Regulator Securities and Exchange Board of India (SEBI) has issued a comprehensive cyber security framework for Stock Brokers and Depository Participants amid rising concerns about data breaches and cyber attacks. The guidelines annexed to this circular will take effect from April 1, 2019. The framework has been devised in view of the rapid technological advancement in the securities market, which creates the need for a robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy. All stock brokers and depository participants would be required to comply with the framework. Cyber resilience is an organization’s ability to prepare for and respond to a cyber attack, to continue operating during a cyber attack, and to recover from it.
Key highlights of the guidelines in the SEBI circular
- As part of operational risk management, to manage the risk to systems, networks and databases from cyber attacks and threats, stock brokers and depository participants should formulate a comprehensive cyber security and cyber resilience policy document encompassing the framework. In case of deviations from the suggested framework, the reasons for such deviations, technical or otherwise, should be provided in the policy document.
- The policy should be approved by the Boards/Partners/Depository Participants/Proprietor of the stock brokers and will be reviewed annually with the aim of strengthening and improving the cyber security and cyber resilience framework. As per the guidelines, stock brokers and depository participants should have a designated senior official or management personnel whose function would be to assess, identify and reduce security and cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security policy.
- The designated officer and the technology committee of the stock brokers and depository participants should periodically review instances of cyber attacks, if any, domestically or globally, and take steps to strengthen the cyber security and cyber resilience framework. The guidelines further state that no person, by virtue of rank or position, should have an intrinsic right to access confidential data, applications, system resources or facilities. As per the guidelines, all critical systems of Stock Brokers & Depository Participants that are accessible over the internet should have two-factor security (such as VPNs and firewall controls, etc.).
- Further, the guidelines state that brokers and depository participants need to ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes; the circular also directs that such logs be stored in a secure location for at least 2 years. Stock Brokers & Depository Participants should deploy controls and security measures to supervise staff with elevated system access entitlements to their critical systems.
- Physical access to the critical systems should be restricted to a minimum and only to authorized officials. For algorithmic trading facilities, adequate measures should be taken to isolate and secure the perimeter and the connectivity to servers running algorithmic trading applications. Critical data must be identified and encrypted in motion and at rest using strong encryption methods, the guidelines state.
- Stock Brokers & Depository Participants should only deploy hardened hardware/software, including replacing default passwords with strong passwords and disabling services identified as unnecessary for the functioning of the system.
- Stock Brokers & Depository Participants should perform rigorous testing of security patches and updates. The security logs of systems, applications and network devices exposed to the internet should also be monitored for anomalies.
- The circular also states that, to ensure high resilience, high availability and timely detection of attacks on systems and networks exposed to the internet, Stock Brokers & Depository Participants should implement suitable mechanisms to monitor capacity utilization of their critical systems and networks that are exposed to the internet, for example controls such as firewalls that monitor bandwidth usage. For applications carrying sensitive data that are served as web pages over the internet, a valid, properly configured TLS (SSL) certificate on the web server is mandatory, so that the transport channel is HTTPS. The circular also calls for the implementation of strict data access controls among personnel, irrespective of their responsibilities, technical or otherwise.