In view of the increasing cybersecurity threat to the securities market, the Securities and Exchange Board of India (“SEBI”), vide its circular dated February 22, 2023 (“Circular”), has issued an advisory to all Regulated Entities (“REs”) on cybersecurity best practices. REs, including stock exchanges, depositories and mutual funds, have been advised to implement these cybersecurity practices as recommended by the Financial Computer Security Incident Response Team (CSIRT-Fin) for an efficient and effective response to and recovery from a cyber-incident. REs shall report their compliance with the advisory along with their cybersecurity audit report. The compliance shall be submitted as per the existing reporting mechanism and frequency of the respective cybersecurity audit.
SEBI has laid down twelve recommendations to be implemented by REs in order to better tackle cybersecurity threats, which inter alia include measures to deal with phishing attacks, data breaches, concentration risks from outsourced agencies and cyber risks from cloud services.
To protect data and prevent data breaches, SEBI suggests that REs adopt the following measures:
To combat phishing attacks, REs have been advised to proactively monitor cyberspace to identify phishing websites targeting the REs’ domain and to report them to CSIRT-Fin/CERT-In for appropriate action. Security awareness campaigns that stress not clicking on links and attachments in email have also been advised to help tackle such attacks. Certain important cybersecurity controls have been recommended as well, such as scanning all emails, attachments and downloads, both on the host and at the mail gateway, with a reputable antivirus solution, blocking malicious domains/IPs, and restricting the execution of “powershell” and “wscript” in the enterprise environment, if not required, etc.
SEBI has advised REs to define the roles and responsibilities of the Chief Information Security Officer (CISO) and other senior personnel. REs have also been directed to maintain a strong log retention policy and password policy, and to enable multi-factor authentication (MFA) for all users. To keep cloud services secure, checking the public accessibility of all cloud instances in use has been recommended.
SEBI has noted that availing services from single third-party vendors creates concentration risks, as any cyber-attack on such organizations could have systemic implications for the REs. To mitigate such risks, SEBI has advised REs to prescribe specific cybersecurity controls for such vendors, including audit of their systems and protocols by independent auditors.
SEBI has specified in the Circular that the advisories issued by CERT-In, as well as SEBI’s instructions on external audit of REs by independent auditors, should be implemented in letter and spirit by the regulated entities. REs are also advised to go for ISO certification, as it provides a reasonable assurance on the preparedness of the RE with respect to cybersecurity.
Please find a copy of the Circular, here.
Read our thought paper on CERT-In's six-hour reporting rule for cybersecurity incidents, here.
This update has been contributed by Vinod Joseph (Partner) and Paridhi Jain (Associate).