The Securities and Exchange Board of India ('SEBI') published, on 22 February 2023, an advisory regarding cybersecurity best practices, addressed to SEBI regulated entities, such as financial sector organisations, stock exchanges, depositories, mutual funds, and other financial entities. In particular, the advisory explains that, given the increased frequency and sophistication of cyber incidents, an efficient and effective response and recovery programme is essential to limit any related financial stability risks.

Further to the above, the advisory recommends SEBI regulated entities to:

• define roles and responsibilities of chief information security officer and other senior personnel;
• implement measures against phishing attacks/websites;
• patch Management and Vulnerability Assessment and Penetration Testing ('VAPT');
• adopt measures for data protection and data breaches;
• implement strong log retention policies;
• implement a strong password policy and enable multi-factor authentication;
• set up a 'least privilege' approach;
• deploy cybersecurity controls;
• ensure proper security of cloud services;
• implement the Indian Computer Emergency Response Team ('CERT-In') and the Computer Security Incident Response Team-Finance Sector ('CSIRT-Fin') advisories;
• identify concentration risks in relation to vendors; and
• engage independent auditors and obtain ISO certification.

You can read the advisory here.