From the perspective of governance, risk, and compliance Clause 49 of Listing requirements states companies to lay down procedures to inform Board of Directors about the risk assessment, risk minimization procedures and it’s periodic review. On the same lines SEBI has directed all the concerned on the subject vide their Circular no. SEBI/HO/MIRSD/CIR/PB/2018/147 dated December 03, 2018 to build a powerful focus on Cyber Security and recovery process. The directions majorly require:
- DP to prepare comprehensive – annual review in the Board meetings
- Make a senior designated officer
- Half-yearly review by Internal technology committee
- Define the responsibilities of vendor, employees, outsources staff, etc.
- Identify cyber risks and control measures
The person(s) in-charge of governance should ensure proper implementation of the policy framed in compliance with latest business governance framework like COBIT 5.
Access control
- Two-factor security
- User access log of at least 2 years
- Review access of privileged users
- Access deactivation of people leaving the organisation
- Physical Security
- Access to critical systems – restriction – accompanied by staff
- Use of Security Guard, CCTV, cards, etc.
- Network Security Management
- Establish Baseline standards, secured LAN and wireless networks
- Measures for servers running algorithmic trading applications
- Network security devices such as Firewalls, proxy servers, IDS
- Controls for Virus/malware/ransomware attack
- Data Security
- Identification of critical data – use of strong encryption for data in motion
- Control over open ports
- Application security in customer-facing applications
- Application authentication security, password policies, two-factor authentications
- Certification of off-the-shelf products
- Standardisation Testing and Quality Certification, intensive regression testing, configuration testing, etc.
- Patch Management
- Patch management procedures including identification, categorisation and prioritisation of patches and updates
- Rigorous testing procedures of patches before deployment
- Disposal of data, systems and storage devices
- Suitable policy including crypto shedding, degauss or such other procedures
- Data disposal and data retention policy
- Vulnerability Assessment and Penetration Testing (VAPT)
- Conduct assessment and detect security vulnerabilities
- Penetration testing of services available over the internet
- Reporting of gaps and remedial actions
- Monitoring and detection
- Monitoring security events, alerts and timely detection of unauthorised activities, changes, copying or transmission of data
- Ensuring high resilience, high availability and detection of attacks on system exposed over internet
- Response and recovery
- Response to alerts received to prevent the expansion of incident, mitigation and eradication of incident
- Restoration plan according to SEBI circulars
- Defined roles and responsibilities
- Sharing of information
- Quarterly reporting of cyber issues to Stock exchanges / SEBI within 15 days from the end of the quarter
- Training and education
- Make staff aware of IT issues, increasing awareness, focus on non-technical staff
- System managed by vendors
- Adherence to Cybersecurity policy and self-certifications
Periodic Audit requirement
The DPs and stockbrokers need to implement above IT-related policies from 1st April 2019. The systems need to be audited by CERT-IN empanelled auditor or in independent CISA/CISM qualified auditor on annual basis. The report so issued by him will his detailed check on the above areas and management comments on non-compliance areas.
Timelines
The annual audit report needs to be submitted within three months from the end of financial year. SEBI has recently extended due date of submission of system audit report from 30th June 2020 to 31st July 2020 vide its circular no. SEBI/HO/MIRSD/DOP/CIR/P/2020/62 dated April 24, 2020
Conclusion
In the world of uncertainties, growing cyber risks, it’s high time that all the organisations design and maintain internal controls with best of business practices. This will always add value to the business and will go a long way in business uninterrupted business growth.
The author can also be reached at saurabh.gupta@gsandco.in
CAclubindia
