SEBI Lays Out Cyber Security Policy for Stock Exchanges, Others | NWI

To protect the securities market from cyber threats, regulator Sebi on Monday asked stock exchanges and other key entities to put in place the necessary framework to safeguard their systems, networks and databases from such attacks.

Asking all exchanges, clearing corporations and depositories to implement the necessary changes within six months, Sebi said these Market Infrastructure Institutions (MIIs) need a robust cyber security framework because they provide essential facilities and perform the systemically critical functions of trading, clearing and settlement in the securities market.

“As part of the operational risk management framework to manage risk to systems, networks and databases from cyber attacks and threats, MII should formulate a comprehensive cyber security and cyber resilience policy document” to put in place such a framework, Sebi said in a circular.

Identifying cyber crime as a major threat, Sebi Chairman U K Sinha recently said such attacks are becoming more sophisticated, and he also raised concerns about state-sponsored cyber attacks from abroad.

“We are worried over state-sponsored cyber attacks. There are worries that the vulnerabilities in markets are increasing. We need to create a framework for a future plan of action on securities market resilience,” he had said.

In Monday’s circular, Sebi also asked MIIs to restrict access to systems and data wherever necessary.

“No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.

“MII should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users),” it said.

The exchanges and other MIIs would also have to submit quarterly reports to Sebi containing information on the cyber attacks and threats they experienced and the measures taken to mitigate vulnerabilities, threats and attacks, including information on bugs, vulnerabilities and threats that may be useful to other MIIs.

Sebi also asked the MIIs to share the useful details among themselves “in masked and anonymous manner” using a mechanism to be specified by the regulator from time to time.

The regulator further asked MIIs to identify critical assets based on their sensitivity and criticality for business operations, services and data management.

“To this end, MII should maintain up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows.”

The regulator also asked MIIs to identify the cyber risks (threats and vulnerabilities) they may face, along with the likelihood of such threats and their impact on the business, and to deploy controls commensurate with the criticality.

“MII should also encourage its third-party providers, such as service providers, stock brokers, depository participants, etc to have similar standards of Information Security,” it said.

For network security, the Securities and Exchange Board of India (Sebi) asked market entities to establish baseline standards to facilitate the consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment.

It also asked market entities to restrict physical access to critical systems to a minimum.

“MII should ensure that the perimeter of the critical equipment room is physically secured and monitored by employing physical, human and procedural controls such as the use of security guards, CCTVs, card access systems, mantraps, bollards, etc. where appropriate,” it said.

The regulator said that market infrastructure entities would have to designate a senior official as Chief Information Security Officer whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures.

According to the regulator, cyber attacks and threats attempt to compromise the confidentiality, integrity and availability of the computer systems, networks and databases.