analyzes the above requirement in light of the proposal made in the consultation paper, the discussion in the SEBI Board meeting agenda and the gaps arising therefrom.