TelecomLive January-2019
Sebi Cybersecurity

Stricter framework for Brokers & Depositories

Sebi put in place a stricter cybersecurity framework for stock brokers and depository participants amid concerns over possible data breaches. With the new norms, to be effective from Apr 2019, stock brokers and depository participants would be required to define the responsibilities of individuals, including outsourced staff, who have privileged access to the networks. No person should have any intrinsic right to access confidential data by virtue of their rank or position.

Sebi has asked brokers and depository participants to formulate a comprehensive cybersecurity and cyber resilience policy document encompassing the framework. In case of deviations, reasons should be provided in the policy document. They need to establish a reporting procedure to facilitate timely communication of unusual activities and events to the designated officer.

Brokers and depository participants will have to define the responsibilities of their employees, outsourced staff, and employees of vendors, members and other entities who may have privileged access to the networks. Further, such staff should also be subject to stringent supervision, monitoring and access restrictions.

In case applications are offered to customers over the internet by market infrastructure institutions (MIIs), such as NSE's NOW and BSE's BEST among others, the responsibility of ensuring cyber resilience on those applications resides with the MIIs and not with the broker or depository participant. The cyber security policy of brokers trading through application programming interface (API) based terminals should consider the principles prescribed by the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organisation (NTRO). Sebi said that alerts generated from monitoring and detection systems need to be suitably investigated.

Circular Citations

1. Rapid technological developments in the securities market have highlighted the need for maintaining a robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy.

2. Since stock brokers and depository participants perform significant functions in providing services to holders of securities, it is desirable that these entities have a robust cyber security and cyber resilience framework in order to provide essential facilities and perform systemically critical functions relating to the securities market.

3. Accordingly, after discussions with Exchanges, Depositories and Stock Brokers' and Depository Participants' associations, a framework on cyber security and cyber resilience has been designed. The framework would be required to be complied with by all Stock Brokers and Depository Participants registered with Sebi.

4. Stock Exchanges and Depositories shall:
a) make necessary amendments to the relevant byelaws, rules and regulations for the implementation of the above direction;
b) bring the provisions of this circular to the notice of their members / participants and also disseminate the same on their websites; and
c) communicate to Sebi the status of implementation of the provisions of this circular in their Monthly Report.

Data security on customer facing applications

1. Analyse different kinds of sensitive data shown to the Customer on the front end application to ensure that only what is deemed absolutely necessary is transmitted and displayed.

2. Wherever possible, mask portions of sensitive data. For instance, rather than displaying the full phone number or a bank account number, display only a portion of it, enough for the customer to identify, but useless to an unscrupulous party who may covertly obtain it from the customer's screen. For instance, if a bank account number is "123 456 789", consider displaying something akin to "xxx xxx 789" instead of the whole number. This also has the added benefit of not having to transmit the full piece of data.

3. Analyse data and databases holistically and draw out meaningful "silos" (physical or virtual) into which different kinds of data can be isolated and cordoned off. For instance, a database with personal financial information need not be a part of the system or network that houses the public facing websites of the Stock Broker. They should ideally be in discrete silos or DMZs.

4. Implement strict data access controls amongst personnel,
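The two customer-facing controls quoted above (transmit only the fields the front end needs, and mask identifiers such as "123 456 789" to "xxx xxx 789" before they are sent) are small enough to implement as a single server-side redaction layer. The following is an added example written for this page; it is not code from the Telecom LIVE article, from Sebi, or from any broker. The field names, the sample record and the `DISPLAY_FIELDS` allow-list are constructed for illustration. The masking function keeps the grouping separators the customer is used to, reveals only the trailing characters, and masks the whole value when it is too short for partial display to hide anything; a small leak check verifies that no full identifier survives into the serialised payload.

```python
"""Server-side redaction of sensitive identifiers before display.

Added example, not part of the Telecom LIVE article or the Sebi circular.
Field names, the allow-list and the sample record are constructed.
"""
import json
import re


def mask_value(value: str, visible: int = 3, mask_char: str = "x") -> str:
    """Mask every alphanumeric character except the last `visible` ones.

    Non-alphanumeric characters (spaces, hyphens, '+') are kept so the
    familiar grouping survives: "123 456 789" -> "xxx xxx 789".
    A value with no more than `visible` significant characters is masked
    completely, so a short identifier is never echoed back in full.
    """
    significant = sum(1 for c in value if c.isalnum())
    keep = visible if significant > visible else 0
    out = []
    seen = 0
    for c in value:
        if not c.isalnum():
            out.append(c)  # preserve grouping separators
            continue
        seen += 1
        # only the trailing `keep` significant characters stay visible
        out.append(c if seen > significant - keep else mask_char)
    return "".join(out)


# Allow-list of fields the front end may receive, each with the transform
# applied before serialisation (None = sent unchanged). Fields absent from
# this mapping are never transmitted (constructed allow-list).
DISPLAY_FIELDS = {
    "name": None,
    "account_number": mask_value,
    "phone": mask_value,
}


def redact_for_display(record: dict) -> dict:
    """Build the front-end payload from a full customer record.

    Only allow-listed fields are included, and masked fields go through
    mask_value here, on the server, so the full identifier never leaves it.
    """
    payload = {}
    for field, transform in DISPLAY_FIELDS.items():
        if field not in record:
            continue
        value = record[field]
        payload[field] = transform(value) if transform else value
    return payload


def _alnum(s: str) -> str:
    return re.sub(r"[^0-9A-Za-z]", "", s)


def leaks_full_identifier(payload: dict, record: dict) -> bool:
    """Regression check: does any masked field's full value appear anywhere
    in the serialised payload? Conservative (separator-insensitive), so a
    True result should be treated as a masking bug."""
    blob = _alnum(json.dumps(payload))
    for field, transform in DISPLAY_FIELDS.items():
        if transform is None or field not in record:
            continue
        full = _alnum(record[field])
        if full and full in blob:
            return True
    return False


# Constructed sample record, not real customer data.
SAMPLE_RECORD = {
    "name": "A. Customer",
    "account_number": "123 456 789",
    "phone": "+91 98765 43210",
    "date_of_birth": "1980-01-01",  # not allow-listed: never transmitted
}


if __name__ == "__main__":
    shown = redact_for_display(SAMPLE_RECORD)
    print(json.dumps(shown, indent=2))
    print("leak detected:", leaks_full_identifier(shown, SAMPLE_RECORD))
```

Running the module prints the redacted payload with "xxx xxx 789" and "+xx xxxxx xx210" and reports no leak; `leaks_full_identifier` is the kind of check worth wiring into the test suite of any endpoint that returns customer data, so that a later change which adds a raw field to the response is caught before it reaches production.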