Cyber attacks and security issues are something that all technology-intensive companies have to be at war with, all the time. Constant vigilance, monitoring and technology upgrades, at huge cost, are a fact of life. But cyber attacks still happen and, when they do, companies that house large amounts of consumer data, especially financial data, often try to suppress details of the attack for fear of eroding public confidence.
All countries and their regulators have stringent requirements for instant reporting of cyber attacks, so that a regulator can take a call on the seriousness of the incident and take measures to mitigate the damage across an industry or warn other entities that may be similarly vulnerable.
India has the Computer Emergency Response Team (CERT-In) as the apex body which tackles cybercrime-related issues. Then there are sector-specific financial regulators, such as the Reserve Bank of India (RBI) or the Securities & Exchange Board of India (SEBI), that have stringent reporting requirements.
On 10 October 2016, a blog called alphaideas.in posted an image indicating that the website of the National Securities Depository Limited (NSDL) had been hacked. Fortunately, from the public perspective, there was almost no damage at all and the website was restored. However, a detailed inquiry by SEBI into the attack on India’s biggest depository reveals that NSDL has not been fully compliant with SEBI’s policies and several specific circulars on audit and risk containment were ignored. In fact, even the recovery effort did not meet SEBI’s specifications.
Since NSDL holds most of our shares and investments in dematerialised form and its sister entity handles our tax information and other data, it is important for readers to be aware of SEBI’s findings.
The cyber attack that happened on 10th October was directed at the website http://nsdl.co.in. The depository has told SEBI that this is merely a public website that only contains information about the organisation, its products and services and downloadable forms. Although NSDL is a large, technology-intensive organisation, this website is hosted and managed by a third-party data centre provider, known as Ctrl-S, which operates outside NSDL’s depository system. NSDL says no confidential data was compromised by the attack, nor was any service provided by NSDL to clients affected. This is good news and indeed true.
The problem, according to SEBI and its technical advisory committee (TAC), is with the many flaws and lapses that have been thrown up by the incident which indicate that NSDL is not taking SEBI’s circulars as seriously as it should. For instance, let’s start with how the attack was reported. NSDL was prompt in reporting the incident as a ‘major cyber attack’ to CERT-In (the apex regulator). However, it decided to wait and conduct a detailed review of the incident and reported the attack to SEBI only on 19th October, after a lapse of nine days.
Having failed in reporting to the regulator, NSDL almost sounds defiant in its explanation for the delayed reporting. It says this was not considered an attack on its own system, and there was “no impact on the information of any client held by NSDL or the services provided by NSDL to its clients.” Hence, the depository appears not to have felt the need to report the incident to SEBI immediately. Instead, it decided to first conduct a detailed review and verify details by engaging with Ctrl-S. In an email to the regulator, it says: “However, once the (SC) initial analysis was done, it was in any case planned to inform SEBI.”
On the face of it, this seems like a perfectly reasonable explanation, especially since there was no attack on NSDL’s confidential database or investor data. The problem is that NSDL’s unilateral action violates a slew of very specific instructions and circulars that have been issued by SEBI to market intermediaries. No regulatory system can function if every intermediary begins to second-guess the regulator and decide the seriousness of issues or when to report them, on its own. It is also strange that NSDL reported the attack to CERT-In as a ‘major’ incident but took its time communicating with the market regulator. Here is an analysis of the incident, based on SEBI’s investigation and assessment.
A set of guidelines, issued by SEBI on 6 July 2015, requires market intermediaries such as NSDL to ensure that outsourcing entities such as Ctrl-S maintain a level of IT security measures similar to that of the intermediary’s own data centre. However, SEBI has found that Ctrl-S had “very weak securities controls.” The report of the cyber attack incident revealed basic issues such as weak passwords and improper hardening of systems among the reasons for the hacking incident. This is a direct violation of the SEBI guidelines.
That is not all. A SEBI circular of 9 December 2015, which specifically deals with ‘outsourcing by depositories’, required NSDL to ensure that a risk impact analysis is undertaken before outsourcing any activity and that appropriate risk mitigation measures, like a back-up and restoration system, are in place. It also had to ensure real-time monitoring of outsourced activities with a clear policy framework and audit of outsourced activities. NSDL, reportedly, failed to ensure these standards of IT and cyber security at Ctrl-S, to which the job of maintaining NSDL’s website had been outsourced.
The SEBI circular requires market intermediaries to ensure that a cyber security and resilience policy document is prepared which is approved by the board of directors and reviewed, at least, annually. Further, an IT strategy committee of depositories is expected to review this policy on a quarterly basis and set goals for improving and strengthening cyber resilience.
SEBI says that “a critical element of the cyber security and resilience framework, i.e., risk emanating from the outsourced activity of third-party service providers/vendors, was not appropriately assessed and mitigated” by NSDL, at the level of its chief information security officer, or the management, the IT strategy committee or the board of directors. Further, the annual system audit of the depository is supposed to audit ‘access policy and controls as well as general access controls’. However, SEBI has discovered that Ctrl-S, which hosted NSDL’s website, was not even covered by the annual system audit process.
Finally, the hacking incident has exposed one more lapse. A SEBI circular, dated 22 July 2012, mandates a very specific recovery time objective (RTO) and a recovery point objective of not more than 30 minutes. On 4 September 2013, SEBI issued a circular which says that intermediaries should have a business continuity plan in place including a secondary site that incorporates all critical IT systems and can resume operations within two hours following a disruptive incident. This system should be designed to ensure that the intermediary can “complete settlement at the end of the day of disruption, even in the case of extreme circumstances.” And these back-up arrangements need to be regularly tested and be in order.
NSDL’s own submission indicates that it failed in this regard. NSDL has confirmed that the cyber attack started at 7.30pm on 10 October 2016 and the website was completely restored on 11 October 2016. This would mean that it failed the RTO specified by SEBI, in this particular incident. NSDL may be supremely confident about its technology prowess and ability to deal with cyber attacks, but the utter disregard for SEBI regulations, especially the fact that NSDL did not bother to report the incident for nine days, should be a matter of concern.