Tax Management India. Com
Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants

..... s been designed, which is placed at Annexure 1. The framework would be required to be complied with by all Stock Brokers and Depository Participants registered with SEBI.

4. The guidelines annexed with this circular shall be effective from April 1, 2019.

5. Stock Exchanges and Depositories shall:
a) make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction;
b) bring the provisions of this circular to the notice of their members/participants and also disseminate the same on their websites; and
c) communicate to SEBI the status of implementation of the provisions of this circular in their Monthly Report.

6. This circular is being issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

Yours faithfully
Debashis Bandyopadhyay
General Manager
Market Intermediaries Regulations and Supervision Department

Annexure 1

1. Cyber-attacks and threats attempt to compromise the Confidentiality, I .....
..... al Critical Information Infrastructure) and subsequent revisions, if any, from time to time.

5. Stock Brokers trading through API-based terminals / Depository Participants may refer to best practices from international standards like ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time.

6. Stock Brokers / Depository Participants should designate a senior official or management personnel (henceforth referred to as the "Designated Officer") whose function would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.

7. The Board / Partners / Proprietor of the Stock Brokers / Depository Participants shall constitute an internal Technology Committee comprising experts. This Technology Committee should, on a half-yearly basis, review the implementation of the Cyber Security and Cyber Resilience policy approved by their Board / Partners / Proprietor, and such review should include review of their current IT and Cyber Security and Cyber Resilience capabilities, .....
..... the period when the access is required and should be authorized using strong authentication mechanisms.

15. Stock Brokers / Depository Participants should implement an access policy which addresses strong password controls for users' access to systems, applications, networks and databases. Illustrative examples for this are given in Annexure C.

16. All critical systems of the Stock Broker / Depository Participant accessible over the internet should have two-factor security (such as VPNs, Firewall controls etc.).

17. Stock Brokers / Depository Participants should ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in a secure location for a time period not less than two (2) years.

18. Stock Brokers / Depository Participants should deploy controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users) to the Stock Broker's / Depository Participant's critical systems. Such controls and measures should inter alia include restricting the number of privileged users, periodic review of privile .....
..... rk security devices, such as firewalls, proxy servers, intrusion detection and prevention systems (IDS), to protect their IT infrastructure which is exposed to the internet from security exposures originating from internal and external sources.

28. Adequate controls must be deployed to address virus / malware / ransomware attacks. These controls may include host / network / application based IDS systems, customized kernels for Linux, anti-virus and anti-malware software etc.

Data security

29. Critical data must be identified and encrypted in motion and at rest by using strong encryption methods. Illustrative measures in this regard are given in Annexure A and B.

30. Stock Brokers / Depository Participants should implement measures to prevent unauthorized access or copying or transmission of data / information held in contractual or fiduciary capacity. It should be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. Illustrative measures to ensure security during transportation of data over the internet are given in Annexure B.

31. The information security policy should .....
..... ation and prioritization of patches and updates. An implementation timeframe for each category of patches should be established to apply them in a timely manner.

38. Stock Brokers / Depository Participants should perform rigorous testing of security patches and updates, where possible, before deployment into the production environment so as to ensure that the application of patches does not impact other systems.

Disposal of data, systems and storage devices

39. Stock Brokers / Depository Participants should frame a suitable policy for disposal of storage media and systems. The critical data / information on such devices and systems should be removed by using methods such as crypto shredding / degaussing / physical destruction as applicable.

40. Stock Brokers / Depository Participants should formulate a data-disposal and data-retention policy to identify the value and lifetime of various parcels of data.

Vulnerability Assessment and Penetration Testing (VAPT)

41. Stock Brokers / Depository Participants should regularly conduct vulnerability assessment to detect security vulnerabilities in their IT environments exposed to the internet.

42. Stock Brokers / Deposito .....
..... offering alternate services or systems to Customers. Stock Brokers / Depository Participants should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012, as amended from time to time.

49. The response plan should define responsibilities and actions to be performed by its employees and support / outsourced staff in the event of cyber-attacks or breach of the Cyber Security mechanism.

50. Any incident of loss or destruction of data or systems should be thoroughly analyzed, and lessons learned from such incidents should be incorporated to strengthen the security mechanism and improve recovery planning and processes.

51. Stock Brokers / Depository Participants should also conduct suitable periodic drills to test the adequacy and effectiveness of the aforementioned response and recovery plan.

Sharing of Information

52. Quarterly reports containing information on cyber-attacks and threats experienced by Stock Brokers / Depository Participants and measures taken to mitigate vulnerabilities, threats and attacks, including information on b .....
..... itor to check compliance with the above areas and shall submit the report to Stock Exchanges / Depositories along with the comments of the Board / Partners / Proprietor of the Stock Broker / Depository Participant within three months of the end of the financial year.

Annexure A
Illustrative Measures for Data Security on Customer Facing Applications

1. Analyse the different kinds of sensitive data shown to the Customer on the frontend application to ensure that only what is deemed absolutely necessary is transmitted and displayed.

2. Wherever possible, mask portions of sensitive data. For instance, rather than displaying the full phone number or a bank account number, display only a portion of it, enough for the Customer to identify but useless to an unscrupulous party who may covertly obtain it from the Customer's screen. For instance, if a bank account number is "123 456 789", consider displaying something akin to "XXX XXX 789" instead of the whole number. This also has the added benefit of not having to transmit the full piece of data over various networks.

3. Analyse data and databases holistically and draw out meaningful and silos (physical or vir .....
..... ate on the web server is mandatory, making the transport channel HTTP(S).

3. Avoid the use of insecure protocols such as FTP (File Transfer Protocol) that can be easily compromised with MITM attacks. Instead, adopt secure protocols such as FTP(S), SSH and VPN tunnels, RDP (with TLS) etc.

Annexure C
Illustrative Measures for Application Authentication Security

1. Any Application offered by Stock Brokers to Customers containing sensitive, private, or critical data such as IBTs, SWSTs, Back office etc. (referred to as "Application" hereafter) over the Internet should be password protected. A reasonable minimum length (and no arbitrary maximum length cap or character class requirements) should be enforced. While it is difficult to quantify "password complexity", longer passphrases have more entropy and offer better security in general. Stock Brokers should attempt to educate Customers of these best practices.

2. Passwords, security PINs etc. should never be stored in plain text and should be one-way hashed using strong cryptographic hash functions (e.g. bcrypt, PBKDF2) before being committed to storage. It is important to use one-way cryptographic hashes to en .....
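The two Annexure C points above (a length-only password policy, and one-way hashing with a strong function before storage) put into working form, as an added example that is not part of the circular. The minimum length of 12 and the PBKDF2 iteration count are assumptions chosen for illustration; PBKDF2-HMAC-SHA256 is used because it ships in the Python standard library.

```python
import base64
import hashlib
import hmac
import os

# Policy and work-factor values are assumptions for this example: the
# annexure asks only for a reasonable minimum length, no maximum cap and
# no character-class rules, and names bcrypt / PBKDF2 as suitable hashes.
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 600_000


def check_password_policy(password: str) -> bool:
    """Length is the only rule: no upper cap, no character-class checks."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: bytes = b"") -> str:
    """One-way PBKDF2-HMAC-SHA256 with a random per-record salt.

    The record carries its iteration count and salt, so the work factor
    can be raised later without invalidating records already stored.
    """
    if not check_password_policy(password):
        raise ValueError("password shorter than the minimum length")
    salt = salt or os.urandom(16)  # explicit salt only for reproducible tests
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        rounds = int(iterations)
    except ValueError:  # malformed record never verifies
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)
```

Swapping in bcrypt, the other function the annexure names, changes only the two hashing calls; the policy check and the self-describing record format stay the same.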