Central Depository Services (India) Limited (CDSL) has issued new norms to strengthen the Cyber Security & Cyber Resilience Framework for Stock Brokers / Depository Participants. Stock Brokers and Depository Participants are advised to take note of the same and ensure compliance.
According to the circular, the rapid growth of technology has compelled all enterprises to maintain a robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy.
The circular, titled “Cyber Security & Cyber Resilience Framework for Stock Brokers / Depository Participants”, states that it has become necessary for all such entities to enhance their security by improving their defenses to address rapidly growing cyber risks.
After discussions with Exchanges, Depositories and Stock Brokers’ and Depository Participants’ associations, a framework on cyber security and cyber resilience has been designed. The framework is required to be complied with by all Stock Brokers and Depository Participants registered with SEBI.
The guidelines annexed with this circular shall be effective from April 1, 2019.
Cyber-attacks and threats attempt to compromise the Confidentiality, Integrity and Availability (CIA) of computer systems, networks and databases (Confidentiality refers to limiting access to systems and information to authorized users; Integrity is the assurance that information is reliable and accurate; and Availability refers to the guarantee of reliable access to systems and information by authorized users).
Cyber Resilience is an organization’s ability to prepare and respond to a cyber-attack and to continue operation during, and recover from, a cyber-attack.
All Stock Brokers/ Depository Participants should adopt a risk management framework to manage risk to systems, networks and databases from cyber-attacks and threats.
- The Cyber Security Policy should include the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks and systems:
- ‘Identify’ critical IT assets and risks associated with such assets.
- ‘Protect’ assets by deploying suitable controls, tools and measures.
- ‘Detect’ incidents, anomalies and attacks through appropriate monitoring tools/processes.
- ‘Respond’ by taking immediate steps after identification of the incident, anomaly or attack.
- ‘Recover’ from incident through incident management and other appropriate recovery mechanisms.
- Stock Brokers trading through API-based terminals / Depository Participants should refer to best practices from international standards such as ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time.
- Stock Brokers / Depository Participants should designate a senior official or management personnel whose responsibility would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.
- Stock Brokers / Depository Participants should establish a reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner.
- The Designated Officer and the technology committee of the Stock Brokers / Depository Participants should periodically review instances of cyber-attacks, if any, domestically and globally, and take steps to strengthen the Cyber Security and Cyber Resilience framework.
- Stock Brokers / Depository Participants should identify critical assets based on their sensitivity and criticality for business operations, services and data management. They should maintain an up-to-date inventory of their hardware and systems and the personnel to whom these have been issued, software and information assets (internal and external), details of their network resources, connections to their network and data flows. Accordingly, they should identify cyber risks, along with the likelihood of such threats and their impact on the business, and deploy controls commensurate with the criticality.
- Any access to Stock Brokers’ / Depository Participants’ systems, applications, networks, databases, etc., should be for a defined purpose and for a defined period. Stock Brokers / Depository Participants should grant access to IT systems, applications, databases and networks on a need-to-use basis and based on the principle of least privilege. Implement an access policy which addresses strong password controls for users’ access to systems, applications, networks and databases.
- Employees and outsourced staff such as employees of vendors or service providers, who may be given authorized access to the Stock Brokers’ / Depository Participants’ critical systems, networks and other computer resources, should be subject to stringent supervision, monitoring and access restrictions.
- Physical access to the critical systems should be restricted to minimum and only to authorized officials. Physical access of outsourced staff/visitors should be properly supervised by ensuring at the minimum that outsourced staff/visitors are accompanied at all times by authorized employees. Access should be revoked immediately if the same is no longer required.
- Office premises should be physically secured and monitored by security guards.
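The access-control bullets above require that access be granted for a defined purpose and a defined period, on a least-privilege basis, with strong password controls. The following added example (not text or code from the CDSL/SEBI circular) models those three rules in Python; the role-to-privilege mapping, the 90-day maximum grant period, the 12-character minimum and the sample user/ticket names are assumptions standing in for an entity's own access policy.

```python
"""Added example: purpose-bound, time-bound, least-privilege access grants
with a strong-password check. All policy values below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# Assumed role -> privilege mapping: each role gets only the rights it needs.
ROLE_PRIVILEGES = {
    "dealer": {"trading_app:read", "trading_app:order"},
    "back_office": {"backoffice_db:read", "backoffice_db:write"},
    "auditor": {"trading_app:read", "backoffice_db:read"},
}

# Assumed policy constants; a real entity takes these from its access policy.
MIN_PASSWORD_LENGTH = 12
MAX_GRANT_DAYS = 90


@dataclass
class AccessGrant:
    user: str
    role: str
    purpose: str            # defined purpose, e.g. a change/ticket reference
    granted_at: datetime
    expires_at: datetime    # defined period: access ends here
    revoked: bool = False


def password_is_strong(pw: str) -> bool:
    """Strong password control: minimum length plus all four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(pw) >= MIN_PASSWORD_LENGTH and all(re.search(c, pw) for c in classes)


def create_grant(user, role, purpose, granted_at, days):
    """Issue a grant only with a stated purpose, a known role and a bounded period."""
    if not purpose or not purpose.strip():
        raise ValueError("access must be for a defined purpose")
    if role not in ROLE_PRIVILEGES:
        raise ValueError(f"unknown role {role!r}")
    if not 0 < days <= MAX_GRANT_DAYS:
        raise ValueError(f"grant period must be 1..{MAX_GRANT_DAYS} days")
    return AccessGrant(user, role, purpose, granted_at, granted_at + timedelta(days=days))


def is_permitted(grant, privilege, now):
    """Allow only un-revoked, unexpired grants whose role includes the privilege."""
    if grant.revoked or not (grant.granted_at <= now < grant.expires_at):
        return False
    return privilege in ROLE_PRIVILEGES[grant.role]


def expired_grants(grants, now):
    """Periodic review: grants past their period that nobody has revoked yet."""
    return [g for g in grants if not g.revoked and now >= g.expires_at]


def run_demo():
    """Constructed scenario: a dealer granted 30 days of access on 1 April 2019."""
    t0 = datetime(2019, 4, 1)
    g = create_grant("alice", "dealer", "TKT-1001 onboarding", t0, 30)
    return {
        "order_day5": is_permitted(g, "trading_app:order", t0 + timedelta(days=5)),
        "db_write_day5": is_permitted(g, "backoffice_db:write", t0 + timedelta(days=5)),
        "order_day31": is_permitted(g, "trading_app:order", t0 + timedelta(days=31)),
        "expired_day31": [x.user for x in expired_grants([g], t0 + timedelta(days=31))],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
    print("strong:", password_is_strong("Tr@d1ng-Desk-2019"))
```

The review helper `expired_grants` is the piece most often missing in practice: a grant with an end date is only useful if something periodically lists the grants that have passed it and revokes them.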
Network Security Management:
- Stock Brokers / Depository Participants should establish baseline standards to facilitate consistent application of security configurations to operating systems, databases, network devices and enterprise mobile devices within their IT environment. The LAN and wireless networks should be secured within the premises.
- Adequate controls must be deployed to address virus / malware / ransomware attacks.
- Strong encryption methods should be used to identify and encrypt critical data, so that the confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. The information security policy should also cover the use of devices such as mobile phones, faxes, photocopiers, scanners, etc.
Hardening of Hardware and Software:
- Stock Brokers / Depository Participants should deploy hardened hardware / software, including replacing default passwords with strong passwords and disabling or removing services identified as unnecessary for the functioning of the system. Open ports on networks and systems which are not in use should be blocked.
Application Security in Customer Facing Applications:
- Application security for customer-facing applications offered over the Internet, such as IBTs, portals containing sensitive or private information and back office applications, is paramount, as they carry significant attack surfaces by virtue of being available publicly over the Internet for mass use. Appropriate measures should be taken to secure such applications.
- Patch management procedures should include the identification, categorization and prioritization of patches and updates. An implementation timeframe for each category of patches should be established so that they are applied in a timely manner. Security patches and updates should be tested, where possible, before deployment into the production environment so as to ensure that the application of patches does not impact other systems.
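The patch management bullet asks for categorization, prioritization, a timeframe per category and testing before production. The following added example (not the circular's text or any vendor's tool) shows one way to turn that into a check that can be run against a patch register; the category names, the day limits, the rule that internet exposure raises a patch one category, and the sample patch records are all assumptions.

```python
"""Added example: categorize patches, derive a deadline per category and
flag overdue or untested-but-applied items. Values are assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed implementation timeframes, in calendar days from vendor release.
TIMEFRAME_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass
class Patch:
    patch_id: str
    system: str
    severity: str                # vendor severity, one of SEVERITY_ORDER
    released: date
    internet_facing: bool        # systems exposed to the internet get priority
    tested: bool = False         # tested outside production before rollout?
    applied: Optional[date] = None


def categorize(p: Patch) -> str:
    """Prioritize: an internet-facing system moves a patch up one category."""
    i = SEVERITY_ORDER.index(p.severity)
    if p.internet_facing and i < len(SEVERITY_ORDER) - 1:
        i += 1
    return SEVERITY_ORDER[i]


def deadline(p: Patch) -> date:
    """Latest acceptable deployment date under the category's timeframe."""
    return p.released + timedelta(days=TIMEFRAME_DAYS[categorize(p)])


def review(patches, today):
    """Return (overdue patch ids ordered by deadline, ids applied without testing)."""
    pending = [p for p in patches if p.applied is None]
    overdue = sorted((p for p in pending if today > deadline(p)), key=deadline)
    untested = [p for p in patches if p.applied is not None and not p.tested]
    return [p.patch_id for p in overdue], [p.patch_id for p in untested]


# Constructed sample patch register (hypothetical ids and system names).
SAMPLE_PATCHES = [
    Patch("P-001", "ibt-web", "high", date(2019, 4, 1), internet_facing=True),
    Patch("P-002", "backoffice-db", "medium", date(2019, 4, 1), internet_facing=False),
    Patch("P-003", "ibt-api", "low", date(2019, 3, 1), internet_facing=True),
    Patch("P-004", "hr-portal", "critical", date(2019, 4, 5), internet_facing=False,
          tested=False, applied=date(2019, 4, 6)),
]


def run_review():
    """Review the sample register as of 10 April 2019."""
    return review(SAMPLE_PATCHES, date(2019, 4, 10))


if __name__ == "__main__":
    overdue, untested = run_review()
    print("overdue:", overdue)            # ['P-003', 'P-001']
    print("applied untested:", untested)  # ['P-004']
```

Note that P-001 is overdue even though the vendor rated it only "high": its internet exposure moved it into the 7-day category, which is the prioritization step the circular asks for.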
Disposal of data, systems and storage devices:
- Define a policy for the disposal of storage media and systems. Critical data / information on such devices and systems should be removed using methods such as crypto-shredding / degaussing / physical destruction, as applicable.
Vulnerability Assessment and Penetration Testing (VAPT):
- Regularly conduct vulnerability assessment to detect security vulnerabilities in their IT environments exposed to the internet.
- For systems which are publicly available over the internet, penetration tests should also be carried out at least once a year, in order to conduct an in-depth evaluation of the security posture of the system through simulations of actual attacks on the systems and networks that are exposed to the internet. Additionally, perform vulnerability scanning and conduct penetration testing prior to the commissioning of a new system that is accessible over the internet.
Monitoring and Detection:
- Establish appropriate security monitoring systems and processes to facilitate continuous monitoring of security events/ alerts and timely detection of unauthorised or malicious activities, unauthorised changes, unauthorised access and unauthorised copying or transmission of data / information held in contractual or fiduciary capacity, by internal and external parties. The security logs of systems, applications and network devices exposed to the internet should also be monitored for anomalies.
- To ensure high resilience, high availability and timely detection of attacks on systems and networks exposed to the internet, implement suitable mechanisms to monitor capacity utilization of critical systems and networks that are exposed to the internet, for example, controls such as firewalls to monitor bandwidth usage.
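The Monitoring and Detection section names four kinds of activity the security logs should surface: unauthorised access, access by parties who should no longer have it, unauthorised changes and unauthorised copying of data. The following added example (not from the circular) runs simple detection rules for each over a handful of constructed log lines; the key=value log format, the host and user names, the thresholds and the approved change window are all assumptions.

```python
"""Added example: detection rules over constructed security log lines.
Log format, thresholds, user inventory and change window are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed key=value format, ISO timestamps).
SAMPLE_LOG = """\
2019-04-02T09:58:01 host=ibt-web user=alice src=10.1.1.5 action=login result=fail
2019-04-02T09:58:07 host=ibt-web user=alice src=10.1.1.5 action=login result=fail
2019-04-02T09:58:12 host=ibt-web user=alice src=10.1.1.5 action=login result=fail
2019-04-02T09:58:20 host=ibt-web user=alice src=10.1.1.5 action=login result=fail
2019-04-02T09:58:31 host=ibt-web user=alice src=10.1.1.5 action=login result=fail
2019-04-02T10:02:44 host=ibt-web user=bob src=10.1.1.9 action=login result=ok
2019-04-02T10:15:03 host=backoffice-db user=carol src=10.1.2.7 action=login result=ok
2019-04-02T10:16:10 host=backoffice-db user=carol src=10.1.2.7 action=export table=clients rows=48000
2019-04-02T23:40:00 host=fw-edge user=bob src=10.1.1.9 action=config_change object=rule-set
2019-04-02T11:05:00 host=ibt-web user=bob src=10.1.1.9 action=export table=orders rows=120
"""

ACTIVE_USERS = {"alice", "bob"}           # assumed personnel inventory; carol has left
FAILED_LOGIN_LIMIT = 5                    # failures from one source within the window
FAILED_LOGIN_WINDOW = timedelta(minutes=5)
BULK_EXPORT_ROWS = 10000                  # rows above which an export is "bulk"
CHANGE_WINDOW_HOURS = range(9, 18)        # assumed approved hours for config changes


def parse_line(line):
    """Turn '<ts> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect(log_text):
    """Return a list of (rule, description) findings in log order."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    findings = []
    failures = defaultdict(list)          # src -> timestamps of recent failed logins
    for e in events:
        action, result = e.get("action"), e.get("result")
        if action == "login" and result == "fail":
            recent = [t for t in failures[e["src"]] if e["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(e["ts"])
            failures[e["src"]] = recent
            if len(recent) == FAILED_LOGIN_LIMIT:   # fire once when the limit is reached
                findings.append(("repeated_failed_login", f"{e['src']} -> {e['host']}"))
        if action == "login" and result == "ok" and e["user"] not in ACTIVE_USERS:
            findings.append(("inactive_account_login", f"{e['user']} on {e['host']}"))
        if action == "export" and int(e.get("rows", 0)) >= BULK_EXPORT_ROWS:
            findings.append(("bulk_export", f"{e['user']} exported {e['rows']} rows of {e['table']}"))
        if action == "config_change" and e["ts"].hour not in CHANGE_WINDOW_HOURS:
            findings.append(("change_outside_window", f"{e['user']} changed {e['object']} on {e['host']}"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_LOG):
        print(f"{rule:24s} {detail}")
```

The "inactive account" rule is the one that ties monitoring back to the asset inventory bullet earlier in the circular: it only works if the personnel inventory is kept current, which is why the framework lists inventory maintenance under Identify rather than leaving it to the monitoring team.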
Response and Recovery:
- Alerts generated from monitoring and detection systems should be suitably investigated in order to determine the activities that are to be performed to prevent expansion of such an incident of cyber-attack or breach, mitigate its effect and eradicate the incident.
- The response and recovery plan should provide for the timely restoration of systems affected by incidents of cyber-attacks or breaches, for instance, by offering alternate services or systems to customers. Stock Brokers / Depository Participants should have the same Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012, as amended from time to time.
Sharing of Information:
- Quarterly reports should contain information on cyber-attacks and threats, the measures taken to mitigate vulnerabilities, threats and attacks, and information on bugs / vulnerabilities / threats that may be useful for other Stock Brokers / Depository Participants.
Training and Education:
- Entities should conduct periodic training programs to enhance knowledge of IT / Cyber Security Policy and standards among the employees incorporating up-to-date Cyber Security threat alerts. Where possible, this should be extended to outsourced staff, vendors etc.
- The training programs should be reviewed and updated to ensure that the contents of the program remain current and relevant.
Systems managed by vendors, MIIs:
- Stock Brokers / Depository Participants should instruct the vendors to adhere to the applicable guidelines in the Cyber Security and Cyber Resilience policy and obtain the necessary self-certifications from them to ensure compliance with the policy guidelines.
- The Depository Participants and Type I Stock Brokers shall arrange to have their Systems audited on an annual basis by a CERT-IN empanelled auditor or an independent CISA/CISM qualified auditor to check compliance with the above areas and shall submit the report to Stock Exchanges / Depositories along with the comments of the Board / Partners / Proprietor of Stock Broker/ Depository Participant within three months of the end of the financial year.