CIR/MRD/DMS/ 03 /2014 January 21, 2014
Dear Sir/ Madam
Subject: (Information Technology) IT Governance For Depositories
1. SEBI constituted the Depository System Review Committee (DSRC) to undertake a comprehensive review of the Indian depository system. Based on the recommendations of DSRC, following guidelines are issued to strengthen the Information Technology (IT) governance framework of depositories.
2. Depositories shall formulate an IT strategy committee at the Board level of depository to provide insight and advice to the Board in various areas that may include:
a. Developments in IT from a business perspective.
b. The alignment of IT with the business direction.
c. The availability of IT resources to meet strategic objectives.
d. Competitive aspects of IT Investments.
e. Alignment of the IT architecture to the organization needs and its approval.
f. Setting priorities and milestones.
3. Depositories shall formulate an executive level IT Steering Committee to assist the IT Strategy Committee in Implementation of IT strategy. The IT steering committee shall comprise of representatives from IT, Human Resources (HR), Legal and various business functions as felt appropriate.
4. The Depositories shall formulate an IT strategy document and an Information Security policy which should be approved by the Board and reviewed annually.
5. The Depositories shall create an Office of Information Security and designate a senior official as Chief Information Security Officer (CISO) whose work would be to assess, identify and reduce information technology (IT) risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of policies and procedures.
6. SEBI has laid down Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) for stock exchange and depositories vide circular CIR/MRD/DMS/12/2012 dated April 13, 2012 and CIR/MRD/DMS//17/2012 dated June 22, 2012. In Addition to the requirements of the aforementioned circulars, depositories shall designate a senior official as the head of BCP function.
7. Depositories are directed to:
a. Take necessary step and put in place necessary systems for implementation of the above.
b. Make necessary amendments to the relevant bye-laws, rules and regulations for the implementations of the above decisions, wherever applicable.
8. This circular is being issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992 read with Sections 19 of the Depositories Act,1996 to protect the interested of investors in securities and to promote the development of, and to regulate the Securities market.
DILIP B J
Deputy General Manager
Tags: Depository System Review Committee, Exchange Board of India Act, India, Information Security, Information technology, SEBI, Securities & Exchange Board of India, Securities and Exchange Board of India Act 1992