Sebi brings guidelines to boost cyber security framework for exchanges

Capital markets regulator Sebi on Tuesday came out with guidelines to strengthen the existing cyber security and cyber resilience framework for stock exchanges and other market infrastructure institutions (MIIs).

The new guidelines will come into force with immediate effect, the Securities and Exchange Board of India (Sebi) said in a circular.

"Considering the interconnectedness and interdependency of the MIIs to carry out their functions, the cyber risk of any given MII is no longer limited to the MII's owned or controlled systems, networks, and assets," Sebi said.

Accordingly, the regulator came out with guidelines to strengthen the existing framework for MIIs -- stock exchanges, clearing corporations, and repositories.

 

Under the guidelines, MIIs will have to maintain offline, encrypted backups of data and regularly test these backups at least every quarter to ensure confidentiality, integrity, and availability.

Further, they should explore the possibility of retaining spare hardware in an isolated environment to rebuild systems in the event starting their operations from both the Primary Data Centre (PDC) and Disaster Recovery Site (DRS) is not feasible.

Also, they should undertake regular business continuity drills to check the readiness of the organization and the effectiveness of existing security controls at the ground level to deal with ransomware attacks.

MIIs should conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface.

Noting that MIIs are systemically important institutions as they provide the infrastructure necessary for the smooth and uninterrupted functioning of the securities market, Sebi said that they should employ multi-factor authentication for all services, secure domain controllers, and secure dark web monitoring services to check for any brand abuse.

As part of the operational risk management, these MIIs need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in the securities market, Sebi said.