SEBI & Cyber Security
Most of us, especially those who invest in securities, are familiar with the stock markets, mutual funds and the investments made through them. It is very important to have a body that regulates the securities market and the matters connected with it. The Securities and Exchange Board of India (SEBI) is the body that takes care of all this. SEBI was established on April 12, 1992, in accordance with the provisions of the Securities & Exchange Board of India Act, 1992.
Cyber-attacks have hit the entire globe very hard in the recent decade. The primary reason is that hackers have evolved over time to a level well ahead of the existing security measures used by online merchants. SEBI therefore recognized the need for strict cybersecurity guidelines for brokers, who are major players in securities investment.
SEBI Guidelines for Stock-brokers & Sub-brokers on Cyber Security
As per SEBI, the stockbroker and sub-broker shall be bound by all the rules and regulations of SEBI and the relevant notifications issued by the government from time to time. Given below are some of the key highlights from SEBI for brokers on cyber-security:
- The stockbroker shall ensure that all ECNs (Electronic Communication) sent through e-mail are digitally signed, encrypted, non-tamperable and in compliance with the provisions of the IT Act, 2000. If an ECN is sent through e-mail as an attachment, the attached file shall also be secured with a digital signature and be in encrypted and non-tamperable form. To enable bulk digital signatures, the market today is flooded with Document Signing Software, which eases the burden of signing documents in bulk.
- The stockbroker would be responsible for keeping a backup of all ECNs in a soft and non-tamperable form, as per the compliance provisions of the IT Act, 2000 and the rules/regulations/guidelines issued by SEBI from time to time. The log report generated by the system at the time of sending the contract notes shall be maintained by the stockbroker for the specified period under the extant regulations of SEBI/stock exchanges. The log report would act as a store of the e-mails that were not delivered to the client or bounced back.
- If the ECNs have not been delivered to the client or have been rejected by the e-mail ID of the client, the stockbroker shall send a physical contract note to the client within the stipulated time under the extant regulations of SEBI/stock exchanges and maintain the proof of delivery of such physical contract notes.
- A stockbroker is eligible for providing Internet-based trading (IBT) and securities trading using wireless technology that shall include the use of devices such as mobile phone, laptop with a data card, etc. which use Internet Protocol (IP). The stockbroker shall comply with all requirements applicable to internet-based trading/securities trading using wireless technology as may be specified by SEBI & the Exchanges from time to time.
- The stockbroker shall bring to the notice of the client the features, risks, responsibilities, obligations, and liabilities associated with securities trading through wireless technology/internet/smart order routing or any other technology.
The Much-Required Course of Action
India will continue to face increasingly sophisticated and destructive cyber threats. Cyber-attacks use techniques and tools that help criminals evade detection with increasing refinement, and this has led the government to recognize cybersecurity as a “strategic domain” and devise strategies aimed at deepening cooperation at the international level. At a national level, some of the future key initiatives to be undertaken to further strengthen our cybersecurity maturity level are as follows:
- Cyber threat intelligence center
- Cyber workforce development
- R&D product development
- Security standards, Frameworks & Audit
Cybercriminals have modernized their techniques to take advantage of the gap between the adoption of digital technology and the implementation of effective security controls. There are ever-changing and emerging technologies that bring new conveniences and abilities to individuals and companies, but these also offer new opportunities and channels for attackers to commit their crimes. Being prepared in advance is the best defense against a fraud or cybersecurity attack.