Sebi Steps up Effort to Tackle Cyber Crime
Following reports of cyber security threat in the Indian banking system, the Securities and Exchange Board of India (Sebi) has initiated an urgent review of the overall risk management and has decided to set up a high-level committee to ensure prudent response and quick, corrective measures for any cyber threat.
The move follows the damage-control exercise that the government, the Reserve Bank of India and banks initiated after a cyberattack that put 3.2 million bank debit cards at risk. While State Bank of India blocked 600,000 cards — which the bank will replace free of cost and send to customers — other banks such as Axis Bank, HDFC Bank and ICICI Bank have asked their customers to change the security codes or replace the cards.
A senior Sebi officer said although the securities market systems were being upgraded constantly, it was decided to constitute a high-level committee to ensure fullproof security. The committee will be headed by a whole-time member of Sebi and will tackle unforeseen circumstances and also oversee the implementation of the regulatory policies across markets in the area of cyber security.
Sebi’s team would comprise experts from the information technology (IT) sector. The regulator will also ask stock exchanges to create internal task forces that will essentially send alerts to this committee and take measures to safeguard their systems, networks, and databases from cyberattacks, said the official cited above.
Sebi has come across a few cases of technical glitches hitting one of the stock exchanges and other financial institutions in the recent past. In August, software viruses were found in three personal computers at the BSE, which were identified and formatted, though the viruses did not have any impact on the working of the BSE or any of its departments. However, the regulator has apprehensions that the problem at these institutions could be due to cyberattacks.
Sebi had in July 2015 issued a set of guidelines for the stock exchanges and other market infrastructure institutions (MIIs) to safeguard their systems. Sebi had said MIIs need to have robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in the securities market.
The mechanism of cyber security and cyber resilience would include governance, identify, protection monitoring and detection, responses and recovery, sharing of information, training and periodic audit, Sebi had said in the circular. The same circular was issued early this year for commodity market as well.
According to cyber law experts, the regulator will have to enforce the law rather than having advisory and guidelines. “This is a reactive action after the cyber attack in the banking industry, which has already taken place. Such a committee will not deter any future cyberattack. The law itself is deficient as there is no dedicated cyber security law in the country. So, consequently, the roles and duties of intermediaries are not at all defined,†said Pavan Duggal, a cyber law specialist. He added there’s a need to enforce strict accountability on organisations, which do not follow cyber security standards.
Equity and commodity futures exchanges have huge repository of information and sensitive data. Therefore, they have to make cyber security a top priority, say experts.
“The mandate of implementing cyber security comes through law, and not through advisory or guidelines. To begin with, the regulator must have teeth of law which ensures compliance or they face severe consequences,†added Duggal.
According to security experts, cyber criminals typically use proxy servers with the help of technology to hide their footprints. Trails of such attacks are often encrypted. The International Organization of Securities Commissions, whose member include 120 securities regulator including Sebi, had surveyed 89 exchanges in 2014, which showed more than half of the securities exchanges had been on the receiving end of such attacks.