Debit Card Fraud: Sebi plans greater push to secure marketplace from cyber risks
Markets regulator Sebi is mulling a greater push to put in place strong safeguards against cyber threats to bourses, brokerages and other entities, amid concerns over the largest-ever banking data breach wherein 32 lakh debit cards are feared to have been 'compromised'.
The regulator will also look at the best global practices in this regard, including through inputs from the regulatory authorities in advanced markets, while consultations will be held with government entities as well as with information technology and cyber security experts, a senior official said.
The Securities and Exchange Board of India (Sebi), which is mandated to regulate stock exchanges, clearing corporations, brokerages, portfolio managers, fund houses, rating agencies and a host of other entities in the capital market space, is already in the process of appointing a chief IT security officer to oversee various initiatives aimed at protecting the marketplace from cyber threats.
The regulator has further beefed up its efforts and wants to fast-track the work on a new and stronger policy framework in the areas of cyber security in the wake of the recent suspected compromise of 32 lakh debit cards across various banks, presumably due to a cyber malware attack in the ATM network systems of a private sector bank, the official said.
The matter assumes significance as the entire marketplace is closely linked and a cyber security threat in one segment of the capital markets can prove to be disastrous for other segments as well.
The official said the regulator is looking to beef up its own surveillance and risk management systems, as well as those of the market infrastructure entities, to check any cyber threats, while various intermediaries would also be asked to strengthen their respective systems, networks and databases.
Given the dynamic nature of new technologies, the risk management systems would also need to keep evolving so as to keep pace with the newer kinds of threats that may come to the fore, the official added.
Sebi will appoint a Chief Information Technology Security Officer, who will be responsible for strengthening its regulatory policy framework in the area of cyber security.
The Officer would oversee implementation of these regulatory policies across security markets and also help enhance capacity building at Sebi and various market participants with respect to cyber security.
Sebi would also develop a stress testing mechanism to mitigate risk arising out of cyber attacks, while the necessary framework would be put in place for taking corrective measures and prudent response in case of cyber attacks at the regulator or market participants.
In a recent interaction, Sebi Chairman U K Sinha raised concerns about the growing cyber security threat to markets.
"We have some guidelines in place but there is a need to revamp them. We are working with experts to address the gaps and appropriate action would be taken soon. There are some government agencies also looking into the aspects of cyber security from the perspective of national security and they have also given us some inputs," he said.
Earlier, Sinha had said cyber attacks are now occurring in a more sophisticated manner, while he had also raised concerns about state-sponsored cyber attacks from abroad.
"We are worried over state-sponsored cyber attacks. There are worries that the vulnerability in markets is increasing. We need to create a framework for future plan of action on securities market resilience," he had said.
Last year, Sebi had asked all exchanges, clearing corporations and depositories to put in place a robust cyber security framework for systemically critical functions of trading, clearing and settlement in the securities market.
Sebi has also asked Market Infrastructure Institutions (MIIs) to restrict access controls, whenever necessary. "No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.
"MIIs should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users)," Sebi said.