
Introduction

The Securities and Exchange Board of India (SEBI) recently introduced an amendment to the Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2018. The amendment mainly deals with the appointment, roles and responsibilities of the Key Managerial Personnel (KMPs), namely the managing directors and the executive directors. However, the major highlight is the appointment and responsibilities of the Chief Technology Officer (CTO) and the Chief Information Security Officer (CISO), which widens the scope of KMPs. Such a step is in line with SEBI’s intent to foster cyber resilience and security across the Market Infrastructure Institutions (MIIs).

In light of technological innovation and the cyber threats arising from it, the amendment clearly reflects the regulator’s intention that the MIIs should act as the first line of defense against any risk relating to information technology and cyber security. By defining their roles and responsibilities after releasing the Cyber Security and Cyber Resilience Framework (CSCRF), the regulator has brought certainty to these offices. Even though SEBI’s intent is positive, the present framework is marred with certain drawbacks. It lacks a clear accountability framework: there should be clear responsibilities imposed, which must be checked against an established oversight mechanism. Besides this, the Indian framework separates the persons who look after the administration of the infrastructure from the ones who are responsible for the overall risk management of the MIIs, unlike other regimes where a single body looks after both.

Regulatory Framework Covering CTO and CISO

Under regulation 30B, SEBI has provided for the appointment of a CISO. Following the recommendation under the CSCRF, the CISO has been given a mandate focusing on the containment of incidents and enabling the organization to recover. The CISO has also been given a governance function, which includes standard-setting and policy implementation with respect to cyber security and information security. SEBI has clarified that the post of CISO shall be full-time. The CTO, on the other hand, is a domain-specific role, whose responsibilities extend to supervising the workflow and processes related to information technology and, at the same time, taking corrective measures. Both these officers are required to report to the ED of Vertical 1.

Under the CSCRF, the regulator provides for the appointment of an IT committee, which is responsible for reviewing cyber-related policies and their implementation, and for approving audit reports before they are submitted to the authorities.

The increasing number and complexity of cyber threats in India, which will only rise in the future, is making the existing systems redundant. The appointment of such officers has therefore become important to address the evolving threats and augment cyber and technological resilience.

Under the Securities Contracts (Regulation) Act (SCRA), three verticals are created, namely Vertical 1, 2 and 3, dealing with critical operations (infrastructure), risk and oversight, and business development respectively. After the fourth amendment, there have to be two EDs, one each for Vertical 1 and Vertical 2, and the officers in each vertical have to report to the respective ED of that vertical. The CTO and CISO are answerable to the ED of Vertical 1, while the chief risk officer is answerable to the ED of a different vertical. This is a shift from the previous practice, where they had to report directly to the MD.

However, even though the amendment provides the roles and responsibilities of these offices, it falls short of defining a clear set of accountabilities for them, despite their having been delegated a vast set of responsibilities extending from the design to the operation of infrastructure, and the formulation and implementation of the policies that are to protect important client data and let the MIIs perform their public utility service. Under the CSCRF, the MIIs are required to report incidents within 6 hours of gaining knowledge of them, and to file important details on the portal within 24 hours. They are also required to share such data with other regulated entities (REs) within 15 days. However, the framework falls short of specifying the individual liabilities of the persons delegated with these responsibilities. So even though the offices have been created and responsibilities have been piled on, any onus in case of a fallout is missing. Additionally, the expertise held by such officers, or by the board in assessing it, is left to the respective MIIs to decide upon.

As the threat from cyber-attacks could not be more imminent, preparation and adaptation to newer threats in the evolving risk paradigm are important. This will require the MIIs not only to reduce the impact of an incident but to evolve and provide satisfactory-level services thereafter. It will require a more holistic approach, which shall also take into consideration the devices and the algorithms embedded in the infrastructure.

International Frameworks

In relation to accountability, the USA’s Securities and Exchange Commission (SEC) clearly provides for disclosure of the roles and expertise possessed by the management board in dealing with cyber-related threats. This set-up helps the board act in a more engaged manner rather than as a rubber stamp. Additionally, in contrast to the internal assessment and review system in India for qualified REs, the US regime has focused on an assessment done by an objective person. The idea is clear: a minimum level of independence, where a person not involved in planning and implementing the infrastructure certifies its compatibility and provides crucial information on what is additionally required. This ultimately lends weight to the infrastructure and ensures that a proper system is in place. In India, MIIs are mandated to conduct third-party assessment of their cyber-related infrastructure on a bi-annual basis.

The European Union’s (EU) Digital Operational Resilience Act (DORA), which at its heart focuses on cyber awareness and hygiene at every level of the arrangement, imposes liability on the management bodies for risk management and cyber resilience. Article 5 of DORA provides that the management body is responsible for all the administration and risk arising from Information and Communication Technologies (ICT). It is required not only to set the policies but also to look after their proper execution through periodic reviews. Under DORA, the entities are also required to clearly delegate responsibilities to specific persons, and persons who are independent from the day-to-day functioning of the system are to be made responsible for looking after ICT risk and the system’s proper functioning.

Along the same lines, the Monetary Authority of Singapore’s Technology Risk Management framework imposes liability on the board of directors to ensure the establishment of a technology risk management framework, along with the appointment of officers with the requisite and reported qualifications. Additionally, senior management has to look after the administration of that framework. The regulation provides for three lines of defense, where the audit is performed by a person who has functional independence from administering the infrastructure and risk management.

The Accountability Gap

Under the Indian regime, both the CTO and the CISO belong to the same vertical and are answerable to the same ED. There is a possibility of a conflict of interest here, as the person responsible for the proper functioning of the infrastructure and the person responsible for the proper oversight of that infrastructure are answerable to the same person. However, by way of the amendment to the framework, the CTO and CISO now report to the same ED but are also to be present in the meetings of the Standing Committee of Technology (SCOT). SCOT has been mandated to assess the performance of the ED of this vertical. Alongside them, the Chief Risk Officer is also to attend the meeting as an invitee. The chief risk officer, who is responsible for the audit of the cyber security systems, falls outside Vertical 1 and does not report to the same ED, which serves as a marker of independence. The MD must necessarily be absent from these meetings. The EDs now report to the Governing Board.

Such a system helps reduce the control and undue influence that can be concentrated in one person. The MD still has overall authority over the operation of the MIIs, but the changes mean that the EDs will also have delegated decision-making and oversight power. It also ensures that the MIIs are able to focus on business development while at the same time having the synergy to look after risk efficiently. Since the EDs are now answerable to the Board committees, the board will have a primary view of the work performed by the various verticals instead of relying on the MD for this. But the amendment still preserves the MD’s overall operational control, and what happens when the MD and the ED disagree on an issue remains to be seen. However, the reporting structure of the ED can ensure a seamless flow of business without such conflicts and, more importantly, the ED responsible for execution will be directly answerable.

Still, the amendment fails to delineate a clear set of liabilities for such officers in case they fail to fulfil their responsibilities. At present, the accountability in case of failure is that of the organization and hence collective. There are regimes which impose liability on individuals when they fail to perform their duties. In particular, the Australian Securities and Investments Commission (ASIC) imposes duties upon entities in relation to technological resilience. There is a set of obligations imposed on the entities, and in case of a failure to abide by them, the directors or officers who were duty-bound to administer them can be held liable for failing to take due care and diligence. SEBI too had earlier imposed personal liability upon the MD and CTO for failure to make due declarations in case of incidents. However, the same was withdrawn vide an amendment to the circular, which limited liability only to the MII. Where individual responsibility is imposed, it becomes more practical for the Board to invest in cyber awareness and regular assessments from third parties, to make sure that a proper system is in place to prevent glitches and that they are properly resourced to handle such incidents, which will ultimately lead to cost efficiency. When certain responsibilities are imposed upon a person, the fear of liability could incentivize them to take reasonable steps to fulfil them.

Conclusion

The amendment brought by the regulator is a defining moment with respect to the scope of KMPs, where specialized officers have been appointed to strengthen cyber and technological resilience in the MIIs, so that the public utility of these institutions is maintained. The amendment prevents the filtering of information, so that the governing board is well informed about the organization’s risk preparedness, by diffusing the operational control previously exercised solely by the MD. The changes brought by the regulator to remove the personal liability of the officers in the name of “ease of doing business” should be reconsidered, as such liability can ultimately lead to the exercise of due care and good governance practices.

************

Author Bio: Aditya Narayan, a 4th year law student at Chanakya National Law University, Patna
