SEBI guidelines for MIIs regarding Cyber security and Cyber resilience

SEBI on August 29, 2023 has issued guidelines for Market Infrastructure Institutions(MIIs) regarding Cyber security and Cyber resilience. The following guidelines outline essential practices that MIIs should adopt to enhance their market infrastructure security:

1. Data Backup and Testing: MIIs must maintain offline, encrypted backups of data and regularly test these backups at least quarterly. This ensures the confidentiality, integrity, and availability of crucial information in the event of a cyber incident.
2. System Recovery Preparedness: MIIs should create and maintain up-to-date “gold images” of critical systems. These images include preconfigured operating systems and software applications, facilitating quick system rebuilding. This strategy helps in restoring operations swiftly, even in the face of a complete system failure.
3. Spare Hardware for Continuity: MIIs should explore the possibility of retaining isolated spare hardware to rebuild systems if both the primary data center and disaster recovery site are compromised. Keeping spare hardware up-to-date and regularly testing it aligns with the response and recovery plans of the institution.
4. Business Continuity Drills: Regular business continuity drills are essential to assess an organization’s readiness and effectiveness in responding to ransomware attacks. Simulating scenarios where both primary and backup systems are impacted helps identify vulnerabilities in people, processes, and technologies.
5. Vulnerability Scanning: MIIs should conduct regular vulnerability scanning to identify and address potential vulnerabilities, especially on internet-facing devices. By minimizing the attack surface, MIIs can reduce the risk of successful cyberattacks.
6. Software Patching and Updates: Regularly patching and updating software and operating systems to the latest versions is crucial for addressing known vulnerabilities. Quarterly reviews ensure timely implementation of necessary updates.
7. User Awareness and Training: Implementing a cybersecurity user awareness and training program helps educate employees on identifying and reporting suspicious activities like phishing. This proactive approach strengthens the human element of cybersecurity.
8. Email Gateway Filtering: Filtering out emails with known malicious indicators and blocking suspicious IP addresses and domains at the firewall enhances email security, reducing the risk of successful phishing attacks.
9. Endpoint Security: Ensuring that endpoint detection and response (EDR)/endpoint protection platform (EPP), antivirus, and anti-malware software are up-to-date on all IT systems helps in detecting and preventing malware threats.
10. Application Whitelisting: Using application directory whitelisting restricts software execution to authorized applications, minimizing the potential for unauthorized software installations.
11. Multi-Factor Authentication (MFA): Implementing MFA for all services enhances user authentication, adding an additional layer of security to protect against unauthorized access.
12. Least Privilege Principle: Applying the principle of least privilege ensures users only have access to the resources necessary for their roles. Solutions like Privileged Identity Management (PIM)/Privileged Access Management (PAM) further enhance control.
13. Configuration Management: Establishing a configuration management database helps inventory and understand IT assets, critical systems, and their interdependencies, enabling effective resource management.
14. Active Directory Security: Regularly reviewing Active Directory helps close potential backdoors and compromised service accounts, strengthening the security of the institution’s infrastructure.
15. Secure Domain Controllers: Strengthening security around domain controllers is crucial, involving timely patching, restricted access, and robust firewall configurations.
16. Delegated Access Review: Regularly reviewing and cleaning unused tokens and delegated access helps minimize the risk of unauthorized access.
17. Log Retention and Security: Securing and retaining logs from various sources, including security devices, applications, and network devices, helps in monitoring and investigating potential security incidents.
18. Network Segregation: Creating effective network segregation limits the spread of cyber incidents, minimizing the impact on business operations.
19. Secure Remote Access: Secure usage of Remote Desktop Protocol (RDP) with Multi-Factor Authentication (MFA) and whitelisted IPs ensures remote access is tightly controlled.
20. API Security: Implementing API security solutions and strict whitelisting for accessing MIIs via APIs helps safeguard services and data transfers.
21. DNS Filtering: Implementing DNS filtering services and Domain Name System Security Extensions (DNSSEC) enhances DNS security and communication.
22. Intranet Management: Critical server, application, and network management should be limited to the enterprise-identified intranet systems.
23. Incorporating IOCs and Alerts: Developing a system to manage and incorporate Indicators of Compromise (IOCs), malware alerts, and vulnerability alerts enhances threat detection and response.
24. Advisory Implementation: Implementing advisories from relevant government agencies within defined timeframes helps address emerging threats effectively.
25. Response and Recovery Testing: Regularly reviewing and testing response and recovery plans helps ensure preparedness for various cyberattack scenarios.
26. Disaster Recovery Architecture: Exploring dissimilar application architectures enhances high availability during disaster scenarios.
27. Dark Web Monitoring: Engaging dark web monitoring services helps identify potential brand abuse and data leaks.