NSDL’s Negligence In Reporting Cyber Breach Irks SEBI

Cyber security as a part of Indian policy is still not widely recognised. This is true not only of the drafting of cyber security policies and laws in India but also of the actual implementation of the scarce provisions we have in this regard. For instance, India has no cyber breach disclosure norms as of today, and the cyber law of India is grossly deficient on this front. Different regulators and authorities have specified their own guidelines and rules in this regard, which has further complicated the situation. Companies and individuals do not find these guidelines and regulations deterrent enough to even take notice of them. Actual compliance with these regulations, of course, would be expecting companies and individuals to move a mountain.

Recently there were many media reports that the website of the Ministry of Home Affairs had been cracked by unknown crackers. Website defacement is a very common phenomenon in India and is not a very serious threat. The real threat is the use of stealth malware by our cyber adversaries that can go undetected for months or years. Contemporary cyber security products and services are ineffective against such malware, and by the time we react to such malware and the corresponding cyber breaches, irreparable damage has already been done.

Indian companies and their directors are notoriously insincere in reporting cyber crimes and cyber breaches. As a result, remedial cyber actions cannot be taken on time and consumer interests are jeopardised. Take the recent example in this regard. On 10 October 2016, it was reported that the website of the National Securities Depository Limited (NSDL) had been hacked. A detailed inquiry by SEBI into the attack on India’s biggest depository reveals that NSDL has not been fully compliant with SEBI’s policies and that several specific circulars on audit and risk containment were ignored. In fact, even the recovery effort did not meet SEBI’s specifications.

This lax attitude is not acceptable in contemporary times and under the Digital India project, which is already insecure. On the one hand, the Indian government is contemplating a separate CERT for the financial sector; on the other hand, we see this attitude from NSDL. Perry4Law Organisation (P4LO) strongly recommends that the Indian government investigate this issue and take appropriate action against those guilty of non-compliance with the cyber breach disclosure requirements of SEBI and other laws. We also recommend that the cyber security infrastructure of India be strengthened.

Since NSDL holds most of our shares and investments in dematerialised form and its sister entity handles our tax information and other data, it was important for NSDL to inform SEBI immediately. However, NSDL failed to do so, not only in a timely manner but also in great disregard of the cyber security and cyber law due diligence requirements. NSDL has told SEBI that only the public website was affected and that it contains only information about the organisation, its products and services, and downloadable forms. NSDL also stated that no confidential data was compromised by the attack, nor was any service provided by NSDL to clients affected.

This assertion by NSDL may be true, but the problem, according to SEBI and its Technical Advisory Committee (TAC), lies in the many flaws and lapses thrown up by the incident, which indicate that NSDL is not taking SEBI’s circulars as seriously as it should. There are also inconsistencies between NSDL’s accounts of the cyber breach reported to CERT-In and to SEBI respectively. For instance, although NSDL reported the incident as a “major cyber attack” to CERT-In, it decided to wait and conduct a detailed review of the incident, and reported the attack to SEBI only on 19 October, after a lapse of nine days.

Of course, NSDL has given an explanation for this delayed reporting to SEBI. NSDL claims that this cyber breach was not considered a cyber attack on its own systems, and that there was no impact on the information of any client held by NSDL or on the services provided by NSDL to its clients. Hence NSDL did not report the incident to SEBI immediately and reported it only after a detailed investigation conducted together with the hosting provider.

What NSDL has failed to understand in this case is that it must choose an outsourcing or hosting service provider that complies with the cyber security standards prescribed by SEBI. According to the guidelines issued by SEBI on 6 July 2015, market intermediaries like NSDL must ensure the same level of IT security measures at outsourcing entities, such as hosting service providers, as at their own data centres. However, SEBI found that the hosting service provider in this case had “very weak securities controls”. The report on the cyber attack incident revealed basic issues such as weak passwords and improper hardening of systems among the reasons for the hacking incident. This is a direct violation of the SEBI guidelines.

Further, a circular issued by SEBI on 9 December 2015, which specifically deals with “outsourcing by depositories”, required NSDL to ensure that a risk impact analysis is undertaken before outsourcing any activity and that appropriate risk mitigation measures, such as a back-up and restoration system, are in place. It also had to ensure real-time monitoring of outsourced activities, with a clear policy framework and an audit of outsourced activities. NSDL reportedly failed to ensure these standards of IT and cyber security at the hosting service provider to which the job of maintaining NSDL’s website had been outsourced.

The SEBI circular requires market intermediaries to ensure that a cyber security and resilience policy document is prepared which is approved by the board of directors and reviewed, at least, annually. Further, an IT strategy committee of depositories is expected to review this policy on a quarterly basis and set goals for improving and strengthening cyber resilience.

SEBI says that “a critical element of the cyber security and resilience framework, i.e., risk emanating from the outsourced activity of third-party service providers/vendors, was not appropriately assessed and mitigated” by NSDL, whether at the level of its chief information security officer, the management, the IT strategy committee or the board of directors. Further, the annual system audit of the depository is supposed to cover ‘access policy and controls as well as general access controls’. However, SEBI discovered that the hosting service provider which hosted NSDL’s website was not even covered by the annual system audit process.

Above all, a SEBI circular dated 22 July 2012 mandates a very specific recovery time objective (RTO) and a recovery point objective (RPO) of not more than 30 minutes. On 4 September 2013, SEBI issued a circular stating that intermediaries should have a business continuity plan in place, including a secondary site that incorporates all critical IT systems and can resume operations within two hours of a disruptive incident. This system should be designed to ensure that the intermediary can “complete settlement at the end of the day of disruption, even in the case of extreme circumstances.” These back-up arrangements need to be regularly tested and kept in order.

NSDL’s own submission indicates that it failed in this regard. NSDL has confirmed that the cyber attack started at 7.30 pm on 10 October 2016 and that the website was completely restored only on 11 October 2016. This means that it failed the RTO specified by SEBI in this particular incident. NSDL may be supremely confident about its technological prowess and its ability to deal with cyber attacks, but its utter disregard for SEBI regulations, especially the fact that NSDL did not bother to report the incident for nine days, should be a matter of concern.

In the past it was decided that the Technical Advisory Committee (TAC) of SEBI would address cyber security issues as well. This move by SEBI aims at securing the data, applications, databases, operating systems and network layers of financial market infrastructures (FMIs) from various forms of cyber attack, such as Denial of Service (DoS) attacks, phishing, hacking, man-in-the-middle attacks, sniffing, spoofing, key-logging and malware attacks.

Cyber security and cyber resilience for financial market infrastructures is one of the core priority issues for governments and nations around the world. However, this is not an easy task to manage, as it requires tremendous techno-legal expertise that very few individuals and organisations possess these days. Even the regulatory and governing framework in this regard is still evolving at the international level. The Indian government and SEBI are slow in this regard, and the NSDL episode shows that we are still far from achieving this goal.