SEBI issues Cyber Security & Cyber Resilience framework for Stock Brokers, Depository Participants
On December 03, the Securities and Exchange Board of India (SEBI) issued a Circular, in exercise of the powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, to the Managing Directors of all Recognized Stock Exchanges and Depositories providing them with a Cyber Security & Cyber Resilience framework in order to protect the interests of investors in securities and to promote the development of and to regulate the securities market.
Notably, the guidelines annexed with this circular shall be effective from April 1, 2019.
The Circular stated, “Rapid technological developments in securities market have highlighted the need for maintaining robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy. Since stock brokers and depository participants perform significant functions in providing services to holders of securities, it is desirable that these entities have robust cyber security and cyber resilience framework in order to provide essential facilities and perform systemically critical functions relating to securities market.”
It added, “Accordingly, after discussions with Exchanges, Depositories and Stock Brokers’ and Depository Participants’ associations, a framework on cyber security and cyber resilience has been designed. The framework would be required to be complied by all Stock Brokers and Depository Participants registered with SEBI.”
The Circular also specified the relevant functions that should be performed by the Stock Exchanges and Depositories, which are as follows:
a) make necessary amendments to the relevant byelaws, rules, and regulations for the implementation of the above direction;
b) bring the provisions of this Circular to the notice of their members/participants and also disseminate the same on their websites; and
c) communicate to SEBI, the status of implementation of the provisions of this circular in their Monthly Report.
On governance, the Circular states:
1. Cyber security framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience. Cyber Resilience is an organization’s ability to prepare and respond to a cyber-attack and to continue operation during, and recover from, a cyber-attack.
2. As part of the operational risk management framework to manage risk to systems, networks and databases from cyber-attacks and threats, Stock Brokers / Depository Participants should formulate a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned hereunder. In case of deviations from the suggested framework, reasons for such deviations, technical or otherwise, should be provided in the policy document.
The policy document should be approved by the Board / Partners / Proprietor of the Stock Broker / Depository Participants. The policy document should be reviewed by the aforementioned group at least annually with the view to strengthen and improve its Cyber Security and Cyber Resilience framework.
3. The Cyber Security Policy should include the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks and systems:
a) ‘Identify’ critical IT assets and risks associated with such assets.
b) ‘Protect’ assets by deploying suitable controls, tools and measures.
c) ‘Detect’ incidents, anomalies and attacks through appropriate monitoring tools/processes.
d) ‘Respond’ by taking immediate steps after identification of the incident, anomaly or attack.
e) ‘Recover’ from incident through incident management and other appropriate recovery mechanisms.
4. The Cyber Security Policy of Stock Brokers trading through API-based terminals / Depository Participants should consider the principles prescribed by the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO), Government of India (titled ‘Guidelines for Protection of National Critical Information Infrastructure’) and subsequent revisions, if any, from time to time.
5. Stock Brokers trading through API-based terminals / Depository Participants may refer to best practices from international standards such as ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time.
6. Stock Brokers / Depository Participants should designate a senior official or management personnel (henceforth, referred to as the “Designated Officer”) whose function would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.
7. The Board / Partners / Proprietor of the Stock Brokers / Depository Participants shall constitute an internal Technology Committee comprising experts. This Technology Committee should on a half yearly basis review the implementation of the Cyber Security and Cyber Resilience policy approved by their Board / Partners / Proprietor, and such review should include review of their current IT and Cyber Security and Cyber Resilience capabilities, set goals for a target level of Cyber Resilience, and establish plans to improve and strengthen Cyber Security and Cyber Resilience. The review shall be placed before the Board / Partners / Proprietor of the Stock Brokers / Depository Participants for appropriate action.
8. Stock Brokers / Depository Participants should establish a reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner.
9. The Designated Officer and the Technology Committee of the Stock Brokers / Depository Participants should periodically review instances of cyber-attacks, if any, domestically and globally, and take steps to strengthen the Cyber Security and Cyber Resilience framework.
10. Stock Brokers / Depository Participants should define the responsibilities of their employees, outsourced staff, employees of vendors, members or participants, and other entities who may have privileged access to or use the systems / networks of the Stock Brokers / Depository Participants, towards ensuring the goal of Cyber Security.
The Circular also provides details on:
• IDENTIFICATION
• PROTECTION - Access controls; Physical Security; Network Security Management; Data security; Hardening of Hardware and Software; Application Security in Customer Facing Applications; Certification of off-the-shelf products; Patch management; Disposal of data, systems, and storage devices; Vulnerability Assessment and Penetration Testing (VAPT)
• MONITORING AND DETECTION
• RESPONSE AND RECOVERY
• SHARING OF INFORMATION
• TRAINING AND EDUCATION
• SYSTEMS MANAGED BY VENDORS
• SYSTEMS MANAGED BY MIIS
• PERIODIC AUDIT
In addition, the Circular provides for the following:
• Annexure A: Illustrative Measures for Data Security on Customer Facing Applications
• Annexure B: Illustrative Measures for Data Transport Security
• Annexure C: Illustrative Measures for Application Authentication Security