India Insights with Suparna Goswami

SEBI Cybersecurity Recommendations: Old Wine in New Bottle?

Little New in Securities Regulator's Latest Guidelines

The Securities Exchange Board of India, which regulates the securities market, recently announced that it plans to create a three-tier structure for the commodities market to bolster cybersecurity.

It also wants to ensure that the commodities market deploys data analytics and other newer technologies to deal with various cybersecurity challenges.

Other recommendations include: using strong passwords, appointing a CISO and having reasonable security practices in place.

Most of the latest recommendations issued by SEBI were part of its guidelines issued last year as well as two years ago. Plus, many of the recommendations, such as the call for "reasonable" security practices, remain quite vague.

Three-Tier Approach

In its annual report, SEBI explains that it plans to set up a "Cyber Security and Compliance Reporting System" for regulated entities, which will collaborate with regulators to tackle cyber vulnerabilities.

Security experts familiar with SEBI's plan tell me that the new three-tier Cyber Security and Compliance Reporting System would focus on:

  • Building awareness on cybersecurity;
  • Helping companies build network security and incident response plans;
  • Ensuring proper implementation of security controls.

I contacted SEBI for more clarification, but did not receive a response.

Meanwhile, an official from CERT-In, who asked not to be named, tells me: "We have not heard anything from SEBI. How they plan to deploy this, what technology they plan to use or if they have enough skilled man force - nothing is clear."

SEBI also announced it will develop a "cyber capability index" to assess the cybersecurity preparedness and resilience of market infrastructure institutions, which include stock exchanges, clearing corporations and depositories. "Such index will not only improve the oversight of cybersecurity implementations, but will also help to gauge the level of implementation of the guidelines issued by SEBI from time to time," the market watchdog said in its annual report.

But so far, SEBI has offered little clarity on how it plans to implement these cybersecurity plans.

Latest Recommendations

While it is good to see SEBI prioritizing cybersecurity, its latest recommendations to securities firms are mainly vague or too basic.

For instance, SEBI recommends that asset management companies implement strong passwords and two-factor authentication for users at log-in stage. While that's a reasonable recommendation, it ignores that progressive organizations are moving away from passwords to biometrics and other advanced forms of authentication.

Although the latest recommendations do make mention of using machine learning and artificial intelligence, they fail to clarify where companies should deploy these technologies.

What's Next?

SEBI has a cyber cell that creates these cybersecurity guidelines. This cyber cell should build an information sharing platform - along the lines of FS-ISAC - to enable the sharing of information on security events among securities market enterprises.

The cyber cell should also take the initiative to launch pilot projects for newer security technologies to help demonstrate how they can best be put to use.

SEBI deserves credit for its earlier action calling on large market infrastructure institutions to create a community SOC they can share to improve efficiency. In accordance with the recommendations, Bombay Stock Exchange implemented a community security operations center, which provides its services to more than 1,000 member brokers.

The securities industry in India needs more innovative moves along these lines.

About the Author

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed to Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.
