NSE advisory for SEBI Regulated Entities (REs) regarding Cyber Security best practices

NSE vide Circular dated June 09, 2023 has issued an advisory for SEBI Regulated Entities (REs) regarding Cyber Security best practices in furtherance of SEBI circular dated February 22, 2023. All trading members are advised to submit compliance status to the Exchange latest by September 30, 2023.

The following are the significant measures suggested as best practices:

Measures against Phishing Attacks/Websites:

  1. Proactive monitoring of cyberspace to identify phishing websites related to the organization’s domain and reporting them to the appropriate authorities for action.
  2. Implementing security awareness campaigns to educate employees about the risks of clicking on links and attachments in emails. Referring to advisories issued by CERT-In/CSIRT-Fin for conducting exercises on public awareness.

Patch Management and Vulnerability Assessment and Penetration Testing (VAPT):

  1. Regularly updating operating systems and applications with the latest patches. Considering virtual patching as an interim measure for zero-day vulnerabilities and where patches are not available.
  2. Conducting security audits and VAPT of applications in accordance with SEBI’s circulars. Resolving any observed gaps within the prescribed timelines.

Measures for Data Protection and Data Breach:

  1. Preparing a detailed incident response plan.
  2. Enforcing effective data protection, backup, and recovery measures.
  3. Implementing encryption for data at rest to prevent unauthorized access.
  4. Identifying and classifying sensitive and Personally Identifiable Information (PII) data and applying encryption measures for data in transit and at rest.
  5. Deploying data leakage prevention (DLP) solutions/processes.

Log Retention:

  1. Implementing a strong log retention policy in compliance with SEBI regulations, CERT-In requirements, and the IT Act 2000.
  2. Auditing the collection of all logs and monitoring them to identify unusual patterns and behaviors.

Password Policy/Authentication Mechanisms:

  1. Implementing a strong password policy, including periodic review of ex-employee accounts, prohibiting password reuse, and avoiding storage of password lists on systems.
  2. Enabling multi-factor authentication (MFA) for all users, particularly for online/internet connections, virtual private networks, webmail, and critical systems.
  3. Implementing a Maker and Checker framework for modifying user rights and enabling MFA for user accounts accessing critical applications.

Privilege Management:

  1. Implementing a Maker-Checker framework for modifying user rights in internal applications.
  2. Implementing a “least privilege” approach to mitigate insider threats and provide security for both on- and off-premises resources.

Cybersecurity Controls:

  1. Deploying web and email filters on the network to scan and block known bad domains, sources, and addresses.
  2. Blocking malicious domains/IPs after verification and referring to CSIRT-Fin/CERT-In advisories for the latest information.
  3. Restricting the execution of “powershell” and “wscript” in enterprise environments, using the latest version of PowerShell with enhanced logging, and utilizing host-based firewalls to limit attack activities.
  4. Whitelisting business-essential ports at the firewall level and blocking all other ports by default.

Security of Cloud Services:

  1. Checking the public accessibility of all cloud instances to prevent inadvertent data leakage.
  2. Ensuring proper security of cloud access tokens, avoiding their exposure in website source code or configuration files.
  3. Implementing appropriate security measures for testing, staging, and backup environments hosted on the cloud and keeping them segregated from the production environment.
  4. Considering hybrid data security tools that operate in a shared responsibility model for cloud-based environments.