SEBI comes up with cyber security policy for stock exchanges, depositories and clearing corporations

Securities and Exchange Board of India (SEBI), which
established in 1988 to regulate the securities market in India, asked stock
exchanges, depositories and clearing corporations to put in place a system that
would prevent systems, networks and databases from cyber attacks and improve
its resilience.
According to a report published on LiveMint, the SEBI
said these Market Infrastructure Institutions (MIIs) need to have a robust
cyber security framework to provide essential facilities and perform
systemically critical functions of trading, clearing and settlement in
securities market.
“As part of the operational risk management framework to
manage risk to systems, networks and databases from cyber attacks and threats,
the MII should formulate a comprehensive cyber security and cyber resilience
policy document to put in place such a framework,” the SEBI said.
It is said that the SEBI also asked the MII to restrict
access controls in the time of necessary.
As per which no one will have any intrinsic right to access
confidential data, applications, system resources or facilities.
The SEBI has asked it to deploy additional controls and
security measures to supervise staff with elevated system access entitlements.
According to the news report, the SEBI Chairman UK Sinha said
that attackers are attacking in a more sophisticated manner.  
“We are worried over state-sponsored cyber attacks. There
are worries that the vulnerability in markets are increasing. We need to create
a framework for future plan of action on securities market resilience,” he added.
The exchanges and other the MIIs would also have to submit
quarterly reports to the SEBI, containing information on cyber attacks and
threats experienced by them and measures taken to mitigate vulnerabilities,
threats and attacks including information on bugs, vulnerabilities and threats
that may be useful for other the MIIs.
Along with this, the MIIs have to share the useful details
among themselves in masked and anonymous manner using a mechanism to be
specified by the regulator from time to time, to identify critical assets based
on their sensitivity and criticality for business operations, services and data
management.
Likewise, it should maintain up-to-date inventory of its
hardware and systems, software and information assets (internal and external),
details of its network resources, connections to its network and data flows.

The SEBI asked market stakeholders to establish baseline
standards to facilitate consistent application of security configurations to
operating systems, databases, network devices and enterprise mobile devices
within the IT environment and also to restrict physical access to the critical
systems to minimum. 

Leave a Reply