The decision has been taken after discussions with market participants, the Securities and Exchange Board of India (Sebi) said in a circular.
During the meeting it was noted that compliance with cyber security guidelines may be onerous for smaller intermediaries because of a lack of knowledge about cyber security and the cost of setting up their own security operations centre.
Under the new framework, Sebi said, small intermediaries can utilise the services of a market security operations centre (SOC), which is proposed to be set up by market infrastructure institutions (MIIs) with the objective of providing cyber security solutions to such intermediaries. "The intermediaries' membership in market SOC is non-mandatory," it added.
Such a centre will be set up as a separate entity, and MIIs will have at least a 51 per cent stake in the new entity. Intermediaries that do not have the capability to set up such a centre on their own can opt for the market SOC. The market SOC would provide only the technology perspective for cyber security guidelines; the people and process perspectives of cyber security would still have to be managed by intermediaries.
The market SOC needs to ensure that intermediaries participating in the SOC adhere to minimum IT guidelines and security protocols. MIIs will carry out an audit of their market SOC activity annually and submit a report to the regulator.
MIIs have been directed to put in place appropriate systems for implementation of the guidelines within six months.
Last week, Sebi had asked MIIs (clearing corporations, depositories and exchanges) to set up a round-the-clock cyber security operation centre manned by dedicated security analysts to identify, respond to, recover from and thwart cyber attacks.