Data Security Concerns in the Capital Market: Learning from Past Mistakes

December 6, 2023

INTRODUCTION

Numerous cyber attacks have been witnessed in the recent past, including illegal trading in the capital market: the National Stock Exchange (hereinafter referred to as “NSE”) co-location scam, the alleged Chinese intelligence attack on NSE and the malware attack on Central Depository Services (India) Limited (hereinafter referred to as “CDSL”).

In fact, the co-location scam went undetected for many years and was unveiled only after a complaint by a whistleblower. NSE then filed a defamation case seeking hefty damages rather than addressing the lack of appropriate governance and IT infrastructure to protect its data.

These attacks, in themselves, pose a serious threat to the data privacy of all stakeholders in the capital market, and although mitigation should be the priority, there has been an increase in insider trading following capital market data breaches. As per a survey conducted by the International Organization of Securities Commissions (hereinafter referred to as “IOSCO”), almost half of the world’s securities exchanges have experienced some form of cyberattack.

Let us examine the pressing need for protecting capital market data, the major vulnerabilities, the responsibilities of the regulatory bodies and the way ahead.

IMPORTANCE OF CAPITAL MARKET DATA

It is needless to say that all industries, and the capital market in particular, run on data. The stock market, especially, functions on the time and sales data of stocks. Market data comprises pricing, market size, bid and ask, etc. at a given time. Other data is also involved, such as market tips, recent business developments and government compliance notifications, all of which affect the decision-making process.

Stakeholders collect this data, assess the information it provides, convert it into knowledge and take strategic investment decisions accordingly. The faster the assessment, the higher the chances of financial gain; hence latency is important.

However, a critical concern arises from this direct correlation between how quickly a stakeholder retrieves data and the probability of making beneficial investment decisions. Any malpractice that lets one party retrieve data before others can cause crippling losses to the other investors.

The sustainability of listed companies substantially relies on the steady operation of the capital market. Inadequate cybersecurity and data protection measures pose direct risks to its operation and are unfairly disadvantageous to various stakeholders. Due to the increased adoption of information technology infrastructure after the digital revolution, the capital market is more vulnerable to data breaches caused by either external threats or internal vulnerabilities.

ROLES OF THE CAPITAL MARKET REGULATORY AND OTHER NODAL BODIES

1. The Securities and Exchange Board of India (hereinafter referred to as “SEBI”) was created by the Ministry of Finance through the Securities and Exchange Board of India Act, 1993 (hereinafter referred to as the “SEBI Act”), to govern stock exchange activities within India.

The preamble of the SEBI Act states its objects as protecting the interests of investors and developing and regulating the securities market. It essentially has the responsibility of upholding and protecting constitutional values by ensuring fair competition within the industry. It also has the power to make rules and regulations for anyone associated with the market, the market itself and its intermediaries, and to call for inquiries or audits whenever deemed appropriate.

2. The Reserve Bank of India (hereinafter referred to as “RBI”) is the central bank managing the entire financial system of India. Although RBI does not regulate the capital market directly in the manner SEBI does, its policies influence it.

For example, RBI is responsible for regulating the clearing and settlement process in the stock market.

3. NSE is the biggest stock exchange in India, registered under the Securities Contracts (Regulation) Act, 1956, with the responsibility of providing a platform for transparent securities trading and maintaining the international standards followed in the capital market.

4. The Indian Computer Emergency Response Team (hereinafter referred to as “CERT-In”) is an organisation of the Ministry of Electronics and Information Technology, Government of India, with the objective of securing Indian cyber space.

CERT-In is designated as the National Nodal Agency for Incident Response under Section 70B of the Indian Information Technology Act, 2000 (hereinafter referred to as the “IT Act”). Under the IT Amendment Act, 2008, CERT-In has been designated to perform the following functions in the area of cyber security:

  • Collection, analysis and dissemination of information on cyber incidents.
  • Forecasts and alerts of cyber security incidents.
  • Emergency measures for handling cyber security incidents.
  • Coordination of cyber incident response activities.
  • Issuing guidelines, advisories, vulnerability notes and whitepapers relating to information security practices, procedures, prevention, response and reporting of cyber incidents.

DATA SECURITY CONCERNS IN THE CAPITAL MARKET

Major data security concerns arise either from external threats or from internal vulnerabilities. It can reasonably be said that external threats can only hamper the capital market when there are vulnerabilities in the IT infrastructure on which it runs, while internal vulnerabilities are determined by the workforce of the institution.

1. Direct relation between external threats and infrastructural vulnerabilities

  • The digital revolution has made the capital market industry far more accessible to anyone with a phone; thanks to technological advancement, investing in the stock market has never been easier. However, along the way, safety and security were overlooked as ease was prioritised over protection. As per reports, India ranks among the top three countries globally as a victim of risk events, including cyberattacks.
  • Organised cyber-attacks on various financial institutions in India have highlighted the need for strengthened safety and security of IT infrastructure in the capital market industry. A few of the well-known cases are the alleged Chinese intelligence attack on NSE servers, the malware attack on CDSL and the data breach at the stock trading company Upstox.
  • In the case of the alleged Chinese intelligence attack on NSE servers, the entire stock exchange came to a halt due to the cyber-attack on NSE’s co-location facilities. Later, the Government issued a press statement addressing the high possibility of Chinese intelligence involvement in the case. It is only reasonable to conclude that NSE’s co-location facility severely lacks appropriate safety and security measures to address sophisticated cyberattacks, given that there have been multiple violations of data privacy in various other cases.
  • In the Upstox data breach, the data of 2.5 million users, comprising personal details including Aadhaar card information, was leaked. It is a common trend that data obtained through such cyberattacks is sold on the dark web. The case is a prime example of an improper and weak cyber security system.
  • In the malware attack on CDSL, its inadequate safety and security infrastructure meant that its depository functions came to a halt and various settlement operations were delayed because of malware on its internal machines. Malware attacks typically target companies with weak IT infrastructure or with workforce vulnerabilities.

2. Direct relation between internal vulnerabilities and the workforce

  • With the adoption of new and extremely efficient technical systems, most tasks are now undertaken by machines rather than humans. However, managing these machines requires appropriate training of the workforce. The human element creates potential incidents that can negatively affect the capital market industry, such as the accidental or mistaken sharing of data, or the malicious obtaining and manipulation of data for undue gain by someone with access to the IT infrastructure.
  • In the NSE co-location scam, it has been alleged that NSE personnel gave certain privileged stock brokers unauthorised access to the support servers of NSE’s co-location facility, giving them an undue advantage: they received important market data, crucial for sound investment decisions, before any other broker in the field.

This case shows that manipulation of advanced technology leads to unfair trade practices and unauthorised access to data if proper checks and balances are not in place. Hence, an appropriate system for managing the workforce, together with ethical training, can protect against corrupt activities. Furthermore, IT infrastructure with better security can be installed to ensure that any unauthorised access is immediately flagged and investigated.

AMLEGALS REMARKS

Ironically, the capital market in India is vulnerable to cyberattacks because investment has been wrongly prioritised towards advancement without appropriate safety and security measures. However, Government institutions have undertaken active efforts, such as NSE’s ‘Cyber Swachhta Kendra’ initiative, which provides free-of-cost cleaning of computers to remove malware. Furthermore, SEBI has provided a cyber security framework to address and prevent cyberattacks in its Circular No. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018. The latest development is the effort of NSE and BSE to incorporate a competent disaster recovery system.

However, cybercrime tends to stay ahead of the curve in advancement and sophistication, driven by the motive to harm and to gain undue advantage. Stakeholders engaged in the capital market are advised to invest in better IT architecture for data protection and to use technology to further reduce human error and manipulation, through data governance, encryption, and identity and access management and control.

Expert technology organisations suggest the integrated 3S approach: the first step is to simplify, choosing a top-down approach in which risk tolerance is determined by the sensitivity of the data in one’s possession; the second step is to secure the data by installing safety measures in line with compliance mandates and security programme governance; and the last step is to sustain, by having partnerships with various securities platforms. Furthermore, incorporating ethical training can help in understanding the importance of data protection and the potential violation of the fundamental right to privacy.

-Team AMLEGALS assisted by Ms. Devyani Mishra (Intern)


For any query or feedback, please feel free to get in touch with dataprivacy@amlegals.com or tanmay.banthia@amlegals.com or mridusha.guha@amlegals.com
