The Securities and Exchange Board of India (Sebi) has asked financial sector organisations to ensure compliance with a CERT-In advisory regarding software as a service (SaaS)-based solutions. “It is advised to ensure complete protection and seamless control over the critical systems at your organisations by continuous monitoring through direct control and supervision protocol mechanisms while keeping the critical data within the legal boundary of India,” Sebi said.
The markets regulator referred to an advisory issued by the Indian Computer Emergency Response Team (CERT-In) for financial sector organisations.
Sebi, through a circular issued on Tuesday, asked stock brokers, depository participants and direct intermediaries to report compliance with the advisory in the half-yearly report.
Providing a list of certain data types, CERT-In noted that if such data sets fall into the hands of an adversary or cyber attacker, it may lead to an unprecedented increase in the attack surface area and weakening of the Indian financial sector infrastructure’s overall resilience.
The CERT-In advisory said that financial sector organisations may be advised to protect such critical data using “layered defence approach and seamless protection against external or insider threat”.
Among others, they were also advised to ensure complete protection and seamless control over their critical system by continuous monitoring through direct control and supervision protocol mechanisms while keeping such data within the legal boundary of India.
The advisory shall be effective with immediate effect, Sebi said. It had come after observing risks associated with availing SaaS-based solutions for managing the organisations’ governance, risk and compliance functions.
Sebi said the Ministry of Electronics and Information Technology told the regulator that financial sector institutions are availing or thinking of availing SaaS-based solutions for managing their governance, risk and compliance functions for improving their cyber security posture.
However, as per the ministry’s observation, though SaaS may provide ease of doing business and quick turnaround, it may also bring significant risk to the health of the financial sector.
Many a time, the risk and compliance data of the institution moves beyond the legal and jurisdictional boundary of India due to the nature of shared cloud SaaS, thereby posing risk to the data safety and security, it added.