SEBI Issues Risk Framework Guidelines
Experts: Take a Holistic Approach to Risk Assessment
The Mumbai-based Securities and Exchange Board of India has issued guidelines to the country's stock exchanges to develop a cybersecurity and cyber resilience framework to protect the securities market from cyber-threats.
SEBI issued a circular on Monday, July 6, urging all exchanges, clearing corporations and depositories to implement necessary changes within six months and implement a robust cybersecurity framework to provide essential facilities and perform critical functions of trading, clearing and settlement in the securities market.
It says that Market Infrastructure Institutions should designate a senior official as CISO whose function would be to assess, identify and reduce cybersecurity risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the policy.
While the circular does not specify the penalty for MIIs that fail to comply with the implementation guidelines, it is issued in exercise of the powers conferred under Section 11(1) of the SEBI Act, 1992 and Section 19 of the Depositories Act, 1996 to protect the interests of investors in securities.
The oversight Standing Committee on Technology of the stock exchanges and of the clearing corporations and the IT Strategy Committee of the depositories should on a quarterly basis review the implementation of the cybersecurity and resilience policy approved by their boards.
Security experts say it's a smart move, along the lines of the Gopalakrishna committee report for banking to secure against cyber-threats.
They recommend that exchanges take a holistic approach in developing a cybersecurity framework that enables actions based on risk assessment -- a globally accepted model.
"This is the right mandate to create an eco-system overarching the cybersecurity framework in encouraging a risk-based approach," says Bangalore-based Raghu R V, president, ISACA, Bangalore chapter.
SEBI, with its Technical Advisory Committee, held detailed discussions with MIIs to develop the necessary guidance on cybersecurity and cyber resilience. In April 2015, SEBI issued directives to create a risk-based framework to combat cyber-attacks.
SEBI mandates market institutions to identify plausible sources of operational risk, internal and external, and mitigate their impact through appropriate systems, policies, procedures and controls as part of the management and mitigation of operational risk.
The guideline says systems should be designed to ensure a high degree of security and operational reliability and adequate, scalable capacity. Business continuity management should aim for timely recovery of operations and fulfilment of the FMI's obligations, including in the event of a wide-scale or major disruption.
"We are worried about state-sponsored cyber-attacks," said SEBI Chairman U K Sinha in a recent statement. "There are worries that vulnerability in markets is increasing. We must create a framework for a future plan of action on securities market resilience."
SEBI's cybersecurity framework includes measures, tools and processes to prevent cyber-attacks and improve cyber resilience. Cyber resilience is an organisation's ability to prepare and respond to a cyber-attack and continue operation during, and recover from, a cyber-attack.
The mandate said the policy document should be approved by the board. For deviations, the reasons should be provided in the policy document. The policy document should be reviewed by the MII's board at least annually.
The policy should include the following processes to identify, assess and manage cybersecurity risk associated with processes, information, networks and systems.
- 'Identify' critical IT assets and risks associated with such assets;
- 'Protect' assets by deploying suitable controls, tools and measures;
- 'Detect' incidents, anomalies and attacks through appropriate monitoring tools / processes;
- 'Respond' by taking immediate steps after identification of the incident, anomaly or attack;
- 'Recover' from incident through incident management, disaster recovery and business continuity framework.
The policy should encompass the principles prescribed by National Critical Information Infrastructure Protection Centre of National Technical Research Organisation, Government of India, in the report 'Guidelines for Protection of National Critical Information Infrastructure' and subsequent revisions, if any, from time to time.
Exchanges and other MIIs must also submit quarterly reports to SEBI containing information on cyber-attacks and threats experienced and the measures taken to mitigate vulnerabilities, threats and attacks, including information on bugs, vulnerabilities and threats that may be useful for other MIIs.
The focus is on governance, identity, protection, physical security, network security management, data security, vulnerability assessment, monitoring and detection, information sharing, training, response and recovery, and periodic audits, among others.
While security practitioners consider SEBI's policy comprehensive and one that market institutions cannot ignore, they foresee some challenges in implementation.
The biggest challenge, says A K Viswanathan, senior director-Enterprise Risk, Deloitte, is the scarcity of resources and talent, and setting the right expectations with the business.
"It also means a holistic approach in understanding key risk processes and managing stakeholder expectations while designing a cybersecurity framework," says Viswanathan.
Raghu finds that the challenge for market institutions lies in staying up to date in deploying compliance frameworks and technologies that enable business transformation, and in leveraging the public-private partnership model to establish security systems maturity.
Says Mumbai-based Suresh A Shan, head, innovation and future technologies, Mahindra & Mahindra Financial Services, "The major challenge is to be up-to-date in the latest technology and upgrade systems to protect data against threats and adhere to SEBI guidelines."
N D Kundu, head, security, Bank of Baroda, foresees market institutions increasing their investments and making a few internal alignments.
Gurgaon-based Manikant Singh R, CISO, Orbis Financials, a non-banking financial institution, says the limited number of security professionals in the market is a shortcoming.
"Budgetary constraints are inevitable in investing in new resources; besides, creating documental evidence in prescribing security policies is an issue," says Singh.
Arun Gupta, former CIO of Cipla Ltd and now a consultant, is of the opinion that the timeline of six months is a short one for smaller market institutions to have an operational framework and the right team to support it. Some may also require intermediation of existing solutions deployed, he says.
Developing a Risk Framework
The question also is whether security heads of these institutions can come up with an effective cybersecurity framework.
ISACA's Raghu recommends that institutions deploy ISO27001 as part of the IT Act -- that can help develop a suitable model. "These companies must implement all the 114 controls prescribed by the ISO standard which can help meet SEBI guidelines," he says.
Deloitte's Viswanathan, too, believes that exchanges developing a globally acceptable framework and deploying the 114 controls of ISO27001 is a good start. "The initiative must be viewed as a program, not a project; as a business requirement, not a security mandate."
SEBI's guidelines present an opportunity to put in place controls that will not only protect institutions today but also make them future-ready. Gupta believes institutions should consider adopting new-age concepts like the software-defined perimeter, which are designed for superior security.
Singh says CISOs must take the board into confidence when prescribing the cybersecurity framework. "The risk framework should ensure that apart from managing risks, it should capture information against adverse situations with a complete step-by-step implementation procedure," he says.
SEBI also says that MIIs should encourage their third-party providers, such as service providers, stock brokers and depository participants, to maintain similar standards of information security. Raghu underscores this point: "CISO should leverage the public private partnership model effectively in recommending ideal standards and help in risk profiling, besides having an information sharing mechanism in place to understand best practices."