Cyber Security & Cyber Resilience framework for Stock Brokers/Depository Participants
Stock brokers and depository participants perform significant functions in providing services to holders of securities. Thus, there is a need for maintaining robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy.
A framework on cyber security and cyber resilience has been designed by SEBI, with which all Stock Brokers and Depository Participants registered with SEBI are required to comply. It has been effective since April 01, 2019, yet many have still not complied.
Confidentiality, Integrity and Availability (CIA) of data and systems are what matter; cyber-attacks and threats attempt to compromise one or more of these. A cyber security framework includes the measures, tools and processes intended to prevent cyber-attacks and improve cyber resilience. Cyber resilience is an organization's ability to prepare for and respond to a cyber-attack, to continue operating during it, and to recover from it.
What is required as a part of this framework to be undertaken by Stock Brokers/ Depository Participants?
1. Formulation of a comprehensive Cyber Security and Cyber Resilience Policy Document, approved by the Board / Partners / Proprietor of the Stock Broker / Depository Participants, and reviewed annually.
2. The Cyber Security Policy of Stock Brokers trading through API-based terminals / Depository Participants should consider the principles prescribed by the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organization (NTRO), Government of India (titled 'Guidelines for Protection of National Critical Information Infrastructure') and subsequent revisions, if any, from time to time.
3. There should be a ‘Designated Officer’ whose function would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.
4. The Board / Partners / Proprietor of the Stock Brokers / Depository Participants shall constitute an internal Technology Committee comprising experts. This Technology Committee should on a half yearly basis review the implementation of the Cyber Security and Cyber Resilience policy, among other responsibilities. The review shall be placed before the Board/ Partners/ Proprietor of the Stock Brokers / Depository Participants for appropriate action.
5. Stock Brokers/ Depository Participants should identify critical assets based on their sensitivity and criticality for business operations, services and data management.
6. Stock Brokers/ Depository Participants should deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users) to Stock Broker/ Depository Participant’s critical systems.
7. Physical access to the critical systems should be restricted to the minimum and only to authorized officials. Physical access by outsourced staff/visitors should be properly supervised by ensuring, at a minimum, that outsourced staff/visitors are accompanied at all times by authorized employees.
8. Stock Brokers/ Depository Participants should establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within their IT environment.
9. Critical data must be identified and encrypted in motion and at rest by using strong encryption methods.
10. Stock Brokers/ Depository Participants should only deploy hardened hardware/ software, including replacing default passwords with strong passwords and disabling or removing services identified as unnecessary for the functioning of the system.
11. IBTs (Internet Based Trading applications), portals containing sensitive or private information and Back-office applications (repository of financial and personal information offered by Brokers to Customers) are paramount as they carry significant attack surfaces by virtue of being available publicly over the Internet for mass use.
12. Stock Brokers/ Depository Participants should ensure that off-the-shelf products used for core business functionality (such as Back-office applications) bear Indian Common Criteria certification of Evaluation Assurance Level 4.
13. Stock Brokers/ Depository Participants should establish and ensure that the patch management procedures include the identification, categorization and prioritization of patches and updates. An implementation timeframe for each category of patches should be established to apply them in a timely manner.
14. Stock Brokers/ Depository Participants should formulate a data-disposal and data-retention policy to identify the value and lifetime of various parcels of data.
15. Stock Brokers / Depository Participants should regularly conduct vulnerability assessments and penetration tests in order to carry out an in-depth evaluation of the security posture of their systems through simulations of actual attacks on those systems and networks that are exposed to the internet.
16. Stock Brokers/ Depository Participants should implement suitable mechanisms to monitor capacity utilization of their critical systems and networks.
17. Stock Brokers/ Depository Participants should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide the relevant SEBI circular.
18. A response plan should be in place.
19. Quarterly reports containing information on cyber-attacks and threats experienced and measures taken to mitigate vulnerabilities, threats and attacks should be submitted to Stock Exchanges / Depositories.
20. Periodic audit of implementation, on an annual basis, to check compliance. The audit is to be conducted by a CERT-IN empanelled auditor, or by an independent auditor holding a CISA/CISM qualification from ISACA, a DISA qualification from ICAI, or a CISSP (Certified Information Systems Security Professional) from the International Information Systems Security Certification Consortium (commonly known as (ISC)2). The report is to be submitted to Stock Exchanges / Depositories along with the comments of the Board / Partners / Proprietor of the Stock Broker/ Depository Participant within three months of the end of the financial year.
Post Script-cum-Disclaimer: This article has been collated and prepared by Adv Reema Jain and CA Ankur Dugar, who can be contacted at +91 99532 99308/ +91 99993 40430. The entire contents of this document have been prepared based on the relevant SEBI circular and as per the information existing at the time of preparation. Although care has been taken to ensure the accuracy, completeness, and reliability of the information provided, the authors assume no responsibility therefor. Users of this information are expected to refer to the relevant existing provisions of applicable laws. The user of the information agrees that the information is not professional advice and is subject to change without notice. The authors assume no responsibility for the consequences of the use of such information. This article is not a solicitation/ advertisement of any sort.