SEBI Releases Advisory for Regulated Entities to Deal with Rise in Cyber Incidents

In view of the increasing number of cyber-attacks encountered by financial entities and the extent of complexity involved therein, the Securities and Exchange Board of India (SEBI) has issued a circular dated February 22, 2023, urging the SEBI Regulated Entities (REs) such as stock exchanges, stock brokers, merchant bankers, etc. to implement the practices specified in the circular.

The board emphasized that conventional means would prove inadequate in dealing with cybersecurity threats in the technologically advanced world. Hence, a necessity was felt to come up with an adequate mechanism to deal with such threats and minimize the risks involved. In this regard, the Financial Computer Security Incident Response Team (CSIRT-Fin) has put forth several suggestions and submitted a report to SEBI. The entities regulated by SEBI have been urged to adhere to these recommendations which have been reiterated in the circular, as an advisory. Further, the measures taken by the REs in compliance with said advisory have to be submitted along with the cybersecurity audit report.

Some of the practices enlisted in the advisory are as follows: –

  • Identification of phishing websites (through cyberspace monitoring) and reporting of said websites to CSIRT-Fin;
  • Conduction of security awareness campaigns to raise awareness about measures that could be taken to prevent phishing attacks, etc.;
  • Regular updating of operating systems and applications with the latest security patches;
  • Carrying out security audit or Vulnerability Assessment and Penetration Testing (VAPT) of the application on a regular basis;
  • Ensuring encryption of sensitive data, implementation of data protection measures, and devising detailed incident response plans;
  • Monitoring of all logs of events and incidents so that unusual patterns and behaviours can be identified;
  • Adoption of an optimized password strategy;
  • Setting down cybersecurity controls when availing services of third-party vendors.