The National Stock Exchange (NSE) is undertaking major initiatives to boost its information security following recommendations by a third party auditor from Israel. While the bourse has already implemented several suggestions, as many as 11 other measures have been taken up as separate projects and are in various stages of implementation.
“Out of the 152 recommendations, 141 have been closed. The remaining 11 open items are large pan-organisation initiatives and will be completed as separate projects,” the NSE annual report for the year that ended on March 2016 said. A third party audit with focus on information security is not a regular feature and did not find mention in earlier annual reports.
These measures assume significance at a time when the Securities and Exchange Board of India (Sebi) has separately asked for an independent audit of the exchange’s systems and deposit of earning from its colocation services in an escrow account, following a report by the regulator’s Technical Advisory Committee (TAC).
Also Read
TAC was asked to examine the systems after allegations by a Singapore-based anonymous whistle-blower last year that some brokers were getting unfair access to the colocation servers in collusion with the exchange’s employees. Sebi is also separately considering measures to ensure a level playing field by putting safeguards on algorithmic trading.
The Sebi directive could have an impact on the revenue and profit of the bourse, which has a dominant position in the future and options and the cash segments. Colocation servers and algorithmic trading are among the new growth areas for NSE. The bourse started colocation facility in 2010 to reduce latencies in algo and high-frequency trading. It has built 113 full racks and 150 half racks in three phases. As these racks are fully utilised, NSE added 104 racks this year.
In April, Business Standard reported that the Union finance ministry had asked the regulator to investigate the allegations contained in three letters from the whistle-blower, the first of which was sent in January 2015.
The many disclosures
An NSE spokesperson in an email response said, “For obvious reasons, we cannot share security-related measures and protocols. Please also be informed that NSE proactively takes up such measures as the exchange wants to study and implement some of the latest practices as suitable to its needs.”
In an earlier email seeking comments on the Sebi directives, the steps taken by the exchange and their impact on revenues, the spokesperson said, “We do not have anything to share with the media on this subject and we also avoid commenting on any bilateral discussion that NSE may be having with regulators.”
Business Standard analysed the two annual reports of the exchange filed since the first whistle-blower letters hit the headlines on disclosures related to colocation servers, information technology and risk management mechanisms. The disclosures show that the exchange is in the process of strengthening and improving systems, though it has publicly maintained that there was no merit in the whistle-blower’s allegations, going to the extent of filing a Rs 100-crore defamation suit against senior journalist Sucheta Dalal for reporting it. The Bombay High Court struck down the case, but the exchange has appealed against the ruling and the matter is before a division bench.
According to the 2014-15 annual report, the exchange introduced new monitoring tools for online latency measurement in trading and strengthened the risk system for cash market, futures and options and currency derivatives.
“It is now possible to monitor latency performance of trading system on a day-to-day basis in a non-intrusive manner and real-time latency visibility into the entire execution chain has been achieved,” the exchange said.
In 2014-15, the exchange also started work on creating a dashboard of the trading ecosystem comprising hardware servers, network devices, middle wares, databases and the trading application (software). The goal is to get a real time view of the health of its IT infrastructure. The project is being implemented in four phases, and so far the first three phases have been completed.
A part of this project involves creating a central command centre to ensure better coordination between its IT departments. At present, its IT teams focused on different aspects of the business, such as trading, apps, network, data centre, security, and so on, are not only working in silos but also spread across the country.
“For better co-ordination, especially during resolution, it is important to collocate these teams. The command centre project allows for creation of an integrated situational awareness room and deployment of command centre visual dashboards for effective monitoring for speeding up identification and resolution of incidents,” the 2015 annual report said.
Changes all around
The Israeli audit was the highlight of the 2016 annual report. However, it was not the only measure undertaken this year. NSE has also eliminated manual activities in the colocation application process.
Further, the bourse said that its “members can take TBT (tick-by- tick) connectivity for the complete rack. The process was also automated resulting in faster processing and reduction in paperwork. This module allows trading members to put request for activation / de-activation of multicast tick-by-tick on colocation racks.”
The whistle-blower had referred to the absence of the facility of multicast tick-by-tick price feeds in the initial days of colocation as a major flaw. Multicast tick-by-tick is a group communication where information is addressed to destination computers simultaneously. The exchange systems, until last year, used to send feed to each computer one-by-one.
“Multicast is inherently unreliable and investments need to be made by members (among others), in handling errors and using alternate recovery feeds to ensure reliability,” NSE had said in a response to a Sebi query.
FIXING ITS SYSTEM |
|