SEBI: Exchanges Need Risk Framework
Security Task Force to Develop Recommendations
The Mumbai-based Securities and Exchange Board of India has issued a directive to the country's stock exchanges to create a risk-based framework to help combat cyber-attacks on capital markets.
The regulator plans to set up a task force of experts to make necessary recommendations and put in place detailed guidelines to be followed by the capital markets in securing their IT infrastructure.
Security experts say this is a smart move. To support it, they recommend the exchanges adopt an appropriate incident response team, an information sharing policy, effective risk assessment tools and awareness and training programs to mitigate cyberthreats.
"Given the rise in the data breaches and hacking by international hacking groups, it is time capital market institutions take a holistic view of the security architecture and deploy controls which can tighten their IT processes and risk framework," says S N Sunder Krishnan, chief information security officer at the Mumbai-based Reliance Capital Ltd.
SEBI is worried about the sudden spate of sponsored cyber-attacks for financial gain by international hacktivists and believes that attackers are using sophisticated methods of intruding into the networks and accessing vital information.
According to a media statement, SEBI believes there is a need to create awareness in the market about the recent data breaches and increasing cyber-attacks from international groups.
At a recent Cyber Security & Resilience conference organized by SEBI and BSE in Mumbai, SEBI Chairman U K Sinha said, "There are worries that the vulnerability in markets is increasing which demands a creation of a security framework to make the securities market more resilient to fight cyber-attacks."
With the attacks centered on financial institutions, there is a need to adopt new technologies and build awareness among the teams to build resilience.
According to the media statement, a senior official at SEBI says, "The move is aimed at securing the data, applications, database, operating systems and network layers of financial market infrastructures against various forms of cyber-attacks such as denial-of-service attacks, phishing, hacking, man-in-the-middle attacks, sniffing, spoofing, key-logging and malware attacks."
SEBI, along with its Technical Advisory Committee, has urged institutions to assess the adequacy of risk management frameworks before it lays down the broad principles that financial markets would be required to comply with. SEBI urges institutions to consider various steps and measures to secure their systems, while designing and implementing their IT and cybersecurity policy.
Security experts welcome SEBI's decision. However, some also hold concerns.
One major concern is that most institutions do not have a dedicated security and risk team in place, or even an IT team. Thus, having a robust cybersecurity mechanism as an immediate measure may be too ambitious.
"The main concern is to leverage expertise in the security domain, given the acute shortage of experts, when it comes to deploying emergency response teams and risk assessment professionals," says S N Ravichandran, member of the Coimbatore-based Association of Cyber Society of India.
Delhi-based cyber law expert Neeraj Aarora, who deals with financial markets, reiterates that the recent hacking of Sony, JP Morgan and Target clearly indicates the emerging threat from international hacking groups, which have been targeting information and data for financial gain.
"As unethical hackers adopt advanced techniques and unfair practices to meet their nefarious activities, the SEBI, government and stock exchanges are required to develop effective risk assessment tools and impart adequate training and awareness within the organization to help combat cyber-attacks," Aarora says.
Krishnan remarks that most capital markets have been working in silos or depending on third-party security frameworks that will not address process-oriented risks within the organization. Such guidelines would require a complete overhaul of the security framework and sufficient investments.
Ways to Secure
As per SEBI's directive, most organizations would plan to beef up their teams of officers, develop data-mining and intelligence tools and go for security audits. But experts say a systematic approach is essential in securing the framework.
Aarora encourages deployment of the ISO 27001 standard as an immediate measure to protect data and information, in line with the 2011 Rules under the IT Act, which require reasonable security practices and procedures to protect personal data.
Krishnan recommends three vital aspects as part of risk assessment strategy:
- Adopt proactive methods to assess risks based on three principles: collaborative, combative and dynamic methods;
- Secure buy-in from the board or stakeholders in security investment decisions and adopt compliance standards;
- Set up a structured mechanism for information exchange between experts and CERT-In to understand cyber-threats.
But Ravichandran cautions: "As most institutions in this domain depend on private parties, it is important to develop good evaluation methods and monitoring standards involving in-house response teams that can help in pre-empting threats."