legaleraonline.com 2018-12-10 11:24:00
Recognizing the need for a robust Cyber Security and Cyber Resilience framework at Market Infrastructure Institutions (MIIs), i.e., Stock Exchanges, Clearing Corporations, and Depositories, the Securities and Exchange Board of India (SEBI) issued a Circular presenting a detailed regulatory framework on cyber security and cyber resilience.

The Circular states:

1. This Circular is being issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992 and Section 19 of the Depositories Act, 1996 to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

2. With a view to further strengthening the aforesaid framework, particularly in respect of monitoring of cyber threats and cyber resiliency, the matter was discussed with SEBI's Technical Advisory Committee (TAC), SEBI's High Powered Committee on Cyber Security (HPSC-CS), and the MIIs.

3. Accordingly, it has been decided that MIIs shall have a Cyber Security Operation Center (C-SOC) that would be a 24x7x365 set-up manned by dedicated security analysts to identify, respond, recover, and protect from cyber security incidents.

4. The C-SOC shall function in accordance with the framework specified in SEBI Circular CIR/MRD/DP/13/2015 dated July 06, 2015. An illustrative list of the broad functions and objectives to be carried out by a C-SOC is given hereunder:

4.1. Prevention of cyber security incidents through proactive actions:
(a) Continuous threat analysis,
(b) Network and host scanning for vulnerabilities and breaches,
(c) Countermeasure deployment coordination,
(d) Deploying adequate and appropriate technology at the perimeter to prevent attacks originating from the external environment, and internal controls to manage insider threats. MIIs may implement necessary controls to achieve a zero trust security model.

4.2. Monitoring, detection, and analysis of potential intrusions / security incidents in real time and through historical trending on security-relevant data sources.

4.3. Response to confirmed incidents, by coordinating resources and directing the use of timely and appropriate countermeasures.

4.4. Analysis of the intrusions / security incidents (including Forensic Analysis and Root Cause Analysis) and preservation of evidence.

4.5. Providing situational awareness and reporting on cyber security status, incidents, and trends in adversary behavior to appropriate organizations, including CERT-In and NCIIPC.

4.6. Engineering and operating network defense technologies such as Intrusion Detection Systems (IDSes) and data collection / analysis systems.

4.7. MIIs to adopt security automation and orchestration technologies in the C-SOC to automate incident identification, analysis and response as per the defined procedures.

5. Further to the above, the C-SOC of an MII shall, at the minimum, undertake the following activities:

5.1. In order to detect intrusions / security incidents in real time, the C-SOC should monitor and analyze on a 24x7x365 basis the relevant logs of the MII's network devices, logs of the MII's systems, data traffic, suitable cyber intelligence (intel) feeds sourced from reliable vendors, inputs received from other MIIs, inputs received from external agencies such as CERT-In, etc. The cyber intelligence (intel) feeds may include cyber news feeds, signature updates, incident reports, threat briefs, and vulnerability alerts.

5.2. To this end, appropriate alert mechanisms should be implemented, including a comprehensive dashboard, tracking of key security metrics, and cyber threat scorecards.

5.3. The C-SOC should conduct continuous assessment of the threat landscape faced by the MII, including undertaking periodic VAPT (Vulnerability Assessment and Penetration Testing).

5.4. The C-SOC should have the ability to perform Root Cause Analysis, Incident Investigation, Forensic Analysis, Malware Reverse Engineering, etc. to determine the nature of the attack and the corrective and/or preventive actions to be taken.

5.5. The C-SOC should conduct periodic (at the minimum quarterly) cyber attack simulations to aid in developing cyber resiliency measures. The C-SOC should develop and document mechanisms and standard operating procedures to recover from cyber-attacks within the stipulated RTO of the MII. The C-SOC should also document various scenarios and standard operating procedures for resuming operations from the Disaster Recovery (DR) site of the MII.

5.6. The C-SOC should conduct periodic awareness and training programs at the MII and for its members / participants / intermediaries with regard to cyber security, situational awareness and social engineering.

5.7. The C-SOC should be capable of preventing attacks similar to those already faced. The C-SOC should also deploy multiple honeypot services which are dynamic in their characteristics, to avoid being detected as honeypots by attackers.

6. As building an effective C-SOC requires an appropriate mix of the right people, suitable security products (Technology), and well-defined processes and procedures (Processes), an indicative list of areas that MIIs should consider while designing and implementing a C-SOC is as follows:

6.1. The MII shall ensure that the governance and reporting structure of the C-SOC is commensurate with the risk and threat landscape of the MII. The C-SOC shall be headed by the Chief Information Security Officer (CISO) of the MII. The CISO shall be designated as a Key Managerial Personnel (KMP), and the relevant provisions relating to KMPs in the SEBI Securities Contracts (Regulation) (Stock Exchanges and Clearing Corporations) Regulations, 2012 and the subsequent circulars issued by SEBI relating to KMPs shall apply to the CISO.

6.2. While the CISO is expected to work closely with various departments of the MII, including the MII's Network team, Cyber Security team and Information Technology (IT) team, etc., the CISO shall report directly to the MD & CEO of the MII.

6.3. The roles and responsibilities of the CISO may be drawn from Ministry of Electronics and IT notification No. 6(12)/2017-PDP-CERT-In dated March 14, 2017.

6.4. The C-SOC should deploy appropriate technology tools of adequate capacity to cater to its requirements. Such tools shall, at the minimum, include a Security Analytics Engine, Malware detection tools, Network and User Traffic Monitoring and Behavior Analysis systems, Predictive Threat Modelling tools, tools for monitoring of system parameters for critical systems / servers, Deep Packet Inspection tools, Forensic Analysis tools, etc.

6.5. Each MII is advised to formulate a Cyber Crisis Management Plan (CCMP) based on its deployed architecture, the threats faced and the nature of its operations. The CCMP should define the various cyber events, incidents and crises faced by the MII, the extant cyber threat landscape, the cyber resilience envisaged, incident prevention, cyber crisis recognition, and the mitigation and management plan. The CCMP should be approved by the respective Standing Committee on Technology / IT-Strategy Committee of the MII and the governing board of the MII. The CCMP should also be reviewed and updated annually.

6.6. The C-SOC should have well-defined and documented processes for monitoring of its systems and networks, analysis of cyber security threats and potential intrusions / security incidents, usage of the appropriate technology tools deployed by the C-SOC, classification of threats and attacks, escalation hierarchy of incidents, response to threats and breaches, and reporting (internal and external) of incidents.

6.7. The C-SOC should employ domain experts in the fields of cyber security and resilience, network security, data security, end-point security, etc.

6.8. The MIIs are also advised to build a contingent C-SOC at their respective DR sites with identical capabilities w.r.t. the primary C-SOC, in line with SEBI Circular CIR/MRD/DMS/12/2012 dated April 13, 2012 read with SEBI Circular CIR/MRD/DMS/17/2012 dated June 22, 2012. Additionally, the MIIs should perform monthly live operations from their DR C-SOC.

6.9. The C-SOC should document the cases and escalation matrices for declaring a disaster.

7. In view of the feedback received from MIIs, it has been decided that MIIs may choose any of the following models to set up their C-SOC:
(i) MII's own C-SOC manned primarily by its internal staff,
(ii) MII's own C-SOC, staffed by a service provider but supervised by full-time staff of the MII (refer to 7.3),
(iii) C-SOC that may be shared by the MII with its group entities (that are also SEBI-recognized MIIs),
(iv) C-SOC that may be shared by the MII with other SEBI-recognized MII(s).

7.1. The responsibility for cyber security of an MII, adherence to business continuity and recovery objectives, etc. should lie with the respective MII, irrespective of the model adopted for the C-SOC.

7.2. The respective risk committee(s) of the MII should evaluate the risks of outsourcing the respective activity.

7.3. The MII may outsource C-SOC activities in line with the guidelines given in Annexure-A.

8. A report on the functioning of the C-SOC, including details of cyber-attacks faced by the MII, major cyber events warded off by the MII, cyber security breaches and data breaches, should be placed on a quarterly basis before the board of the MII.

9. The system auditor of the MII shall audit the implementation of the aforesaid guidance in the annual system audit of the MII. The Scope and/or Terms of Reference (ToR) of the annual system audit would accordingly be modified to include audit of the implementation of the aforementioned areas.

10. Further, in continuation of the requirement specified at para 52 of Annexure A to the aforementioned SEBI Circular dated July 06, 2015, the C-SOC shall share relevant alerts and attack information with members / participants / intermediaries of the MII, other MIIs, external cyber response agencies such as CERT-In, and SEBI.

11. MIIs are directed to take necessary steps to put in place appropriate systems and processes for implementation of the Circular, including necessary amendments to the relevant bye-laws, rules and regulations, if any, within six months from the date of the Circular. Where an MII currently has a C-SOC set-up that differs from those mentioned at para 7(i) - 7(iv), such MIIs are directed to adopt and transition to one of the models mentioned at para 7(i) - 7(iv) within a period of one year from the date of issuance of this Circular.

The Annexure presented in the Circular provides a detailed explanation of the level-of-support definitions for outsourcing / in-house:
Security Analyst Level 1 (L1): This function may be mostly outsourced;
Security Analyst Level 2 (L2): Combination of Outsource / In-House;
Security Analyst Level 3 (L3): Combination of Outsource / In-House;
SOC Manager (L4): In-house; and
Security Subject Matter Expert for Security technologies: In-house with reliance on external expertise.

The Circular also provides information on Illustrative Training Requirements.

To view the Official Circular in detail, please view the file attached herein.
legaleraonline.com 2018-12-04 13:13:00
On December 03, the Securities and Exchange Board of India (SEBI) issued a Circular, in exercise of the powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992, to the Managing Directors of all Recognized Stock Exchanges and Depositories, providing them with a Cyber Security & Cyber Resilience framework in order to protect the interests of investors in securities and to promote the development of, and to regulate, the securities market.

Notably, the guidelines annexed with this circular shall be effective from April 1, 2019.

The Circular stated, "Rapid technological developments in securities market have highlighted the need for maintaining robust cyber security and cyber resilience framework to protect the integrity of data and guard against breaches of privacy. Since stock brokers and depository participants perform significant functions in providing services to holders of securities, it is desirable that these entities have robust cyber security and cyber resilience framework in order to provide essential facilities and perform systemically critical functions relating to securities market."

It added, "Accordingly, after discussions with Exchanges, Depositories and Stock Brokers' and Depository Participants' associations, a framework on cyber security and cyber resilience has been designed. The framework would be required to be complied by all Stock Brokers and Depository Participants registered with SEBI."

The Circular also specified the relevant functions that should be performed by the Stock Exchanges and Depositories, which are as follows:
a) make necessary amendments to the relevant byelaws, rules, and regulations for the implementation of the above direction;
b) bring the provisions of this Circular to the notice of their members / participants and also disseminate the same on their websites; and
c) communicate to SEBI the status of implementation of the provisions of this circular in their Monthly Report.

Regarding the Governance perspective, the Circular states:

1. The Cyber Security framework includes measures, tools and processes that are intended to prevent cyber-attacks and improve cyber resilience. Cyber Resilience is an organization's ability to prepare for and respond to a cyber-attack and to continue operation during, and recover from, a cyber-attack.

2. As part of the operational risk management framework to manage risk to systems, networks and databases from cyber-attacks and threats, Stock Brokers / Depository Participants should formulate a comprehensive Cyber Security and Cyber Resilience policy document encompassing the framework mentioned hereunder. In case of deviations from the suggested framework, the reasons for such deviations, technical or otherwise, should be provided in the policy document. The policy document should be approved by the Board / Partners / Proprietor of the Stock Broker / Depository Participant. The policy document should be reviewed by the aforementioned group at least annually with a view to strengthening and improving its Cyber Security and Cyber Resilience framework.

3. The Cyber Security Policy should include the following process to identify, assess, and manage Cyber Security risk associated with processes, information, networks and systems:
a) 'Identify' critical IT assets and the risks associated with such assets.
b) 'Protect' assets by deploying suitable controls, tools and measures.
c) 'Detect' incidents, anomalies and attacks through appropriate monitoring tools / processes.
d) 'Respond' by taking immediate steps after identification of the incident, anomaly or attack.
e) 'Recover' from the incident through incident management and other appropriate recovery mechanisms.

4. The Cyber Security Policy of Stock Brokers trading through API-based terminals / Depository Participants should consider the principles prescribed by the National Critical Information Infrastructure Protection Centre (NCIIPC) of the National Technical Research Organization (NTRO), Government of India (titled 'Guidelines for Protection of National Critical Information Infrastructure') and subsequent revisions, if any, from time to time.

5. Stock Brokers trading through API-based terminals / Depository Participants may refer to best practices from international standards like ISO 27001, COBIT 5, etc., or their subsequent revisions, if any, from time to time.

6. Stock Brokers / Depository Participants should designate a senior official or management personnel (henceforth referred to as the "Designated Officer") whose function would be to assess, identify, and reduce security and Cyber Security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the Cyber Security Policy.

7. The Board / Partners / Proprietor of the Stock Brokers / Depository Participants shall constitute an internal Technology Committee comprising experts. This Technology Committee should, on a half-yearly basis, review the implementation of the Cyber Security and Cyber Resilience policy approved by their Board / Partners / Proprietor. Such review should include a review of their current IT and Cyber Security and Cyber Resilience capabilities, set goals for a target level of Cyber Resilience, and establish plans to improve and strengthen Cyber Security and Cyber Resilience. The review shall be placed before the Board / Partners / Proprietor of the Stock Brokers / Depository Participants for appropriate action.

8. Stock Brokers / Depository Participants should establish a reporting procedure to facilitate communication of unusual activities and events to the Designated Officer in a timely manner.

9. The Designated Officer and the Technology Committee of the Stock Brokers / Depository Participants should periodically review instances of cyber-attacks, if any, domestically and globally, and take steps to strengthen the Cyber Security and Cyber Resilience framework.

10. Stock Brokers / Depository Participants should define the responsibilities of their employees, outsourced staff, and employees of vendors, members or participants and other entities who may have privileged access to or use the systems / networks of Stock Brokers / Depository Participants, towards ensuring the goal of Cyber Security.

The Circular also provides details on:
• IDENTIFICATION
• PROTECTION - Access controls; Physical Security; Network Security Management; Data security; Hardening of Hardware and Software; Application Security in Customer Facing Applications; Certification of off-the-shelf products; Patch management; Disposal of data, systems, and storage devices; Vulnerability Assessment and Penetration Testing (VAPT)
• MONITORING AND DETECTION
legaleraonline.com 2018-12-04 12:18:00
December 04, 2018

SEBI: Deadline extended for Transfer of securities only in demat form

The Securities and Exchange Board of India (SEBI) on December 03 issued a Press Release regarding the extension of the date for transfer of securities only in demat form till April 1, 2019.

The Release stated, "The Board, on March 28, 2018, decided that except in case of transmission or transposition of securities, requests for effecting transfer of securities shall not be processed unless the securities are held in the dematerialized form with a depository. This measure was to come into effect from December 5, 2018."

It concluded, "Subsequently, SEBI has received representations from shareholders for extension of the date of compliance. In view of the same, the deadline has been extended and the aforesaid requirement of transfer of securities only in demat form shall now come into force from April 1, 2019."