New Delhi: SEBI has issued guidelines for strengthening the existing cyber security and cyber resilience framework of market infrastructure institutions such as stock exchanges, clearing corporations and depositories.
“Market infrastructure institutions (i.e., stock exchanges, clearing corporations and depositories) are systemically important institutions as they, inter-alia, provide infrastructure necessary for the smooth and uninterrupted functioning of the securities market.
“As part of the operational risk management, these market infrastructure institutions (MIIs) need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in the securities market,” SEBI said.
It is also important that MIIs establish and continuously improve their information technology (IT) processes and controls to preserve confidentiality, integrity and availability of data and IT systems, the market regulator said.
With the change in market dynamics in the Indian securities markets, the interdependence among the MIIs has seen significant increase. Considering the interconnectedness and interdependency of the MIIs to carry out their functions, the cyber risk of any given MII is no longer limited to the MII’s owned or controlled systems, networks and assets, SEBI said.
As per the guidelines, MIIs shall maintain offline, encrypted backups of data and shall regularly test these backups at least on a quarterly basis to ensure confidentiality, integrity and availability.
MIIs shall maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
MIIs should explore the possibility of retaining spare hardware in an isolated environment to rebuild systems in the event starting MII’s operations from both primary data centre (PDC) and disaster recovery site (DRS) are not feasible.
The MIIs should also try to keep spare hardware in ready to use state for delivering critical services and such systems shall be updated as and when new changes (for example OS patches, security patches) are implemented in the primary systems. This spare hardware should regularly undergo testing in line with response and recovery plan of the MIIs.
MIIs should undertake regular business continuity drills to check the readiness of the organization and effectiveness of existing security controls at the ground level to deal with the ransomware attacks. One such drill scenario recommended to be tested is recovering from ransomware attack considering both PDC and DRS have been impacted. This would assess the effectiveness of people, process and technologies to deal with such attacks.
MIIs should also conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface, SEBI said.
Follow on Twitter | Posted by Mansoor Hameed | 
