Advisory for SEBI Regulated Entities Regarding Cybersecurity Practices

Swetha Dhinesh

28 Feb, 2023

The Securities and Exchange Board of India has issued new safeguards for regulated intermediaries like stock exchanges, depositories, and mutual funds to strengthen its cybersecurity policy. For depositories, stock exchanges, and other regulated entities, SEBI issued an advisory on February 22, 2023, requesting that they define the duties and responsibilities of the (CISO) chief information security officer and other senior personnel in light of the growing cybersecurity threats to the securities market. Additionally, it required them to make the security policy’s reporting and compliance requirements crystal clear. We’ll talk about the CSRIT-Fin recommendation and the advisory for regulated entities regarding cyber security in this blog.

Cyber Security threats faced by SEBI-regulated entities (REs)

To protect the investor’s interest in securities, to encourage the growth of the securities market, and to regulate it, this circular is being issued in accordance with the authority granted under Section 11 (1) of the Securities and Exchange Board of India Act, 1992^[1]. The advisories that are released shall take effect immediately, and they are as follows:

• Organisations in the financial sector, including stock exchanges, depositories, mutual funds, and other financial enterprises, have been the target of cyber events that are both more frequent and sophisticated than ever before. The cyber risk of any particular business is no longer restricted to the entity’s owned or controlled systems, networks, and assets because financial entities are interconnected and dependent on each another to perform their activities.

• In addition, it is crucial to understand that many conventional approaches to risk management and governance that have been successful in the past may not be comprehensive or adaptable enough to address the rapid changes in the threat environment and the pace of technological change redefining public and private enterprise. It is because the threat is sophisticated, persistent, and characterised by a high level of coordination among threat actors.

• To reduce any associated risks to financial stability, regulated entities must respond to cyber incidents quickly and effectively and recover from them. To ensure the same, Financial Computer Security Incident Response Team (CSIRT-Fin) has offered crucial suggestions in its report sent to SEBI. The circular’s Annexure-A includes the appropriate recommendations as an advisory.

Compliance

This advice should be read in connection with any relevant SEBI circulars (such as the frameworks for annual system audits, cybersecurity, and cyber resilience, among others) and any changes that have been released by SEBI from time to time.

The regulated entities must submit their cybersecurity audit report and the compliance of the recommendation (conducted as per the applicable SEBI Cybersecurity and Cyber Resilience framework). The compliance must be reported in accordance with the current reporting process and the frequency of the relevant cybersecurity audit.

Recommendations of Computer Security Incidence Response Team (CSIRT- Fin)

The following twelve procedures, recommended by CSIRT-Fin, are advised to be implemented by SEBI Regulated Entities (REs) in light of the growing cybersecurity threat to the securities market:

1. Chief Information Security Officer (CISO) and Designated Officer Duties and Responsibilities: It is advised that regulated entities outline the roles and responsibilities of the CISO and other senior staff members. The security policy must make reporting and compliance obligations very clear.
2. Countermeasures against phishing websites and attacks:
   • The regulated entities must proactively scan the internet for phishing websites related to their domain and report them to CSIRT-Fin/CERT-In to take appropriate action.
   • Phishing emails, malicious advertisements on websites, and third-party apps and programmes are the main ways infections spread. Hence, well-planned security awareness efforts that emphasise the need to avoid opening email attachments and links can create a crucial line of protection. Also, the advisories issued by CERT-In/ CSIRT-Fin may be cited for aid in performing exercises for public awareness.
3. Patch management and vulnerability assessment and penetration testing (VAPT):
   • The most recent patches for all operating systems and programmes should be applied on a regular basis. Virtual patching can be thought of as a temporary solution for zero-day vulnerabilities and in cases where updates are unavailable. Via end-of-support and end-of-life apps and software vulnerabilities, this safeguard prevents thieves from accessing any system. Patches should only be purchased through the OEM’s official websites.
   • Security audits and penetration tests (VAPT) of the application should be performed on a regular basis and in compliance with SEBI circulars on cyber security and cyber resilience that are periodically issued. The VAPT/Security Audit’s observations and shortcomings must be filed within the time frames indicated by SEBI.
4. Data protection and data breach measures: 
   • Regulated entities are urged to create a thorough incident response strategy.
   • Implement robust data backup, recovery, and protection policies.
   • To stop an attacker from accessing unencrypted data, the data at rest should be encrypted.
   • Define and categorise sensitive and Personally Identifying Information (PII) data, then take the necessary precautions to encrypt it both in transit and at rest.
   • Implement data leakage prevention (DLP) techniques.
5. Log retention: 
   As mandated by the IT Act of 2000, CERT-In, and current SEBI requirements, a strict log retention strategy should be put into place. Regulated entities are encouraged to check that all logs are being gathered. It is essential to keep an eye out for any odd trends or behaviours in the event and incident records.
6. Password guidelines and authentication mechanisms:
   • A strong password policy needs to be put in place. The policy should have a provision requiring regular reviews of former employees’ accounts. Several accounts should not share the same password, and a list of passwords shouldn’t be kept on the system.
   • Implement multi-factor authentication (MFA) for all users connecting through the internet, with a focus on virtual private networks, webmail, and accounts that have access to vital systems.
   • The Maker and Checker frameworks need to be strictly applied, and MFA needs to be activated for all user accounts, particularly those that access crucial apps.
7. Privilege Management: 
   • Maker-Checker framework implementation is recommended in order to change the user’s rights in internal apps.
   • Zero-trust models should be used to provide security for both on- and off-premises resources in order to mitigate the insider threat concern. The idea behind Zero Trust is to “trust nothing, verify everything.” Whether they are inside or outside a network perimeter, this security architecture mandates tight identity verification for any resource and device trying to access any information on a private network.
8. Cybersecurity Measures: 
   • Set up email and web filters on the network. Before receiving and downloading messages, set up these devices to search for known malicious sites, sources, and addresses and to prevent them. Use a reliable antivirus programme to thoroughly scan all emails, attachments, and downloads on the host and at the mail gateway.
   • After thoroughly checking them, block the malicious domains/IPs without affecting the operations. For the most recent malicious domains/IPs, C&C DNS, and links, consult the CSIRT-Fin/CERT-In alerts that are released regularly.
   • If it’s not necessary, limit the use of “PowerShell” and “wscript” in enterprise environments. Verify that the most recent version of PowerShell is installed and used and that enhanced logging, script block logging, and transcription are all enabled. Send the related logs to a centralised log repository for monitoring and analysis.
   • If practical, use host-based firewalls to block communication between endpoints via Remote Procedure Call (RPC) and Server Message Block (SMB). It restricts lateral mobility and other forms of attack.
   • Instead of blacklisting specific ports, the practice of whitelisting ports based on business usage at the firewall level should be used. All other ports that have not been whitelisted should have their traffic automatically stopped.
9. Cloud service security:
   • Verify that every cloud instance in use is accessible to the general public. Verify that no server or bucket is unintentionally leaking data due to improper setup. 
   • Maintain sufficient security of cloud access tokens. The website’s source code, configuration files, etc., shouldn’t have the tokens accessible to the public. 
   • Establish suitable security measures for cloud-hosted environments used for testing, staging, and backups. Provide proper separation between these and the production environment. If using older or testing environments is no longer necessary, disable or remove them.
   • Consider using hybrid data security products designed to function in cloud-based systems using a shared responsibility approach.
10. Use of CERT-In/CSIRT-Fin Advisories: 
    The regulated entities must adhere to the word and spirit of the advisories issued by CERT-In. The advisories should also be implemented as soon as they are received.
11. Concentration Risk on Outsourced Agencies: 
    • Concentration risk has been found when a single third-party vendor provides services to numerous regulated entities. Due to the significant concentration risk, even though these third parties are modest non-financial firms, any cyberattack on them could have systemic effects.
    • To reduce this concentration risk, it is necessary to identify these firms and prescribe specific cyber security procedures, such as independent auditor audits of their systems and protocols.
    • Moreover, REs must consider this concentration risk while outsourcing numerous essential services to the same vendor.
12. Audit and ISO Certification: 
    • The letter and spirit of SEBI’s guidelines on the external audit of REs by independent auditors appointed by CERT-In should be followed. 
    • The regulated entities are also encouraged to pursue ISO certification as it offers confidence regarding their cybersecurity readiness. 
    • To ensure the competency and efficacy of audits, due diligence concerning the audit method and instruments must be taken.

Conclusion 

Global cyber strategy and tactical cybersecurity operations have been considerably impacted by the geopolitical events of the previous year, according to the World Economic Forum’s Global Cybersecurity Outlook 2023. The efficiency of cybersecurity controls with third parties is increasing, so efforts are made to tighten internal policies and procedures. It shows that immediate organisational actions to cyber risk will have a favourable long-term effect. SEBI’s guidelines present an opportunity to put the issues under control which will not only protect them today but helps to avoid these threats in future.

Also Read:
SEBI Investment Advisors Amendment Regulations 2020
Requirements for Investment Advisors Registration with SEBI
SEBI modifies cyber security framework for Stock Brokers/ Depository Participants