The Securities and Exchange Board of India (Sebi) is putting in place a cyber security framework for smaller brokers that will help mitigate data leaks, online fraud, identity theft and hacking of trading accounts, said two people familiar with the matter.
A committee comprising officials from the regulator, exchanges and the broking community has been formed to implement this framework.
“Intermediaries such as brokers have a lot of data available with them. It is their duty to ensure that this data is protected and other risks related to cybercrime are mitigated, so that clients do not incur unwarranted losses,” said one of the committee members. “We are trying to work out a framework that results in better security and data protection, yet protects interests of smaller brokers in terms of costs and ease of implementation.”
The framework may take about a year to develop and brokers will be on-boarded in a phased manner. Brokers will be classified into three categories – A, B and C – depending on criteria such as net worth and average daily volumes. “The A category consists of large brokers that have a lot of data and do sizeable volumes. These already have their own software and framework in place to provide cyber security. It is the B and C categories that need to be covered,” said the person quoted above.
The framework would be based on three key aspects: vulnerability assessment and penetration testing (VAPT), 58 criteria for cyber security as defined by the regulator and cyber audit. “The cyber audit and reporting system, as well as the scope and assets to be covered under cyber security, will be spelt out under the new framework,” the person said.
An email sent to Sebi did not get a response.
In June, the regulator asked stock brokers to report all cyber attacks, threats and breaches within six hours of detecting such incidents. The quarterly reports containing information on such attacks and threats, and measures taken to mitigate the vulnerabilities, have to be submitted to the exchanges and depositories within 15 days from the end of every quarter.
“Until now, every broker was required to look at cyber security and market integrity on his own. Going forward, the advancement of technology will enable shared infrastructure to be created on the cloud for this purpose. This would mean servers, security devices, network systems and other IT infrastructure would be on a cloud and there would be a common set of cyber security standards for brokers,” said Deven Choksey, managing director, KRChoksey Shares and Securities.
This will make life much easier for smaller brokers and reduce costs. Even a shared infrastructure will increase the cost of doing business and brokers’ pricing model will have to evolve going forward to take this into consideration, Choksey said.
“Since we work in the trust industry, it is crucial to have a robust cyber security framework, the best safety solutions, the most recent technology installed, a firewall and other preventative measures in place. Many of the large brokerage firms have already implemented these procedures. Smaller brokers, however, will find it challenging to incorporate such a system on their own,” said Deepak Singh, chief business officer at Reliance Securities.
Zerodha, for instance, has Cloudflare in front of all public endpoints that provides web app firewall, bot and DDoS protection. Different systems are located on different networks to isolate them from each other. Its internal employee systems are on VPN and require two-factor authentication to access.
At ICICI Direct, every new application is subjected to application security life cycle testing. Periodic audits are conducted by the internal audit group covering network security, database security and web servers.
Last year, hackers had breached security systems at Upstox and stole KYC and other data of about 2.5 million customers, which prompted the broker to update its security systems after consulting a global cybersecurity firm.
Sebi in 2018 first laid out a broad framework on cyber security and cyber resilience for stock brokers.
A few days back, Sebi chairperson Madhabi Puri Buch said the regulator was working on a system to mitigate the risk of cyber attacks on the stock exchanges.