SEBI: Commodity Exchanges Need CyberSec Policy
Senior Management Must be Involved to Build Cyber Defences
The Mumbai-based Securities and Exchange Board of India has issued a directive to the country's commodity derivatives exchanges to deploy a cybersecurity and cyber resilience framework and protect the commodity markets from growing cyber-threats.
The regulator issued the guidance on March 29, urging all commodity exchanges and market infrastructure institutions, which provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in the derivatives market, to implement a robust cybersecurity framework.
In July 2015, SEBI (See: SEBI Issues Risk Framework Guidelines) issued a similar circular to stock exchanges with guidelines to implement a risk framework and protect the securities market from cyber threats.
According to B J Dilip, general manager of the Division of Inspection and Complaints against Exchanges, Commodity Derivatives Market Regulation Department at SEBI, the circular will be applicable starting January 1, 2017.
SEBI plans to issue cybersecurity guidelines based on the recommendations of the Technical Advisory Committee for commodity derivative market along the lines prescribed for stock exchanges.
Security leaders believe such policy mandates will compel the boards and senior management of regulated organizations to get involved in cybersecurity matters and allow them to increase strategic focus on these critical issues.
"Since the commodity exchange markets are a part of national critical infrastructure, and the probability of a targeted attack is high, such a direction from the SEBI will help them develop expertise against growing threats," says Mumbai-based Narayan Neelakantan, AVP, Head IT Risk and Compliance & CISO at National Stock Exchange Infotech Services, a subsidiary of NSE.
According to SEBI, the sudden spate of sponsored cyber-attacks for financial gain by international hacktivists, and the sophisticated methods they use to intrude into networks and access vital information, have prompted the move.
The regulator says the major provisions of the cybersecurity and cyber resilience framework would cover governance, identification of critical assets, protection, monitoring and detection, response and recovery, sharing of information, and audit.
Organizations are asked to make necessary amendments to their policies to implement the framework. SEBI's TAC has advised market institutions to assess the adequacy of risk management frameworks before it lays down broad principles with which financial markets will have to comply.
Arun Gupta, former CIO of Cipla and an IT strategist, says it is a step in the right direction for ensuring the commodity markets stay secure.
"The biggest challenges are that actions are typically taken when something breaks, rather than as a design," says Gupta. "Any regulatory compliance gives it the needed attention to address the challenge."
While SEBI's directives emphasize the management and mitigation of "operational risk" - with market infrastructures identifying the plausible sources of operational risk and mitigating their impact through the use of appropriate systems, policies, procedures and controls - security leaders are sceptical about the organizational capabilities.
Mumbai-based N D Kundu, CISO of Bank of Baroda, says that unlike the banking sector, the organizations in the commodities exchange markets are still not security savvy: a lack of awareness about the evolving threat landscape, with no information-sharing platform, is an overarching challenge.
Chennai-based Sivakumar Krishnan, consultant for IT and systems audit for the banking sector, expresses a similar sentiment. He says these markets do not have a process or a mechanism in place to build a breach response or cybersecurity framework as skills are scarce. "Even detecting threats and vulnerabilities becomes a challenge, leave alone preventing them," says Krishnan.
SEBI's directives urge CISOs to design systems that can ensure a high degree of security and operational reliability and have adequate scalable capacity. But security critics are sceptical about the markets ensuring the same.
Mumbai-based Shiju Rawther, Assistant Vice President - Technology at Credit Information Bureau (India) Ltd., says that while Stock Exchanges have realized the importance of data security and implemented cybersecurity policies as per SEBI's directive last year, the commodity derivative markets are laggards in deploying best security practices.
"I believe these markets lack best practices; there's a dearth of focus and investments in security technology deployments which could be a big bottleneck in defending cyber-threats and protecting the integrity of the volumes of data it deals with," Rawther says.
Securing the Future
SEBI emphasizes that the markets should build their cybersecurity policy based on the principles prescribed by National Critical Information Infrastructure Protection Centre of National Technical Research Organization in identifying, protecting, detecting and responding to threats.
However, security experts say that before even working out an elaborate framework, having certain basic security hygiene in place is critical.
Kundu says an appropriately certified team and implementing ISO 27001 are mandatory, and that involving senior management becomes critical while establishing a resilient framework.
Neelakantan says the commodity market should focus on:
- Strong governance controls to ensure strategic focus on cybersecurity;
- Minimum security baseline for the entire eco-system and more stringent controls for critical assets;
- Monitoring and detection mechanisms to identify potential security incidents;
- Comprehensive incident response plan to handle breaches/incidents.
"Organizations should put together the requisite people, process and tooling for implementing this cybersecurity policy," he says.
Even before adhering to SEBI's recommendations and putting up a framework, the immediate step for commodity markets, Rawther says, is to designate a senior official as CISO whose function would be to assess, identify and reduce cybersecurity risks and establish adequate standards and controls.
"The security team should identify critical assets based on their sensitivity and criticality for business operations, services and data management," Rawther says.
"It is critical to maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows to assess potential vulnerabilities that can result in an attack."