Regulator Sebi Monday put in place a stricter cybersecurity framework for stock brokers and depository participants amid concerns over possible data breaches.
With the new norms, to be effective from April 2019, stock brokers and depository participants would be required to define the responsibilities of individuals, including outsourced staff, who have privileged access to the networks.
Besides, the watchdog has said that no person should have any intrinsic right to access confidential data by virtue of their rank or position.
In a circular, Sebi said that rapid technological developments in the securities market have highlighted the need for maintaining a robust cybersecurity and cyber resilience framework to protect the integrity of data and guard against breaches of privacy.
As per the regulator, a cybersecurity framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience.
Cyber resilience is an organisation's ability to prepare for and respond to such attacks, to continue operating during them, and to recover from them.
Since stock brokers and depository participants perform significant functions in providing services to holders of securities, it is desirable that these entities have a robust cybersecurity and cyber resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market, it added.
Accordingly, Sebi has asked brokers and depository participants to formulate a comprehensive cybersecurity and cyber resilience policy document encompassing the framework.
The policy document should be approved by the board or proprietor of the broker and depository participants.
In case of deviations from the suggested framework, reasons for such deviations, technical or otherwise, should be provided in the policy document.
Brokers and depository participants will have to define the responsibilities of their employees, outsourced staff, and employees of vendors, members and other entities, who may have privileged access to the networks. Further, such staff should also be subject to stringent supervision, monitoring and access restrictions.
They need to establish a reporting procedure to facilitate communication of unusual activities and events to the designated officer in a timely manner.
"No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities," the regulator noted.
In case applications are offered to customers over the internet by market infrastructure institutions (MIIs), such as NSE's NOW and BSE's BEST among others, the responsibility of ensuring cyber resilience on those applications resides with the MIIs and not with the broker or depository participant.
The cybersecurity policy of brokers trading through application programming interface (API) based terminals should consider the principles prescribed by the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO), Government of India.
Sebi said that alerts generated from monitoring and detection systems need to be suitably investigated in order to determine the activities that are to be performed to prevent expansion of such an incident of cyber attack or breach, mitigate its effect and eradicate the incident.
Disclaimer: No Business Standard Journalist was involved in creation of this content