SEBI tells bourses, intermediaries to chart plans to fight cyber threat

Our Bureau Updated - January 24, 2018 at 04:04 AM.

Move a follow-up to global market regulator IOSCO’s call for mitigating ‘operational risk’

Capital markets regulator SEBI has asked stock exchanges, depositories and clearing corporations (together called market infrastructure institutions or MIIs) to put in place robust cyber security frameworks as part of their operational risk management.

MIIs provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in the securities market.

In a circular on Monday, SEBI directed MIIs to comply with its cyber security and cyber resilience framework by putting such systems in place within six months.

The move follows SEBI’s adoption of the International Organisation of Securities Commissions’ (IOSCO) Principles for Financial Market Infrastructures (PFMIs), which call for management and mitigation of ‘operational risk’.

Operational risk refers to the risk of a system going wrong on account of cyber attacks, besides human errors, thereby compromising the financial market infrastructure and resulting in heavy losses to investors.

Compromising secrecy

SEBI observed that cyber attacks and threats attempt to compromise the confidentiality (access only to authorised users), integrity (assurance of reliable and accurate information) and availability (guarantee of reliable access to systems and information by authorised users) of computer systems, networks and databases.

Cyber security frameworks include measures, tools and processes intended to prevent cyber attacks and improve cyber resilience (the ability to prepare for and respond to an attack without disrupting business).

SEBI has mandated that all MIIs formulate a comprehensive cyber security and cyber resilience policy document approved by their respective boards and reviewed annually.

Encompassing norms

In addition, SEBI has prescribed that the cyber security policy should encompass principles prescribed by the National Critical Information Infrastructure Protection Centre, .

MIIs have to appoint a senior official as Chief Information Security Officer for this purpose and the technology committees should undertake a quarterly review.

Published on July 6, 2015 16:51