SEBI: Firms Must Disclose Fraud
Listed Companies Urged to Report Incidents Within 24 Hours
Mumbai-based Securities and Exchange Board of India has issued a directive urging listed companies to disclose to stock exchange(s) all events/information regarding fraud, compliance, financial loss and material loss no later than 24 hours after occurrence.
Security practitioners welcome SEBI's decision. However, they believe that a strong governance, risk and compliance policy and a structured risk management framework are needed to fulfill SEBI's objective.
"SEBI's move to seek specific details of any fraud or incident, including financial losses through a stringent disclosure, will improve the security of the nation's privately owned critical infrastructure," says Sharat Airani, director-IT and chief information security officer at Pune-based Intellinet Datasys Pvt. Ltd.
Behind the Mandate
In a statement shared with the media, SEBI sources say the board has reviewed the requirements related to disclosures made by listed entities on a continuous basis to enable investors to make well-informed investment decisions. The mandate issued under SEBI's regulations has been approved by the board.
The board says these disclosure norms will help curb selective leaks of market-sensitive information related to listed companies, besides protecting investor interest.
"Companies will be required to inform stock exchanges about the nature of fraud or default or arrest," said the statement.
The new norms suggest that companies make disclosures at the time of an occurrence of a fraud, default or an arrest of key managerial personnel, and also declare the nature of fraud or default or arrest.
The mandate also prescribes rules for sharing detailed information about the actual impact of the incidents on the company's financials and the corrective measures taken on account of such a default.
In addition to making a disclosure at the time of occurrence and after the cessation of the event, updates of disclosure on material developments should also be made on a regular basis until the event/information is resolved/closed with explanations.
Also, the board of the listed entity should frame a policy for determining the materiality of fraud, which will be disclosed on its website. Non-compliance would call for penal action.
Referring to the Sarbanes-Oxley Act of 2002, a United States federal law that set new standards for public accounting, Gurgaon-based Sriram Natarajan, chief risk officer-retail banking & cards at Quattro, says, "India needs such a norm, compelling firms to report on incidents for better accountability."
What it Means to CISOs
Security practitioners already comply with SEBI's norms for public accountability of such incidents. However, the challenge, say some CISOs, is a lack of a standard information sharing norm or structured format.
According to a recent study by SEBI, India accounts for only 12.8 percent of the incidents reported publicly. Natarajan says it's because Indian firms lack a structured risk management division; in most cases, companies rely on auditors to detect and report fraud. "SEBI's move will indirectly help establish a culture of information sharing among enterprises and compel them to comply with its regulations."
Encouraged by SEBI's directive, Delhi-based Rajiv Nandwani, chief information security officer at Innodata, says if the fraud incidents have caused a major loss to the company, they may be reported even as part of the risk reporting under Clause 49 of the Stock Exchange Listing Agreement. However, he says, "The ill-effect is that most organizations do not comply with the security guidelines prescribed by the RBI in case of the banking sector, and IRDA in case of insurance firms, and don't feel compelled to report incidents. This mandate will help companies improve their financial and security health."
CISOs propose measures to build a resilient enterprise from an incident reporting standpoint.
Quattro's Natarajan suggests a formal compliance and risk unit should be put in place so any employee can report an incident or update.
"A structured risk management framework with a clear reporting structure is needed, besides encouraging a strong GRC culture," Natarajan says.
Nandwani recommends having a risk management and compliance team responsible for investigating fraud, which would also enable the company to detect fraud as it occurs.
"Enterprises must put stringent security controls in reviewing high-value transactions, where detecting frauds becomes easy and the reporting structure gets better," Nandwani says. "Insider trading demands a sign-off from employees handling financial data before it is made public. This could take care of the hygiene factor in preventing fraud."
Airani suggests aligning security with compliance. "The juxtaposition of the two functions will reduce the cost and increase the effectiveness of compliance policies in an organization," he says.