NSE New Circular on Cyber Security Resilience Audit

The National Stock Exchange (NSE) has recently released a new circular on cyber security and cyber resilience, mandating an audit of its trading members. The objective is for each member to possess a comprehensive cyber security policy document that encompasses the circular’s framework and prioritizes cyber security and resilience.

A Few Cyber Breach Incidents in the Stock Exchange Segment in India

There have been several high-profile cyber breaches in India affecting NSE, NSDL & BSE. Here are a few examples:

  1. In 2017, the NSE faced a data leak that exposed the sensitive information of around 7,000 users. The data leak reportedly occurred due to a vulnerability in the exchange’s security system.
  2. In 2018, NSE launched an investigation into a cyber-attack on one of its departments. The cyber-attack targeted the Market Regulation Department, and the hackers had reportedly gained access to sensitive data.
  3. In 2020, BSE faced a data breach that exposed the personal information of around 3,000 investors. The data breach reportedly occurred due to a vulnerability in one of the exchange’s third-party systems.
  4. In the same year, cyber criminals targeted NSDL’s IT system, which led to the exchange suspending its e-voting facility temporarily.

These breaches highlight the crucial importance of prioritizing cyber security and implementing robust security measures to prevent such incidents. As a result, regulatory bodies like NSE and BSE have put in place cyber security guidelines to ensure better cyber resilience across the industry.

In line with this, SEBI released circular ref. no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 (as amended from time to time) regarding the Cyber Security & Cyber Resilience framework for Stock Brokers / Depository Participants. In accordance with the requirements of the SEBI circular and various Exchange circulars, Members are required to conduct a Cyber Security & Cyber Resilience Audit periodically and submit the report to the Exchange.

In view of the above, the Exchange has recommended that an independent Cyber Security Audit/System Audit of Trading Members be conducted. The scope of the audit will be similar to the terms of reference in Annexure D of Exchange Circular no. NSE/INSP/56734 dt. May 17, 2023 pertaining to Cyber Security & Cyber Resilience Audit Report Submission and Annexure E of NSE/INSP/56731 dt. May 17, 2023 pertaining to System Audit of Trading Members.

Key Pointers of the NSE New Circular on Cyber Security Audit

1. Cyber Resilience Audit: NSE mandates all trading members to conduct an independent cyber security & cyber resilience audit annually, at a minimum, to identify and mitigate potential cyber risks.

2. Reporting: The trading members must report the results of the audit, including any gaps or risks identified and the mitigation plan, to NSE within a specific timeframe.

3. Cyber Security Policy: Trading members are required to have a comprehensive cyber security policy in place that covers all aspects of cyber risk management, including identifying and managing cyber threats, implementing security controls and procedures, monitoring cyber activity, and responding to incidents.

4. Security Awareness Training: Trading members are advised to provide regular security awareness training to their employees to help prevent cyber threats.

5. Vendor Management: Trading members should periodically review and assess the cyber security posture of their vendors and ensure that the vendors they engage with have adequate cyber security controls in place.

6. Incident Response: Trading members must have a robust incident response plan in place to respond effectively to any cyber incidents and minimize the damage.

7. Proper Access/Authorization Limitations: Trading members should implement access and authorization limitations on systems, networks, and data, based on the principle of least privilege, to reduce the risk of unauthorized access.

8. Business Continuity Plan: Trading members must have in place a robust business continuity plan that can be activated in case of any cyber incident to ensure that their operations continue seamlessly.

The new NSE circular emphasizes the need for trading members to take a proactive approach towards cyber security and resilience and ensures that trading members take all necessary steps to protect their systems, networks, and data from potential cyber threats.

Key Benefits of NSE New Circular for Trading House

Adhering to the recent NSE Circular on Cyber Security & Cyber Resilience Audit will have several benefits for trading houses as follows:

1. Improved Cyber Security: Adhering to the circular’s guidelines can improve a trading house’s cyber security posture, making it more challenging for cyber criminals to penetrate its systems and helping to safeguard mission-critical data.

2. Enhanced Compliance: Compliance with the circular can demonstrate a trading house’s commitment to data security and can help firms avoid expensive penalties for non-compliance.

3. Increased Customer Confidence: By prioritizing cyber security, a trading house can build trust and confidence with its clients.

4. Comprehensive Strategy: With a comprehensive cyber security strategy, trading houses can identify and manage cyber risks and can have proactive incident response strategies.

5. Competitive Edge: Adhering to the NSE Circular can give trading firms a competitive edge by reducing the likelihood of cyber-attacks that can disrupt business operations and tarnish the brand reputation.

Furthermore, non-adherence to the circular can have several implications for trading houses, as illustrated in the next section.

Consequences of not following the New NSE Circular

Non-compliance with the NSE Circular on Cyber Security & Cyber Resilience Audit can have various consequences for trading houses, including:

1. Penalties: Trading members could be fined for non-compliance with the NSE Circular.

2. Reputation damage: Failure to comply with the circular could damage the reputation of the trading member, leading to a loss of customer confidence.

3. Legal liabilities: In the event of a cyber-attack or breach, trading members that have failed to comply with the guidelines in the circular could face legal liabilities.

4. Operational disruptions: Cyber-attacks can be costly and disruptive, leading to downtime and financial losses for the business.

5. Regulatory scrutiny: Trading members that do not comply with the NSE Circular could face regulatory scrutiny from authorities, leading to additional complications and legal exposure.

Non-compliance with the NSE Circular on Cyber Security & Cyber Resilience Audit may have significant consequences for trading members, and hence it is essential for businesses to prioritize cyber security governance and stay up to date to prevent potential risks.

In effect, a third-party assessment by a CERT-In empanelled auditor can add a lot of value, not only from a compliance point of view but also through recommendations that can be incorporated for an improved cyber security posture.

In case you need any assistance, Prime Infoserv can perform a cyber security and resilience audit of your systems, identifying vulnerabilities and providing recommendations to mitigate them, to ensure the utmost protection of your valuable data and operations.

Contact us at info@primeinfoserv.com or call us at +9133 4008 5677 for any expert advice from the expert Cyber Defender.