SEBI Enhances Market Infrastructure Requirements on Cyber Security
The requirements cover data backups, the ability to rebuild critical systems, ransomware attack drills, and cyber audits.
SEBI (Securities and Exchange Board of India) has issued new guidelines strengthening the cyber security and cyber resilience framework for market infrastructure institutions (MIIs).
In a circular on Tuesday (29 August), SEBI says the new guidelines were issued in light of a significant increase in the interdependence and interconnectedness between MIIs such as stock exchanges, clearing corporations and depositories.
The guidelines require MIIs to maintain offline, encrypted backups of data and to test these backups at least on a quarterly basis to ensure confidentiality, integrity and availability of data.
MIIs must also maintain regularly updated “gold images” of critical systems that include a preconfigured operating system and associated software applications so that systems such as virtual machines or servers can be quickly rebuilt if needed.
SEBI says MIIs should also explore the possibility of retaining spare “ready to use” hardware in an isolated environment, so that systems can be rebuilt even when operating from both the primary data centre and the disaster recovery site is not feasible.
The guidelines say MIIs should regularly conduct business continuity drills to test their readiness and the effectiveness of existing security controls, people, processes and technologies to deal with ransomware attacks.
MIIs must also conduct regular vulnerability scanning especially on internet-facing devices, implement a cybersecurity user awareness and training programme, use multi-factor authentication for “all services”, and apply the principle of “least privilege” to all systems and services.
The new guidelines come into force with immediate effect, giving MIIs 120 days for implementation.
Cyber audits
The new guidelines follow a separate SEBI circular issued on Friday (25 August) directing MIIs to conduct a comprehensive cyber audit by an independent auditor at least twice every financial year.
The audit report should cover the adequacy and effectiveness of the cyber security policies, procedures and controls implemented by the MIIs. This cyber audit report should be submitted to SEBI along with a “declaration of compliance” from the MD or CEO, certifying that processes are in place to identify and close IT system vulnerabilities and that adequate resources are in place for their security operations centre (SOC).
The circular says MIIs whose systems have been identified as ‘critical information infrastructure’ by the NCIIPC (National Critical Information Infrastructure Protection Centre) have to send regular updates of the vulnerabilities found in their ‘protected systems’ to NCIIPC.
The new circular came into force with immediate effect, giving MIIs 30 days to report to SEBI on implementation status.
Series of measures
The new guidelines and circular are among a series of measures by SEBI to strengthen the cyber resilience of the Indian capital market.
Last month, SEBI proposed the introduction of a consolidated cybersecurity and cyber resilience framework for all regulated entities. In February, the regulator also issued an advisory for regulated entities on cyber security best practices.
SEBI has also recently issued separate circulars to modify the cyber security and cyber resilience frameworks for stock brokers, KRAs (KYC Registration Agencies), share registrars and transfer agents, and asset managers.