Cybersecurity Challenges in India’s Financial Market
Since the beginning of this decade, India has made rapid strides in retail investing. There were over 40 million active demat accounts in 2020, a figure that has since ballooned to over 150 million. In the same year, it was also reported that 1 in 5 Indian households channel their savings into the financial market. This increased participation reflects growing confidence in our markets.
The role of stock brokers, custodians and depository participants in these markets is crucial to maintaining this confidence. Stock brokers facilitate the buying & selling of securities, custodians manage the securities of institutional investors and depository participants serve as intermediaries between investors and depositories, facilitating electronic storage & transfer of securities. They all have to facilitate millions of transactions daily, with the responsibility of keeping sensitive investor data safe. Negligence in carrying out this responsibility, even for a single transaction, could be highly detrimental in the face of increasing cyberattack attempts aimed at the sector. According to the 2023 Kaspersky Cybersecurity Report, India experienced a 25% increase in malware attacks on financial institutions last year.
SEBI’s Cybersecurity & Cyber Resilience Framework (CSCRF) Overview
Therefore, continuous monitoring for threats, combined with consistent improvement of security posture becomes crucial in upholding investor confidence and maintaining the sector’s upward trajectory. To that end, SEBI recently released the Cybersecurity & Cyber Resilience Framework (CSCRF) on August 20, 2024, which has several mandates for regulated entities (REs) including stock brokers, custodians and depository participants.
A major component of CSCRF, which helps in both continuous monitoring and strengthening your organization’s security posture, is the requirement of a 24x7x365 Security Operations Centre (SOC) to monitor, prevent, predict, detect, investigate and respond to cyber threats. This blog post walks through the various SOC requirements you have to meet as part of the framework, including the incorporation of advanced audits like vulnerability assessment & penetration testing (VAPT).
It is important to note here that your specific CSCRF requirements depend on the RE classification your organization falls under. There are 5 categories in the framework, listed here in decreasing order of stringency: Market Infrastructure Institutions (MIIs), qualified REs, mid-size REs, small-size REs and self-certification REs.
Stock Brokers: CSCRF SOC Requirements Based on Active Clients
For stock brokers, the classification is based on the number of active clients you have:

| Self-certification REs | Small-size REs | Mid-size REs | Qualified REs |
| --- | --- | --- | --- |
| Up to 10,000 active clients, without providing IBT or algo trading facilities | Up to 10,000 active clients if providing IBT/algo trading; otherwise between 10,000 and 50,000 active clients | Between 50,000 and 5 lakh active clients | Over 5 lakh active clients |

(Note: As per CSCRF guidelines, client-based stock brokers having fewer than 100 clients do not require a SOC.)
Custodians: Meeting CSCRF Mandates Based on AUC
For custodians, the classification is based on assets under custody (AUC):

| Small-size REs | Mid-size REs | Qualified REs |
| --- | --- | --- |
| Less than 1 lakh crore | Between 1 lakh crore and 10 lakh crore | Over 10 lakh crore |
Finally, depository participants are classified by type:

| Mid-size REs | Qualified REs |
| --- | --- |
| Non-institutional depository participants | Institutional depository participants |
SOC Options Under CSCRF: Choosing the Right Fit
Recognizing that setting up an in-house SOC could be a heavy burden for smaller REs, CSCRF provides three SOC options: your own/group SOC, a market SOC (implemented mandatorily by NSE & BSE and optionally by NSDL & CDSL) and a third-party managed SOC, like the state-of-the-art solution we at iValue possess. Note that small-size and self-certification REs are mandated to be on-boarded to the aforementioned market SOC. Also, qualified REs must measure the functional efficacy of their SOC every 6 months, while all other REs with a managed SOC must do so yearly. (Should you opt for our SOC solution, we will make this process extremely streamlined for your organization.)
The scope of your SOC with regard to your IT infrastructure shall cover, but not be limited to: networks, endpoints, activities of third parties, physical environments, malicious code, and monitoring of unauthorized personnel, devices, connections and software. Here are the key SOC functions as mandated by the framework:
- Continuous Monitoring: Constantly keeping an eye on all the aforementioned vectors, and immediately notifying relevant authorities whenever there is an instance of abnormal or suspicious behavior.
- Log Management: Aggregating and correlating data from various networks, endpoints, apps, firewalls, operating systems, etc. to establish a baseline for normal behaviour. These logs will also come in handy for your various audits, including VAPT, which we will get to soon.
- Threat Response: Acting as a ‘first responder’ during incidents, isolating endpoints and limiting the fallout with as little disruption to your business as possible. We have a robust incident management policy for the rare case of an incident occurring while you use our SOC.
- Alert Management: Monitoring all the alerts issued by the diverse tools of your cybersecurity package and closely analyzing each to discard false positives and determine the potential impact of threats.
- Root Cause Investigation: After an incident, SOCs are responsible for analyzing all relevant logs to identify the root cause and prevent its recurrence.
Additionally, for all REs except small-size and self-certification REs, SOCs are designed keeping in mind future capacity requirements (for data storage, processing power and communications capacity) to ensure future business objectives are met.
Vulnerability Assessments & Penetration Testing (VAPT): A Key Audit
Furthermore, to constantly measure the effectiveness of your SOC, cybersecurity audits must be conducted regularly. One essential audit is vulnerability assessment & penetration testing (VAPT), which has to be undertaken prior to commissioning new systems that are part of your critical infrastructure and after every major release of your applications or software. Vulnerability assessments scan systems, networks and apps for outdated software, missing patches, misconfigurations and insecure settings, while penetration testing simulates real-world attacks to test your security controls. For qualified REs, red teaming has to be undertaken on top of VAPT.
VAPTs have to be undertaken yearly, starting at the beginning of the financial year, for all REs except those identified as protected systems by NCIIPC – they have to do it twice a year. Additionally, self-certification REs are required to conduct VAPT audits through CERT-In empanelled auditing organizations. Stock brokers and depository participants must submit the report to their respective stock exchanges and depositories on the following timeline:
- The report has to be submitted 1 month after completion of VAPT activities.
- Closure of findings identified during the activities must be completed within 3 months of VAPT report submission.
- Revalidation must be completed within 5 months of submission.
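As an added example (not from the original post, nor iValue's own tooling), here is how a stock broker could encode the active-client classification table above together with the SOC and VAPT obligations from this section, so that its own CSCRF duties and VAPT deadlines can be computed and checked rather than read off by hand. The function and field names, the reading of exactly 50,000 clients as mid-size, and the calendar-month deadline arithmetic are our assumptions.

```python
from dataclasses import dataclass
from datetime import date
import calendar

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamped to the last day of the target month."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def classify_stock_broker(active_clients: int, offers_ibt_or_algo: bool) -> str:
    """RE category from the active-client thresholds in the page's table."""
    if active_clients <= 10_000:
        return "small-size" if offers_ibt_or_algo else "self-certification"
    if active_clients < 50_000:   # assumption (ours): exactly 50,000 is mid-size
        return "small-size"
    if active_clients <= 500_000:  # 5 lakh; only "over 5 lakh" is qualified
        return "mid-size"
    return "qualified"

@dataclass
class Obligations:
    category: str
    soc_required: bool          # page note: fewer than 100 clients need no SOC
    soc_options: tuple          # small/self-cert REs must onboard to the Market SOC
    soc_review_months: int      # SOC efficacy review: every 6 months if qualified, else yearly
    vapt_per_year: int          # 2 for NCIIPC-protected systems, else 1
    red_teaming: bool           # qualified REs only
    cert_in_auditor_required: bool  # self-certification REs

def stock_broker_obligations(active_clients: int, offers_ibt_or_algo: bool,
                             nciipc_protected: bool = False) -> Obligations:
    cat = classify_stock_broker(active_clients, offers_ibt_or_algo)
    small = cat in ("self-certification", "small-size")
    return Obligations(
        category=cat,
        soc_required=active_clients >= 100,
        soc_options=("market SOC",) if small
                    else ("own/group SOC", "market SOC", "third-party managed SOC"),
        soc_review_months=6 if cat == "qualified" else 12,
        vapt_per_year=2 if nciipc_protected else 1,
        red_teaming=cat == "qualified",
        cert_in_auditor_required=cat == "self-certification",
    )

def vapt_deadlines(completed: date) -> dict:
    submitted = add_months(completed, 1)            # report due 1 month after completion
    return {"report_due": submitted,
            "closure_due": add_months(submitted, 3),       # 3 months after submission
            "revalidation_due": add_months(submitted, 5)}  # 5 months after submission
```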
We know this sounds like a lot, and we also know that your prime focus should be on providing value for your investors. Therefore, by opting for iValue’s SOC solution, you free up time to do what you do best, with the confidence of knowing that our state-of-the-art suite will help minimize threats and maximize your security posture.
Our suite includes the following cutting-edge solutions:
- Continuous monitoring solutions including Splunk Observability for tracking network activity, Opentext ITOM for system performance monitoring, Zabbix for identifying potential security threats and Tenable for managing vulnerabilities effectively.
- Threat detection through SIEM solutions like Google Chronicle, Splunk, ArcSight and InnSpark for real-time monitoring, log management and correlation of security events. Additionally, we use threat intelligence platforms like Recorded Future, Anomali and Google Threat Intel to gather & analyze threat intelligence data, enhancing your response to threats.
- Incident response through SOAR solutions incorporating various security tools like Google Siemplify and Splunk Phantom to coordinate responses and ensure timely resolution of incidents. This is done by having predefined playbooks for the same.
- Root cause analysis through EnCase, which aids in remediation of incidents.
- VAPT solutions through a mix of tools like Nessus, Qualys and OpenVAS, combined with our strict adherence to CSCRF PT requirements.
You can effortlessly keep tabs on all these processes using our unified dashboard, which simplifies and streamlines the vast amounts of data received from these programs. It will aid you vastly in keeping track of your CSCRF requirements while minimizing the chance of an incident. It’s a win-win for your organization, and if you want to see the magic for yourself, click here for a demo of our SOC.