Just as RBI has issued a cyber security framework for banks, NBFCs, PPI issuers etc., SEBI has also formulated a Cyber Security Framework applicable to brokers and depositories. The guideline, issued on December 3, 2018, has suddenly gained traction and is attracting discussion.
E-trading is similar to e-commerce or e-banking in terms of risks and the need for security. However, the stakes are extremely high in stock transactions, because the value of the transactions and the speed with which they take place in real time add risks of their own.
The e-trading that SEBI oversees includes futures and options as well as commodities, including gold and metals. Only currency trading operations fall under the supervision of RBI.
In the past we have seen frauds, some of which were plain financial cheating. But there have been hints of more sophisticated frauds involving technology: "pump and dump" frauds, and broker or broker-employee frauds in which piggyback trades are booked on top of a customer's genuine transactions. Most large brokers today let customers place orders directly through apps and computer-based trading software, with a variety of conditions built in (stop loss, triggers, margin trades etc.), and hence the scope for frauds of different kinds is high.
There have also been reports of stock exchange servers being manipulated to gain a timing advantage in receiving the price data disseminated by the trading platform, so that one broker obtains a lead of a few milliseconds over the others, which enables them to make unfair profits.
Taking all this into consideration, proper information security oversight was overdue. With the advent of the concept of "Sensitive Personal Information Protection" under the data protection legislation, it was also necessary for brokers to realize the need to upgrade their security culture and infrastructure to meet modern-day demands.
The published Cyber Security Framework of SEBI therefore requires a close look (a copy of the circular can be accessed from the SEBI website).
The main requirements are:
a) Draft a comprehensive Cyber Security and Cyber Resilience Policy, approved by the management and reviewed annually.
b) The policy should be risk-assessment based, with clear procedures for incident detection, response and recovery.
c) The policy should conform to the Government's "Guidelines for Protection of National Critical Information Infrastructure".
d) Appoint a compliance official, supported by an internal technology committee of experts.
e) Necessary access control measures need to be implemented.
f) Sub-brokers and customers need to be included in the overall policy.
g) Physical and network security measures need to be implemented.
h) Encryption should be used for data in transit and in storage.
i) Brokers should ensure that the products used for trading are adequately certified for security.
j) The people involved need to be adequately trained.
k) Assurance measures such as audits need to be implemented.
Overall, an entire system of information security has to be implemented by brokers and depositories.
For data protection professionals this requirement is not new: with Section 43A of ITA 2000/8 already in force and the PDPA 2018 on the anvil, data security was already expected to be recognized as a responsibility of the stock broking community.
It will be interesting to see how the industry players adapt to these demands. Any negligence or complacency will render the stock broker and the depositories liable as "intermediaries" under the ITA 2000/8.