SEBI Guidelines for Regulated Entities: A Step Towards a Resilient, Cybersecure Platform

March 3, 2023

INTRODUCTION

The rapid growth in technology, growing customer demand, a more tech-savvy workforce, an enabling policy framework and the Digital India Initiative have brought more and more people within the ambit of the digital world, shifting almost everything towards digitalisation.

However, while this shift towards digitalisation fuels the growth of India's digital economy, the concern over data breaches and cyber-crime rises with it. Data breaches and cyber-attacks have become rampant in India.

As per reports from the Ministry of Electronics and Information Technology (“MeitY”), nearly thirteen lakh cases of cyber-attacks were reported in 2022, which shows that no sector is immune from cybersecurity dangers. Data protection is therefore of paramount importance in India.

The Securities and Exchange Board of India (“SEBI”), considering the increase in cyber-attacks and the lack of a comprehensive and agile regulatory framework to handle the rapid advancement in cyber-crime, data theft and data compromise, has issued an advisory vide circular dated 22.02.2023 for its Regulated Entities (“REs”), based on the report of the Indian Computer Emergency Response Team (“CERT-In”).

In this article we discuss the best practices to be undertaken for protection against cyber fraud, the need for such guidelines, and how they will help create a safer and more secure digital framework for India.

THE NEED

The advancement and growth of the Internet have brought various benefits. However, growth and advancement eventually result in an increase in concerns, and one concern in particular is troubling people more and more: data privacy. The issue of data privacy is even more pressing for the Regulated Entities, for whom data security and trust are the base of every client relationship.

India currently does not have a standalone codified law so far as data protection and privacy are concerned. With regard to data protection, the industry is therefore primarily governed by the IT Act and the IT Rules, 2011. However, SEBI, considering the rapid increase in cyber-attacks, has introduced the advisory/guidelines so that its REs have preventive measures in place against cyber-attacks.

In present times data is the new gold, and naturally most companies require at least a basic amount of personal data before their goods or services can be sought. Because of the large amount of such information collected and stored through ITeS technology, the private information of a majority of the population becomes vulnerable to online cyber-attacks.

RISK MITIGATION GUIDELINES

Once a hacker or malware program gains access to a critical system, it is extremely difficult to avoid all damage: even before the breach is noticed, an external program can retrieve gigabytes of personal information. The safest way to ensure security is therefore to avoid the breach in the first place.

Accordingly, SEBI has issued certain guidelines which specifically focus on the mitigation of risk, which are as follows:

1. Role and responsibilities of a Chief Information Security Officer (CISO)

Internet dependence as well as rapid globalisation has seen profitable local businesses grow into massive multi-billion-dollar MNCs. To keep up with demand, such companies usually have hundreds if not thousands of employees, many of whom have access to sensitive corporate data.

Thus, one of the major issues faced by large corporations is the lack of technical knowledge among non-technical staff such as those in management, sales, HR etc. The role of a CISO should be not only to create and implement an effective security policy but also to educate the staff and other executives, in layman's terms, on how to follow this policy and how to avoid falling victim to cybersecurity threat actors.

2. Phishing attacks / websites

Phishing is the practice of falsely luring a user into interacting with a seemingly legitimate URL, email, advert or third-party application which, once clicked, redirects the user to a malicious third-party website through which ransomware, malware and trojans can enter the user's device. Phishing has become one of the most widely used ways for hackers to infiltrate systems. According to Symantec Corp, India is the leader in phishing attacks across the globe.

The directions mention that REs must proactively monitor and blacklist phishing websites and email IDs, as well as report them to CSIRT-Fin/CERT-In for appropriate action.

3. Patch Management and Vulnerability Assessment and Penetration Testing (VAPT)

The directions stress the importance of keeping all operating systems and applications updated with the latest patches on a timely basis, to ensure the systems are protected against the latest forms of malicious programs. Further, the directions also require the REs to ensure that all programs and applications required for daily functioning, such as Microsoft Office, Dropbox, Zendesk etc., are downloaded only from legitimate sources.

A security audit / Vulnerability Assessment and Penetration Testing (“VAPT”) of the application should be conducted on a regular basis to test the system's internal protection mechanisms.

4. Log retention

The directions mention the importance of having strong log retention in place, which refers to the practice of maintaining and archiving logs of all events on company systems, especially those activities related to internet access.

The REs are directed to monitor all logs of events and incidents to identify unusual patterns and behaviours, and also to keep up to date with the various advisories issued by CERT-In in relation to the same. REs are also advised to audit that all logs are actually being collected.

5. Outsourced agency risk concentration

Outsourcing of IT services is heavily practised across bigger corporations to save time, improve reliability and increase productivity. However, it has been noticed that a few service providers have come to be used by multiple REs because of their popularity and economic viability in the industry.

This leaves a gaping risk of security breach, as such providers do not always abide by strict security norms yet possess critical information on multiple REs. Thus, it has been directed that specific cybersecurity controls be prescribed for them, including audits of their systems and protocols by independent auditors, to mitigate such concentration risk.

6. Data Protection

The REs are to submit their cybersecurity audit report and are also directed to follow these directions and advisories in letter and spirit, implementing them promptly as and when received. The REs are also to abide by the Annual System Audit Framework, the Cybersecurity and Cyber Resilience Framework, as well as any other directions or guidelines issued to them. Additional compliances relating to data protection and data breach include:

    • REs are advised to prepare a detailed incident response plan.
    • Enforce effective data protection, backup, and recovery measures.
    • Encryption of the data at rest should be implemented to prevent the attacker from accessing the unencrypted data.
    • Identify and classify sensitive and Personally Identifiable Information (PII) data and apply measures for encrypting such data in transit and at rest.
    • Deploy data leakage prevention (DLP) solutions / processes.

7. Audit and ISO certification

The REs should have an external audit conducted by independent auditors empanelled by CERT-In, in compliance with SEBI's instructions. They are also advised to obtain ISO certification, as it provides reasonable assurance of the RE's preparedness with respect to cybersecurity.

8. Privilege management

Privilege management addresses the undue concentration of access privileges within the internal workforce of a company or entity. It is common practice for talented individuals in such organisations to be promoted to higher positions, which may also involve cross-department transfers.

This often results in such individuals retaining access to the systems and digital infrastructure of their earlier departments, which substantially increases the risk of severe damage if such individuals are somehow compromised.

Thus, the directions suggest implementing the principle of ‘least privilege’ to secure both on-premises and off-premises resources (i.e., zero-trust models). Zero Trust is rooted in the principle of trust nothing, verify everything.

9. Password Policy and Authentication Mechanism

Reliance on web applications and internet-based services is essential for modern-day institutions involved in oversight and logistics. Thus, to mitigate the chances of a breach arising from such activities, the directions lay out certain cybersecurity controls:

    • Institute web and email filters on the network
    • Block malicious domains/IPs after diligently verifying them, without impacting operations
    • Install a host-based firewall
    • Whitelist only trusted ports that have been scrutinised at the firewall, instead of blacklisting a few ports

The directions also suggest ways to improve password practices, such as enforcing strong passwords, periodically reviewing the accounts of ex-employees and preventing the reuse of the same password across multiple accounts. The directions further suggest implementing Multi-Factor Authentication (MFA) for all users of all critical applications, along with a Maker and Checker Framework for the same.

THE IMPLICATIONS

The advisory/guidelines issued by SEBI are aimed at establishing a risk-mitigating system in the REs, in order to ensure that such REs have in place a system for taking preventive steps to safeguard themselves from cyber-attacks and protect the interests of their investors.

These directions will increase the compliance burden for all such entities, but at the same time tremendously bolster the security of the assets and information of the investors stored with such REs. The directions will also increase awareness of the importance and role of CISOs, and of the modus operandi of digital attacks such as phishing, ransomware and malware.

AMLEGALS REMARKS

India has witnessed an alarming number of cybersecurity and data theft related incidents in recent years. A direct result of these data breaches and incidents is that Indian users' personal data is available to third parties over the Internet for nefarious use. There was therefore a pressing need for such directions to be implemented, to address these cybersecurity issues in an effective and stringent manner.

Up to 75% of global consumers use fintech services for various purposes such as contactless payments, internet-enabled mobile banking, micro-investing and online lending, and these fintech companies are regulated by many of the REs.

The REs have come to rely heavily on IT/ITeS elements to increase ease of access and promote swift execution. Naturally, an increasing number of financial crimes rely upon the exploitation of such critical digital infrastructure. These guidelines are a welcome step in laying down procedures for the mitigation of security breaches as well as for resolving them when they occur.

However, neither the circular itself nor the empowering Section 11 of the SEBI Act contains any penal provisions or provisions mandating disciplinary action. There is a likelihood that, without fear of oversight or repercussions, the guidelines will act as mere statements, which is a serious cause for concern in an industry where a single critical breach can result in serious financial setbacks for the government and grave injury to investors.

– Team AMLEGALS, assisted by Mr. Jason James (Intern)
