Sebi's new cybersecurity guidelines: What it means and their implications

Sebi has issued guidelines to strengthen the existing cyber security and cyber resilience framework for stock exchanges and other market infrastructure institutions

Sebi, Securities and Exchange Board of India
BS Web Team New Delhi
3 min read Last Updated : Sep 06 2023 | 10:10 AM IST
Capital markets regulator Sebi has issued guidelines to strengthen the existing cyber security and cyber resilience framework for stock exchanges and other market infrastructure institutions (MIIs), which come into effect immediately.

What are the guidelines: 

Under the new guidelines, MIIs will have to maintain offline, encrypted backups of data and test these backups at least on a quarterly basis in order to ensure confidentiality, integrity and availability.

Further, they have to explore the possibility of retaining spare hardware in an isolated environment to rebuild systems in the event that starting their operations from both the Primary Data Centre (PDC) and Disaster Recovery Site (DRS) is not feasible.

MIIs should regularly conduct business continuity drills in a bid to check the readiness of the organization and the effectiveness of the existing security controls at the ground level to deal with ransomware attacks. 

MIIs are also required to conduct vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, in order to limit the attack surface.

They should also implement a cybersecurity user awareness and training programme which includes guidance on how to identify and report suspicious activity. 


What this means

"These guidelines are a measure of risk management that any organisation must regularly exercise, to address the day-by-day increasing cyber-security risks. In today’s world, everything is now dependent and inter-dependent on various information technology systems, processes and controls which are now posing grave threats to the very information that is being exchanged," said Shashank Agarwal, Advocate, Delhi HC.

One of the key aspects that SEBI has highlighted and suggested is retaining spare hardware separate from the place where all the other hardware is kept, so that when the threat comes and the existing hardware is damaged, there is a possibility of rebuilding the system with the spare hardware.

"By imposing these guidelines and enforcing them with immediate effect, SEBI acknowledges the increasing interdependence among MIIs and the potential far-reaching impact of cyber risks," said Ravi Prakash, Associate Partner, Corporate Professionals.

MIIs are required to take necessary steps to put in place systems for implementation of the circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any, within 120 days from the date of the circular.

Sebi guidelines aim to address cyber attacks on financial institutions 

"Cases like NSE Co-location scam along with NSE crash on February 2021 and March 2022 due to cyberattacks have highlighted the crucial need for robust guidelines. Furthermore, recent world history shows cyber-attacks on international financial institutions, like the Equifax breach in 2017 and the SolarWinds attack. SEBI's guidelines aim to proactively address such threats," said Prakash.

The implications of these guidelines extend beyond individual institutions. With interconnectedness among MIIs on the rise, a cyber incident in one institution could cascade across the entire financial ecosystem. The guidelines encourage MIIs to conduct rigorous business continuity drills, ensuring their readiness to handle ransomware attacks or other cyber threats.




First Published: Sep 06 2023 | 10:09 AM IST
