With stock trading, communications, data storage and all auxiliary processes moving online to a paperless format, cybersecurity now takes centre stage. One aspect of cybersecurity deals with shielding the exchange servers and all related systems from attacks that can disrupt trading or settlement, eroding the credibility of Indian stock markets. The other aspect deals with protecting investors' data, which could be at risk if the systems of regulated entities, including asset management companies, stockbrokers and alternative investment funds, are breached. The market regulator, SEBI, has issued various circulars dealing with cyber surveillance and protection for different market segments since 2015. In a welcome step, these rules are now being reviewed and strengthened through a consolidated framework for cybersecurity and cyber resilience. But the regulator will have to keep a tight vigil in this area and be ready to alter or add to this framework, as continuing technological innovation will also produce novel ways of attacking public systems.

Recent trading halts at the largest stock exchange have underlined the lack of preparedness for such exigencies and the lacunae in exchanges' disaster recovery systems. The proposed framework has a set of rules to meet such events, including asking market infrastructure institutions to have a standard operating procedure for response and recovery, laying down that Vulnerability Assessment and Penetration Testing (VAPT) shall be done at regular intervals, and prescribing cyber audits of the systems. Measures such as asking all regulated entities to identify their critical assets in consultation with the Board, frame a detailed cybersecurity and resilience policy to protect these assets, and test these policies frequently should help to some extent. It is good that the framework covers services provided by third-party vendors, since an attack on a vendor's systems can impact the entity accessing those services. Controlling access to sensitive and critical software systems is especially important, since gaps in this area led to the NSE colocation scam. Mandating well-documented log retention, password and access policies that are communicated to all employees should help avoid such lapses.

The paper says that all regulated entities should have a security operations centre (SOC) for continuous monitoring of operations, to pick up anomalies and alert the cybersecurity team if needed. While the larger intermediaries, fund houses, depository participants, KYC Registration Agencies and share transfer agents will find it easy to comply with these rules, smaller entities may find the compliance cost formidable. Enforcement of the framework among smaller entities needs to be closely monitored.

It is welcome that SEBI is adopting global best practices to establish a secure and credible stock market ecosystem; other regulators such as IRDAI and PFRDA should adopt a similar framework for the entities they regulate.