SEBI has released new guidelines to reinforce the existing framework for cyber security and cyber resilience at market infrastructure institutions, including stock exchanges, clearing corporations, and depositories.
Reason for launching new guidelines
Stock exchanges, clearing organizations, and depositories are considered market infrastructure institutions by SEBI since they, among other things, offer the infrastructure required for the continuous and efficient operation of the securities market.
These market infrastructure institutions (MIIs) must have a strong cyber security framework as part of operational risk management in order to offer necessary facilities and carry out systemically important tasks related to trading, clearing, and settlement in the securities market.
According to the market regulator, it’s crucial that MIIs set up and maintain information technology (IT) processes and controls to protect the privacy, accuracy, and accessibility of data as well as IT systems.
Increase in interdependence
The interdependence among the MIIs has significantly increased as a result of the altered market dynamics in the Indian securities markets. Because the MIIs are linked and depend on one another to perform their responsibilities, the cyber risk of any one MII is no longer restricted to the systems, networks, and assets that the MII itself owns or controls. SEBI gave this as the rationale for adopting the new regulations.
SEBI’s New Guidelines
According to the new regulations, MIIs must keep offline, encrypted copies of their data and verify those backups frequently—at least once every three months—to guarantee their confidentiality, integrity, and availability.
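The backup requirement above can be turned into a routine check. The following is an added example, not code from SEBI or any MII; the manifest format, file names and dates are constructed assumptions. It verifies each offline encrypted backup for availability (the blob exists), integrity (its SHA-256 matches the digest recorded at backup time) and cadence (last verification within the three-month window).

```python
# Added example (not from the SEBI circular): verify offline encrypted backups
# for availability, integrity and the three-month verification cadence.
# Manifest format, file names and dates below are constructed assumptions.
import hashlib
import os
import tempfile
from dataclasses import dataclass
from datetime import date, timedelta

MAX_VERIFY_INTERVAL = timedelta(days=90)   # "at least once every three months"

@dataclass
class BackupRecord:
    path: str            # encrypted backup blob held on offline media
    sha256: str          # digest recorded when the backup was taken
    last_verified: date  # last successful restore/integrity check

def file_sha256(path):
    """Hash in 1 MiB chunks so large backup blobs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def check_backup(rec, today):
    """Return findings for one backup; an empty list means compliant."""
    if not os.path.exists(rec.path):
        return ["missing"]                           # availability
    findings = []
    if file_sha256(rec.path) != rec.sha256:
        findings.append("integrity-mismatch")        # integrity
    if today - rec.last_verified > MAX_VERIFY_INTERVAL:
        findings.append("verification-overdue")      # cadence
    return findings

def demo():
    """Constructed sample: one compliant, one tampered, one overdue, one lost."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "ledger-2024q1.enc")
    with open(path, "wb") as f:
        f.write(b"\x00constructed-ciphertext-bytes")
    digest, today = file_sha256(path), date(2024, 7, 1)
    records = {
        "ok": BackupRecord(path, digest, today - timedelta(days=30)),
        "tampered": BackupRecord(path, "0" * 64, today - timedelta(days=10)),
        "stale": BackupRecord(path, digest, today - timedelta(days=120)),
        "lost": BackupRecord(os.path.join(tmp, "none.enc"), digest, today),
    }
    return {name: check_backup(r, today) for name, r in records.items()}
```

In practice the digest check would be paired with a test restore from the media, since a matching hash proves the blob is intact but not that it decrypts and restores correctly.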
Critical systems must have up-to-date “gold images” maintained by MIIs in case they need to be rebuilt. This involves keeping image “templates” that may be swiftly deployed to reconstruct a system, such as a virtual machine or server, and include a preset operating system (OS) and related software applications.
In case resuming an MII's operations from both the principal data centre (PDC) and the disaster recovery site (DRS) is not practical, MIIs should investigate the feasibility of keeping spare hardware in an isolated environment to reconstruct systems.
The MIIs should also make an effort to maintain backup hardware in a usable state so that it can supply critical services. These systems must be updated whenever new updates (such as OS patches and security patches) are applied to the primary systems. This spare hardware should be tested on a regular basis in accordance with the MIIs' response and recovery plan.
Regular business continuity exercises should be conducted by MIIs to evaluate how well the organization is prepared for ransomware attacks and how well the local security policies are working. One recommended drill scenario is recovery from a ransomware attack in which both the PDC and the DRS have been affected. This would evaluate how well people, processes, and technology are able to counter such threats.
In order to reduce the attack surface, MIIs should also perform routine vulnerability scanning to find and fix vulnerabilities, particularly those on internet-facing devices.
SEBI instructed MIIs to use Multi Factor Authentication (MFA) for all services, saying that MIIs are systemically important entities as they supply the infrastructure required for the efficient operation of the securities market.
Such measures underline the importance of fortifying cyber infrastructure to shield both market participants and investors from potential risks, and SEBI’s decision to strengthen cyber security norms for stock exchanges, clearing corporations, and depositories is both timely and crucial in the face of increasing cyber threats.