Amid increasing cybersecurity threats to the securities market, the Securities and Exchange Board of India (Sebi) has issued an advisory for regulated entities regarding cybersecurity best practices to limit cyber threats and phishing attacks. SEBI has asked all regulated entities (REs), including financial sector organisations, stock exchanges, depositories, mutual funds and other financial entities, to provide compliance of the advisory along with their cybersecurity audit report. Sebi has also asked REs to define roles and responsibilities of chief information security officer (CISO) and other senior personnel.
These entities have been asked to prepare a detailed incident response plan, enforce data protection and recovery processes. Furthermore, they have been asked to take steps to prevent any data leak from cloud services, do security audit and vulnerability testing, and devise awareness programs against phishing or malicious emails.
Sebi has also advised the entities to encrypt sensitive and personally identifiable information (PII) data, specifically in transit, to protect its access from any attacker.
The regulator has told the REs to follow these five steps as measures for data protection:
- Prepare detailed incident response plan
- Enforce effective data protection, backup, and recovery measures
- Encryption of the data at rest should be implemented to prevent the attacker from accessing the unencrypted data
- Identify and classify sensitive and Personally Identifiable Information (PII) data and apply measures for encrypting such data in transit and at rest.
- Deploy data leakage prevention (DLP) solutions / processes.
The regulated entities have also been directed to maintain a strong log retention policy and password policy in all digital assets and also enable multi factor authentication (MFA) for all users. The advisories issued by CERT-In should be implemented in letter and spirit by the regulated entities, SEBI said in the circular. The REs are also advised to go for ISO certification and due diligence with respect to audit process and tools used for such audit needs to be undertaken.
Also, Sebi said that operating systems and applications should be updated with the latest patches on a regular basis. It further said that security audit or Vulnerability Assessment and Penetration Testing (VAPT) of the application should be conducted at regular basis.
“Given the sophistication and persistence of the threat with a high level of coordination among threat actors, it is important to recognise that many traditional approaches to risk management and governance that worked in the past may not be comprehensive or agile enough to address the rapid changes in the threat environment and the pace of technological change that is redefining public and private enterprise,” Sebi said.
The circular will come into force with immediate effect.
If you need help in beefing up your cybersecurity, write to us at marketing@cloverinfotech.com and our team of experts will be glad to assist you.
