The Securities and Exchange Board of India (“SEBI”) has, in a circular dated December 3, 2018, specified the Cyber Security & Cyber Resilience framework for Stock Brokers and Depository Participants.
The framework aims to protect the interests of investors in securities, and to promote the development of, and to regulate, the securities market. The guidelines will take effect from April 1, 2019.
Background:
The recent developments in technology have impacted the securities market. There is a need for maintaining an effective cyber security and cyber resilience framework to protect data
Since stock brokers and depository participants perform significant functions in providing services to holders of securities, they must have in place a comprehensive cyber security and cyber resilience framework to perform effectively.
All Stock Brokers and Depository Participants registered with SEBI must comply with the framework. Stock Exchanges and Depositories must:
- make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the framework;
- bring the provisions of this circular to the notice of their members/participants and also disseminate the same on their websites; and
- communicate to SEBI the status of implementation of the provisions of this circular in their Monthly Report.
The framework specifies guidelines for cyber security on the following heads:
- Governance
- Identification – of critical assets and the cyber risks that they may face
- Protection – of confidential data and restriction on access
- Physical Security
- Network security management
- Data Security – identification and encryption of critical data and restriction on access
- Hardening of Hardware and Software
- Application Security in Customer Facing Applications
- Certification of off-the-shelf products
- Patch Management Procedures
- Disposal of data, systems and storage devices
- Conducting Vulnerability Assessment and Penetration Testing (VAPT)
- Security Monitoring and Detection systems
- Response and Recovery upon alerts
- Sharing of Information
- Training and Education of staff
- Systems managed by vendors
- Systems managed by MIIs (Market Infrastructure Institutions)
- Periodic Audit
Source: Securities and Exchange Board of India