
Markets regulator Securities and Exchange Board of India (SEBI) has asked stock exchanges and other key entities to put in place the necessary framework to safeguard systems, networks and databases from cyber attacks.

“Stock exchanges, depositories and clearing corporations are systemically important market infrastructure institutions (MIIs). As part of the operational risk management, these MIIs need to have robust cyber security framework to provide essential facilities and perform systemically critical functions relating to trading, clearing and settlement in securities market,” SEBI said in a circular. The regulator has asked these MIIs to put in place systems and also amend relevant by-laws within six months.

The regulator also added that once these cyber security policies are implemented by MIIs, it would review them every year. MIIs would also have to designate a senior official as chief information security officer whose function would be to assess, identify and reduce cyber security risks, respond to incidents and establish appropriate standards and controls.

The regulator also said that MIIs should send quarterly reports containing information on cyber attacks and threats experienced by the MII and the measures taken to mitigate vulnerabilities, threats and attacks, including information on bugs, vulnerabilities and threats that may be useful for other institutions.

SEBI also mandated that stock exchanges should ensure records of user access are uniquely identified and logged for audit and review purposes. “Such logs should be maintained and stored in encrypted form for a time period not less than two years,” SEBI said.

Other security measures by SEBI

– In 2013, the Indian government decided to include SEBI and Reserve Bank of India (RBI) among agencies that get access to Call Data Records (CDR) to help them track economic offences including insider trading.

– In August 2011, SEBI had sent a formal request to the Department of Telecommunications to include the board in the list of law enforcement or investigating agencies which can seek e-mail and call records from telecom service providers.

– In April 2013, SEBI was also looking to issue guidelines to companies on the use of Facebook, Twitter and social media for the dissemination of information to clients. SEBI also plans to hire staff to sift through social media for stock market tip-offs that could impact stock prices before official announcements.