Cyber Security & Cyber Resilience framework for Stock Brokers and Depository Participants

From the perspective of governance, risk and compliance, Clause 49 of the Listing requirements requires companies to lay down procedures to inform the Board of Directors about risk assessment, risk minimisation procedures and their periodic review. On the same lines, SEBI has directed all concerned on the subject vide its Circular no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 to build a strong focus on Cyber Security and the recovery process. The directions majorly require:

  • DP to prepare a comprehensive policy, with an annual review in the Board meeting
  • Designate a senior officer responsible for cyber security
  • Half-yearly review by an internal technology committee
  • Define the responsibilities of vendors, employees, outsourced staff, etc.
  • Identify cyber risks and control measures

The persons in charge of governance should ensure proper implementation of the policy framed, in compliance with the latest business governance frameworks such as COBIT 5. The policy and the scope of the audit are summarised below.

  • Access control
    • Two-factor authentication
    • User access logs retained for at least 2 years
    • Review of the access of privileged users
    • Access deactivation for people leaving the organisation
  • Physical Security
    • Access to critical systems restricted; visitors accompanied by staff
    • Use of security guards, CCTV, access cards, etc.
  • Network Security Management
    • Establish Baseline standards, secured LAN and wireless networks
    • Measures for servers running algorithmic trading applications
    • Network security devices such as Firewalls, proxy servers, IDS
    • Controls for Virus/malware/ransomware attack
  • Data Security
    • Identification of critical data; use of strong encryption for data in motion
    • Control over open ports
  • Application security in customer-facing applications
    • Application authentication security, password policies, two-factor authentication
  • Certification of off-the-shelf products
    • Standardisation Testing and Quality Certification, intensive regression testing, configuration testing, etc.
  • Patch Management
    • Patch management procedures including identification, categorisation and prioritisation of patches and updates
    • Rigorous testing procedures of patches before deployment
  • Disposal of data, systems and storage devices
    • Suitable policy including crypto-shredding, degaussing or other such procedures
    • Data disposal and data retention policy
  • Vulnerability Assessment and Penetration Testing (VAPT)
    • Conduct assessment and detect security vulnerabilities
    • Penetration testing of services available over internet
    • Reporting of gaps and remedial actions
  • Monitoring and detection
    • Monitoring of security events and alerts, and timely detection of unauthorised activities, changes, copying or transmission of data
    • Ensuring high resilience, high availability and detection of attacks on systems exposed over the internet
  • Response and recovery
    • Response to alerts received, to prevent expansion of the incident, followed by mitigation and eradication of the incident
    • Restoration plan according to SEBI circulars
    • Defined roles and responsibilities
  • Sharing of information
    • Quarterly reporting of cyber issues to Stock exchanges / SEBI within 15 days from the end of quarter
  • Training and education
    • Make staff aware of IT security issues, increasing awareness with a focus on non-technical staff
  • System managed by vendors
    • Adherence to the cyber security policy and self-certification by vendors

Periodic Audit requirement

The DPs and stock brokers need to implement the above IT-related policies from 1st April 2019. The systems need to be audited annually by a CERT-IN empanelled auditor or an independent CISA/CISM qualified auditor. The report issued by the auditor will contain a detailed check on the above areas and management comments on the areas of non-compliance.

The annual audit report needs to be submitted within three months from the end of the financial year. SEBI has recently extended the due date for submission of the system audit report from 30th June 2020 to 31st July 2020 vide its circular no. SEBI/HO/MIRSD/DOP/CIR/P/2020/62 dated April 24, 2020.

In a world of uncertainties and growing cyber risks, it is high time that all organisations design and maintain internal controls in line with the best business practices. This will always add value to the business and will go a long way towards uninterrupted business growth.