Mumbai: The Securities and Exchange Board of India (SEBI) on Monday came out with a cyber security framework for stock brokers and depositories.
The guidelines would come into force on April 1, 2019, SEBI said in a circular.
“As part of the operational risk management framework to manage risk to systems, networks and databases from cyber attacks and threats, stock brokers/depository participants should formulate a comprehensive cyber security and cyber resilience policy document encompassing the framework,” the circular said.
In case of deviations from the suggested framework, reasons for such deviations, technical or otherwise, should be provided in the policy document, it added.
As per the guidelines, stock brokers or depository participants should designate a senior official or management personnel whose function would be to assess and identify cyber security risks, respond to incidents, establish appropriate standards and controls.
The board or proprietors of the stock brokers or depository participants would have to constitute an internal “technology committee” comprising experts, which would, on a half-yearly basis review the implementation of the cyber security and cyber resilience policy of the organisation.
It also said: “No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.”
Any access to systems, applications, networks, databases and so on, should be for a defined purpose and for a defined period, the regulator added.
“All critical systems of the stock broker/depository participant accessible over the Internet should have two-factor security (such as VPNs, Firewall controls etc).”
It mandated the brokers and depositories to ensure that records of user access to critical systems, wherever possible, are uniquely identified and logged for audit and review purposes and also ordered for storing logs in a secure location for at least two years.
The guidelines further said that physical access to the critical systems should be restricted only to authorised officials.
For algorithmic trading facilities, SEBI ordered that adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running algorithmic trading applications.
“Critical data must be identified and encrypted in motion and at rest by using strong encryption methods,” the circular said.