SEBI Creates Cybersecurity Panel
Experts Size Up Whether New Committee Will Make a Difference
With an aim to safeguard capital markets from cyberattacks, the Securities and Exchange Board of India has set up a committee on cybersecurity to provide guidance. But some security practitioners stress that the panel will prove effective only if its recommendations are actually carried out.
The committee will advise SEBI on developing and maintaining cybersecurity and cyber resilience requirements aligned with global best practices and industry standards, keeping in mind the needs of the Indian capital market.
Back in 2016, SEBI announced plans to set up a panel of experts to make recommendations and put in place detailed guidelines to be followed by the capital markets in securing their IT infrastructure. It had asked all exchanges, clearing corporations and depositories to put in place a robust cybersecurity framework to provide essential facilities and perform systematically critical functions relating to trading, clearing and settlement in the derivatives market (see: SEBI: Exchanges Need Risk Framework).
After issuing the necessary guidelines to the capital markets on building a risk framework, SEBI also announced late last year that it was hiring a CISO to help protect the securities market. As the next step in the process, the regulator felt the need to appoint a panel to set the direction for the CISO and the organization in building a cybersecure ecosystem (see: SEBI to Hire CISO to Help Protect Securities Markets).
The four-member committee will be chaired by Madhabi Puri Buch, member at SEBI. The other members are: S. V. Murali Dhar Rao, executive director at SEBI; Sanjay Bahl, director general at Indian Computer Emergency Response Team-ICERT; and H. Krishnamurthy, principal research scientist at the Bangalore-based Indian Institute of Science, or IISC.
The Panel's Agenda
The panel will identify measures to improve cyber resilience and related business continuity and disaster recovery processes in the Indian securities market. It also will:
- Study major cyberattack incidents related to financial markets in domestic and global markets and identify gaps in the existing cybersecurity and resilience framework;
- Periodically review the functioning of Security Operations Centers and guide SEBI in setting up a cyber center of excellence for the securities market;
- Engage in continuous dialogues with relevant external agencies, including CERT-In, National Cyber Coordination Centre, Department of Telecommunications, Ministry of Electronics and Information Technology and leading academic institutions;
- Provide recommendations for strengthening the processes used to audit cybersecurity and cyber resilience setups in the Indian securities market.
Will It Make a Difference?
One security practitioner, who asked not to be named, offered an assessment of the panel's potential impact: "We have to see if the recommendations are actually followed and put into practice. It's very easy to form such a panel, but one has to ensure that panel members keep themselves abreast of the latest developments in this space."
A risk officer from a leading insurance company, who asked to remain anonymous, says the new panel's agenda is comprehensive. "Sanjay Bahl and H. Krishnamurthy are known names in the industry, and with them in the panel I expect the committee to be proactive," he adds.
But the key factor, he says, is whether securities companies are willing to adopt changes. "The panel can only recommend. Ultimately, firms need to make sure that things are put in place," he says.
Nevertheless, some experts feel the regulator is uniquely positioned to build a robust framework that looks at cybersecurity holistically from a systemic risk perspective rather than in silos.
What More Can Be Done?
Due to the sensitivity of financial data and its value to cybercriminals, financial organizations will likely remain prime targets for cyberattacks. Implementing the most up-to-date technologies could make a difference when it comes to cybersecurity, says Rajesh Maurya, regional vice president, India and SAARC, at Fortinet.
"Firms should be asked to conduct simulations and tests on a regular basis," Maurya says. "Threat intelligence has become important, but SEBI should ensure that are educated enough to take timely actions."
Maurya adds that as cloud adoption grows, SEBI should make sure that organizations apply security policies consistently "regardless of the location of that data."
There has been a paradigm shift in cybersecurity countermeasures within the exchange market, which is moving beyond prevention toward a focus on detection, response and recovery, says Mumbai-based Narayan Neelakantan, co-founder and CEO at Block Armour, and former CISO of the National Stock Exchange.
Because early detection of attacks is essential to minimize the impact, the panel has to issue guidelines on building an early warning system in collaboration with various agencies and market institutions as part of the risk management strategy, Neelakantan says. "This would provide actionable cyber intelligence and enable the market intermediaries to respond in a timely and effective manner to cyberattacks," he says.
Neelakantan says priorities for the panel should be:
- Reviewing the current level of cyber preparedness of the entire ecosystem, including exchanges, depositories and brokers;
- Prescribing measures to augment the cybersecurity and cyber resilience capabilities of these institutions;
- Developing a framework to enable collaboration and information sharing on cybersecurity matters between various institutions to ensure that the market ecosystem is geared up to deal with new attack forms.