India’s Securities and Exchange Board (SEBI) appears to have sent a circular to stock exchanges that calls for market participants to upgrade information security as bad actors seek to take advantage of the financial services industry’s move to working from home.
SEBI appears not to have made its document public, but India’s National Stock Exchange (NSE), the nation’s largest, plus the Bombay Stock Exchange (BSE) and Multi Commodity Exchange of India (MCX) all published the same 14-point security guidelines late last week. The guidelines say SEBI has called for market participants to implement a security baseline on the computers their staff use when working from home (NSE doc here, BSE here, MCX here [PDF]).
The documents say the new standard is needed because COVID has seen the industry send many staff to work from home, which has “resulted in cyber criminals using this opportunity to target ‘Users’ and ‘Information Communication Technologies’.” The documents say SEBI has therefore “advised us to ensure that Members / Participants, implement prescribed measures.”
Among the requirements are multi-factor authentication, use of virtual private networks locked to devices’ MAC addresses, and even periodic photography of users combined with image recognition to identify them.
“It is suggested that the intermediary may consider running a mandatory monitor on the device that … at random intervals pops up and prompts biometric authentication with a timeout period of a few seconds. If there is a timeout, this is flagged on the intermediary server as a security event.”
“Remote access has to be monitored continuously for any abnormal access and appropriate alerts and alarms should be generated to address this breach before the damage is done,” the advice adds, continuing: “For on-site monitoring, the intermediary shall implement adequate safeguard mechanism such as cameras, security guards, nearby co-workers to reinforce technological activities.”
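A sketch of the server side of the random-prompt control quoted above, added here as an illustration and not taken from the SEBI guidance or any exchange's document. The event fields, the 10-second deadline and the reason names are assumptions; the guidance only says "a few seconds" and that a timeout is flagged as a security event.

```python
from dataclasses import dataclass

TIMEOUT_S = 10  # assumed value; the guidance only says "a few seconds"

@dataclass(frozen=True)
class Event:
    ts: float        # seconds, server clock
    device: str
    challenge: str   # challenge id issued by the server (hypothetical field)
    kind: str        # "issued", "passed" or "failed"

def security_events(events, now, timeout_s=TIMEOUT_S):
    """Return (device, challenge, reason) tuples the server should raise."""
    issued, answered, flagged = {}, set(), []
    for e in sorted(events, key=lambda e: e.ts):
        key = (e.device, e.challenge)
        if e.kind == "issued":
            issued[key] = e.ts
            continue
        if key not in issued:
            flagged.append((*key, "response-without-challenge"))
        elif key in answered:
            flagged.append((*key, "duplicate-response"))
        elif e.ts - issued[key] > timeout_s:
            flagged.append((*key, "timeout"))  # a late answer counts as a timeout
        elif e.kind == "failed":
            flagged.append((*key, "biometric-mismatch"))
        answered.add(key)
    # Challenges that were never answered and are already past the deadline.
    for key, ts in issued.items():
        if key not in answered and now - ts > timeout_s:
            flagged.append((*key, "timeout"))
    return flagged

# Constructed sample events, not taken from any real system.
SAMPLE = [
    Event(1000.0, "laptop-01", "c1", "issued"),
    Event(1004.0, "laptop-01", "c1", "passed"),  # answered in time
    Event(1300.0, "laptop-02", "c2", "issued"),  # never answered
    Event(1600.0, "laptop-03", "c3", "issued"),
    Event(1625.0, "laptop-03", "c3", "passed"),  # answered after the deadline
    Event(1700.0, "laptop-01", "c9", "passed"),  # server never issued c9
    Event(1990.0, "laptop-02", "c4", "issued"),  # still inside its window
]

if __name__ == "__main__":
    for device, challenge, reason in security_events(SAMPLE, now=1995.0):
        print(device, challenge, reason)
```

Measuring the deadline on the server clock, rather than trusting a timestamp reported by the monitored device, keeps a tampered endpoint from hiding a missed prompt.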
The guidance also calls for testing of backup, restore and archiving capabilities as a precaution for those whose remote users touch core internal systems. There’s also a suggestion to “exercise sound judgement and discretion while applying patches to existing hardware and software and apply only those patches which were necessary and applicable.”
Market participants are also told to have logs gathered by their security operations centres (SOCs) analysed from a remote location.
“Alerts and alarms generated should also be analyzed and appropriate decisions should be taken to address the security concerns,” the advice continues. “The security controls implemented for the Remote Access requirements need to be integrated with the SOC Engine and should become a part of the overall monitoring of the security posture.”
The advice ends by saying that the measures it requires are to become future standard operating practice.
It is unclear if SEBI or India’s bourses have noticed any odd trades or patterns of trades because of lax work-from-home security, or if this new guidance is precautionary.
Whatever the cause, welcome to the new normal of random webcam snaps to make sure that’s really you in your home office. ®