Sebi Issues 12-Point Cybersecurity Advisory For Mutual Funds, Stock Exchanges & Other Entities—Check Details

The Securities and Exchange Board of India (Sebi) has issued a 12-point advisory for the regulated entities (REs) in view of rising cybersecurity threats faced by stock exchanges, depositories, mutual funds, and other financial entities in the country.
Sebi said the latest advisory should be adhered to in conjunction with other relevant applicable circulars it issued from time to time, directing the REs to file compliance report as per the existing reporting mechanism for cybersecurity audit.
In its circular on Wednesday, the capital market regulator noted that cybersecurity incidents are growing in frequency and sophistication. 

Given the interdependency of the financial entities for their functions, “the cyber risk of any given entity is no longer limited to the entity’s owned or controlled systems, networks and assets, it said.

It further observed that many traditional approaches to risk management and governance that worked in the past may not be “comprehensive or agile enough” to address the rapidly evolving new threats. Therefore, Sebi has called for effective response to limit any financial stability risks faced by the REs. 

The fresh advisory has been issued under Section 11 (1) of the Sebi Act, 1992, which empowers the regulator to take action to protect the interests of investors and regulate the securities market.

The 12 points in the advisory include:

Roles and responsibilities of chief information security officer (CISO): REs have been advised to define roles and responsibilities of CISO, and reporting and compliance requirements.

Measures against phishing attacks: The REs must proactively monitor the cyberspace to identify phishing websites and report the same to CSIRT-Fin/CERT-In for taking appropriate action.
Patch management and vulnerability assessment and penetration testing (VAPT): All operating systems and applications should be updated with the latest patches besides frequent VAPT audit. 
Measures for data protection and data breach: REs are advised to prepare detailed incident response plan to enforce effective data protection, backup, and recovery measures.

Log retention: REs must implement robust log retention policy as per SEBI regulations and CERT-In and IT Act 2000.
Password policy & authentication mechanisms: Must implement a strong password policy, including review of accounts of ex-employees Passwords should not be reused or stored on the system.
Privilege management: Maker-Checker framework must be implemented to modify user’s right in internal applications.
Cybersecurity controls: REs must deploy web and email filters on the network to scan for known bad domains, sources, and addresses, and block them before receiving and downloading messages. 

Security of cloud services: Check public accessibility of all cloud applications in use to ensure no server is inadvertently leaking data due to inappropriate configurations.

Implementation of CERT-In/ CSIRT-Fin advisories: The advisories issued by CERT-In should be implemented in letter and spirit by the regulated entities. Additionally, the advisories should be implemented promptly as and when received.
Concentration risk on outsourced agencies: Need for identify such organisations and prescribe specific cybersecurity controls, including system audit and protocols from independent auditors.

Audit and ISO certification: External audit of REs by independent auditors empanelled by CERT-In should be complied with.