Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions

SEBI/HO/MIRSD2/DOR/CIR/P/2020/221

November 03, 2020

 

All Stock Brokers through exchanges

All Depository Participants through Depositories

All Merchant Bankers

All Registrar to an Issue and Share Transfer Agent

All Debenture Trustee

All Credit Rating Agencies

All Bankers to an issue

All STP Service Providers

All Approved Intermediaries

 

Dear Sir / Madam,

 

Sub: Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions

(1) The Ministry of Electronics & Information Technology, Govt. of India (MoE&IT), has informed SEBI that financial sector institutions are availing or thinking of availing Software as a Service (SaaS) based solutions for managing their Governance, Risk & Compliance (GRC) functions so as to improve their cyber security posture. As observed by MoE&IT, though SaaS may provide ease of doing business and quick turnaround, it may bring significant risk to the health of the financial sector, as many a time the risk and compliance data of the institution moves beyond the legal and jurisdictional boundary of India due to the nature of shared cloud SaaS, thereby posing risk to data safety and security.

 

(2) In this regard, the Indian Computer Emergency Response Team (CERT-in) has issued an advisory for financial sector organizations. The advisory has been forwarded to SEBI for bringing the same to the notice of financial sector organizations. The advisory is enclosed at Annexure A of this circular.

 

(3) It is advised to ensure complete protection and seamless control over the critical systems at your organizations by continuous monitoring through direct control and supervision protocol mechanisms while keeping the critical data within the legal boundary of India.

 

(4) The compliance of the advisory shall be reported in the half yearly report by stock brokers and DP to stock exchanges and depositories respectively and by direct intermediaries to SEBI with an undertaking, “Compliance of the SEBI circular for Advisory for Financial Sector Organizations regarding Software as a Service (SaaS) based solutions has been made.”

 

(5) The advisory annexed with this circular shall be effective with immediate effect.

 

(6) This circular is issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market.