SEBI brings guidelines for MIIs regarding cyber security and cyber resilience
SEBI has issued guidelines for strengthening the existing cyber security and cyber resilience framework of market infrastructure institutions such as stock exchanges, clearing corporations, and depositories.
“Market infrastructure institutions (i.e., stock exchanges, clearing corporations, and depositories) are systemically important institutions as they, inter-alia, provide the infrastructure necessary for the smooth and uninterrupted functioning of the securities market.
“As part of the operational risk management, these market infrastructure institutions (MIIs) need to have a robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing, and settlement in the securities market,” SEBI said.
It is also important that MIIs establish and continuously improve their information technology (IT) processes and controls to preserve confidentiality, integrity, and availability of data and IT systems, the market regulator said.
With the change in market dynamics in the Indian securities markets, the interdependence among the MIIs has seen a significant increase. Considering the interconnectedness and interdependency of the MIIs to carry out their functions, the cyber risk of any given MII is no longer limited to the MII’s owned or controlled systems, networks, and assets, SEBI said.
As per the guidelines, MIIs shall maintain offline, encrypted backups of data and shall regularly test these backups at least on a quarterly basis to ensure confidentiality, integrity, and availability.
MIIs shall maintain regularly updated “gold images” of critical systems in the event they need to be rebuilt. This entails maintaining image “templates” that include a preconfigured operating system (OS) and associated software applications that can be quickly deployed to rebuild a system, such as a virtual machine or server.
MIIs should explore the possibility of retaining spare hardware in an isolated environment to rebuild systems in the event that starting the MII's operations from both the primary data centre (PDC) and the disaster recovery site (DRS) is not feasible.
The MIIs should also try to keep spare hardware in a ready-to-use state for delivering critical services and such systems shall be updated as and when new changes (for example OS patches, security patches) are implemented in the primary systems. This spare hardware should regularly undergo testing in line with the response and recovery plan of the MIIs.
MIIs should undertake regular business continuity drills to check the readiness of the organization and the effectiveness of existing security controls at the ground level to deal with ransomware attacks. One such drill scenario recommended to be tested is recovering from a ransomware attack considering both PDC and DRS have been impacted. This would assess the effectiveness of people, processes, and technologies to deal with such attacks.
MIIs should also conduct regular vulnerability scanning to identify and address vulnerabilities, especially those on internet-facing devices, to limit the attack surface, SEBI said.
[With Inputs from IANS]