Business Standard

SEBI releases cyber security framework for brokers, depositories

IANS  |  Mumbai 

The Securities and Exchange Board of India (SEBI) on Monday came out with a cyber security framework for stock brokers and depositories.

The guidelines would come into force on April 1, 2019, SEBI said in a circular.

"As part of the operational risk management framework to manage risk to systems, networks and databases from cyber attacks and threats, stock brokers/depository participants should formulate a comprehensive cyber security and cyber resilience policy document encompassing the framework," the circular said.

In case of deviations from the suggested framework, reasons for such deviations, technical or otherwise, should be provided in the policy document, it added.

As per the guidelines, stock brokers or depository participants should designate a or management personnel whose function would be to assess and identify cyber risks, respond to incidents, establish appropriate standards and controls.

The board or proprietors of the stock brokers or depository participants would have to constitute an internal "technology committee" comprising experts, which would, on a half-yearly basis, review the implementation of the cyber security and cyber resilience policy of the organisation.

It also said: "No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities."

Any access to systems, applications, networks, databases and so on, should be for a defined purpose and for a defined period, the regulator added.

"All critical systems of the stock broker/depository participant accessible over the Internet should have two-factor security (such as VPNs, controls etc)."

It required brokers and depositories to ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes, and ordered that logs be stored in a secure location for at least two years.

The guidelines further said that physical access to the critical systems should be restricted only to authorised officials.

For algorithmic trading facilities, SEBI ordered that adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running

"Critical data must be identified and encrypted in motion and at rest by using strong methods," the circular said.

--IANS

rrb/prs

(This story has not been edited by Business Standard staff and is auto-generated from a syndicated feed.)

First Published: Mon, December 03 2018. 21:46 IST