TMI Blog
Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices

..... SEBI Regulated Entities (REs) regarding Cybersecurity best practices

1. Financial sector organizations, stock exchanges, depositories, mutual funds and other financial entities have been experiencing cyber incidents which are rapidly growing in frequency and sophistication. Considering the interconnectedness and interdependency of the financial entities in carrying out their functions, the cyber risk of any given entity is no longer limited to the entity's owned or controlled systems, networks and assets.

2. Further, given the sophistication and persistence of the threat, with a high level of coordination among threat actors, it is important to recognize that many traditional approaches to risk management and governance that worked in .....

..... , and to regulate the securities market.

Yours Faithfully,
Shweta Banerjee
Deputy General Manager
Phone: 022-26449509
Email: [email protected]

Annexure-A

In view of the increasing cybersecurity threat to the securities market, SEBI Regulated Entities (REs) are advised to implement the following practices as recommended by CSIRT-Fin:

1. Roles and Responsibilities of Chief Information Security Officer (CISO)/ Designated Officer: REs are advised to define the roles and responsibilities of the Chief Information Security Officer (CISO) and other senior personnel. Reporting and compliance requirements shall be clearly specified in the security policy.

2. Measures against Phishing attacks/ websites: .....

..... dit should be resolved as per the timelines prescribed by SEBI.

4. Measures for Data Protection and Data breach:
i. REs are advised to prepare a detailed incident response plan.
ii. Enforce effective data protection, backup, and recovery measures.
iii. Encryption of data at rest should be implemented to prevent an attacker from accessing the unencrypted data.
iv. Identify and classify sensitive and Personally Identifiable Information (PII) data and apply measures for encrypting such data in transit and at rest.
v. Deploy data leakage prevention (DLP) solutions / processes.

5. Log retention: A strong log retention policy should be implemented as per extant SEBI regulations and as required by CERT-In and the IT Act 2000. .....

..... network perimeter.

8. Cybersecurity Controls:
i. Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, and block these before receiving and downloading messages. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
ii. Block malicious domains/IPs after diligently verifying them, without impacting operations. CSIRT-Fin/CERT-In advisories, which are published periodically, should be referred to for the latest malicious domains/IPs, C&C DNS and links.
iii. Restrict execution of PowerShell and wscript in the enterprise environment, if not required. Ensure installation and use of the latest version of .....

..... nted in letter and spirit by the regulated entities. Additionally, the advisories should be implemented promptly as and when received.

11. Concentration Risk on Outsourced Agencies:
i. It has been observed that single third-party vendors are providing services to multiple REs, which creates concentration risk. Although such third parties are small non-financial organizations, a cyber-attack on one of them could have systemic implications due to the high concentration risk.
ii. Thus, there is a need to identify such organizations and prescribe specific cyber security controls, including audit of their systems and protocols by independent auditors, to mitigate such concentration risk.
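As an added example (not part of the SEBI advisory or CSIRT-Fin's material), the following read-only PowerShell audit checks the host-side part of item 8(iii), whether Windows Script Host (wscript/cscript) is disabled and how PowerShell execution is restricted, together with PowerShell script block logging, which the log retention policy of item 5 depends on. The registry paths are the standard Windows policy locations; the function name is my own.

```powershell
# Added example: audit a Windows host for the item 8(iii) controls and PowerShell logging.
# Read-only: it reports findings and changes nothing. Run in an elevated session.

function Get-ScriptHostControlStatus {
    [CmdletBinding()]
    param()

    $findings = @()

    # Windows Script Host: a machine-wide Enabled=0 under this key disables wscript/cscript.
    $wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
    $wshEnabled = (Get-ItemProperty -Path $wshKey -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $wshValue = if ($null -eq $wshEnabled) { 'not set (WSH enabled by default)' } else { $wshEnabled }
    $findings += [pscustomobject]@{
        Control   = 'Windows Script Host disabled (item 8.iii)'
        Value     = $wshValue
        Compliant = ($wshEnabled -eq 0)
    }

    # Machine-scope execution policy. Restricted/AllSigned limits ad-hoc scripts, but the
    # policy is not a security boundary; application control (AppLocker/WDAC) is the stronger restriction.
    $policy = Get-ExecutionPolicy -Scope LocalMachine
    $findings += [pscustomobject]@{
        Control   = 'PowerShell execution policy (item 8.iii)'
        Value     = $policy
        Compliant = ($policy -in 'Restricted', 'AllSigned')
    }

    # Script block logging writes executed PowerShell code to the
    # Microsoft-Windows-PowerShell/Operational log (event ID 4104), which retention policy must cover.
    $sblKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = (Get-ItemProperty -Path $sblKey -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue).EnableScriptBlockLogging
    $sblValue = if ($null -eq $sbl) { 'not set (logging off)' } else { $sbl }
    $findings += [pscustomobject]@{
        Control   = 'PowerShell script block logging (supports item 5)'
        Value     = $sblValue
        Compliant = ($sbl -eq 1)
    }

    return $findings
}

Get-ScriptHostControlStatus | Format-Table -AutoSize
```

Any row with Compliant = False is a gap against the advisory to be closed through Group Policy rather than by editing the registry by hand on individual hosts.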