CDSL detects malware in a few internal machines; settlements delayed

India’s largest depository in terms of numbers of accounts, Central Depository Services (India) (CDSL), faced cyber security issues on Friday, which impacted settlement activities.

The depository detected malware in a few of its internal machines, following which the company isolated the machines and disconnected itself from other constituents of the capital market.

“As per initial findings, there is no reason to believe that any confidential information or the investor data has been compromised,” said CDSL in a statement. The incident has been reported to the authorities.

The official website of the securities depository remained non-functional and showed error till the filing of the story on Friday.

“(The company) is working with its cyber security advisors to analyse the impact. Resolution of the incident is in process, subsequent to which settlement activities would be completed,” added CDSL.

In October 2021, reports claimed that a vulnerability at a CDSL subsidiary -- CDSL Ventures Limited (CVL) -- exposed personal and financial data of over 43 million investors, twice in a period of 10 days. 

Cyber security consultancy startup CyberX9 had claimed that the securities depository took around seven days to fix the bug which could have been resolved immediately.

At the end of August, CDSL operated 71.6 million demat accounts with assets under custody of Rs 38.5 trillion. 

In its annual report for 2021-22, the Securities and Exchange Board of India (Sebi) had proposed to conduct a special purpose cyber audit of all market infrastructure institutions (MIIs) to evaluate their preparedness for any cyber threat.

Sebi had noted that in the view of various cyber security, MIIs, registrars to an issue and share transfer agents (RTAs), KYC registration agencies (KRAs) and top broking companies will be directed to submit their security audit reports and their compliance reports to Sebi for detailed analysis.  

Last month, Sebi chair Madhabi Puri Buch had hinted at a new framework to protect investor trades at an incident of cyber security attack or breach facilitating exchange of data between stock exchanges.