Cyber Attacks: SEBI Questions NSDL’s Speed of Reporting 10th October Attack
Cyber attacks and security issues are something that all technology-intensive companies have to be at war with, all the time. Constant vigilance, monitoring and technology upgrades, at huge cost, are a fact of life. But cyber attacks still happen and, when they do, companies that house large amounts of consumer data, especially financial data, often try to suppress details of the attack for fear of eroding public confidence.
 
All countries and their regulators have stringent requirements for instant reporting of cyber attacks, so that a regulator can take a call on the seriousness of the incident and take measures to mitigate the damage across an industry or warn other entities that may be similarly vulnerable.
 
India has the Computer Emergency Response Team (CERT-In) as the apex body which tackles cybercrime-related issues. Then there are sector-specific financial regulators, such as the Reserve Bank of India (RBI) or the Securities & Exchange Board of India (SEBI), that have stringent reporting requirements.
 
On 10 October 2016, a blog called alphaideas.in posted an image indicating that the website of the National Securities Depository Limited (NSDL) had been hacked. Fortunately, from the public perspective, there was almost no damage at all and the website was restored. However, a detailed inquiry by SEBI into the attack on India’s biggest depository reveals that NSDL has not been fully compliant with SEBI’s policies and that several specific circulars on audit and risk containment were ignored. In fact, even the recovery effort did not meet SEBI’s specifications.
 
Since NSDL holds most of our shares and investments in dematerialised form and its sister entity handles our tax information and other data, it is important for readers to be aware of SEBI’s findings.
 
The cyber attack that happened on 10th October was directed at the website http://nsdl.co.in. The depository has told SEBI that this is merely a public website that only contains information about the organisation, its products and services and downloadable forms. Although NSDL is a large, technology-intensive organisation, this website is hosted and managed by a third-party data-centre provider, known as Ctrl-S, which operates outside NSDL’s depository system. NSDL says no confidential data was compromised by the attack, nor was any service provided by NSDL to clients affected. This is good news and indeed true.
 
The problem, according to SEBI and its technical advisory committee (TAC), is with the many flaws and lapses that have been thrown up by the incident which indicate that NSDL is not taking SEBI’s circulars as seriously as it should.  For instance, let’s start with how the attack was reported. NSDL was prompt in reporting the incident as a ‘major cyber attack’ to CERT-In (the apex regulator). However, it decided to wait and conduct a detailed review of the incident and reported the attack to SEBI only on 19th October, after a lapse of nine days. 
 
Having failed in reporting to the regulator, NSDL almost sounds defiant in its explanation for the delayed reporting. It says, this was not considered an attack on its own system, and there was “no impact on the information of any client held by NSDL or the services provided by NSDL to its clients.” Hence, the depository appears not to have felt the need to report the incident to SEBI immediately. Instead, it decided to first conduct a detailed review and verify details by engaging with Ctrl-S. In an email to the regulator, it says: “However, once the (SC) initial analysis was done, it was in any case planned to inform SEBI.” 
 
On the face of it, this seems like a perfectly reasonable explanation, especially since there was no attack on NSDL’s confidential database or investor data. The problem is that NSDL’s unilateral action violates a slew of very specific instructions and circulars that have been issued by SEBI to market intermediaries. No regulatory system can function if every intermediary begins to second-guess the regulator and decide the seriousness of issues or when to report them, on its own. It is also strange that NSDL reported the attack to CERT-In as a ‘major’ incident but took its time communicating with the market regulator. Here is an analysis of the incident, based on SEBI’s investigation and assessment. 
 
A set of guidelines, issued by SEBI on 6 July 2015, requires market intermediaries such as NSDL to ensure the same level of IT security measures at outsourcing entities such as Ctrl-S as at their own data centres. However, SEBI has found that Ctrl-S had “very weak securities controls.” The report of the cyber attack incident revealed basic issues such as weak passwords and improper hardening of systems among the reasons for the hacking incident. This is a direct violation of the SEBI guidelines.
 
That is not all. A SEBI circular of 9 December 2015, which specifically deals with ‘outsourcing by depositories’, required NSDL to ensure that a risk impact analysis is undertaken before outsourcing any activity and appropriate risk mitigation measures, like a back-up and restoration system, are in place. It also had to ensure real-time monitoring of outsourced activities with a clear policy framework and audit of outsourced activities. NSDL, reportedly, failed to ensure these standards of IT and cyber security at Ctrl-S which had been outsourced the job of maintaining NSDL’s website. 
 
The SEBI circular requires market intermediaries to ensure that a cyber security and resilience policy document is prepared which is approved by the board of directors and reviewed, at least, annually. Further, an IT strategy committee of depositories is expected to review this policy on a quarterly basis and set goals for improving and strengthening cyber resilience.
 
SEBI says that “a critical element of the cyber security and resilience framework, i.e., risk emanating from the outsourced activity of third-party service providers/vendors, was not appropriately assessed and mitigated” by NSDL, at the level of its chief information security officer, the management, the IT strategy committee or the board of directors. Further, the annual system audit of the depository is supposed to cover ‘access policy and controls as well as general access controls’. However, SEBI has discovered that Ctrl-S, which hosted NSDL’s website, was not even covered by the annual system audit process.
 
Finally, the hacking incident has exposed one more lapse. A SEBI circular, dated 22 July 2012, mandates a very specific recovery time objective (RTO) and a recovery point objective (RPO) of not more than 30 minutes. On 4 September 2013, SEBI issued a circular which says that intermediaries should have a business continuity plan in place, including a secondary site that incorporates all critical IT systems and can resume operations within two hours following a disruptive incident. This system should be designed to ensure that the intermediary can “complete settlement at the end of the day of disruption, even in the case of extreme circumstances.” And these back-up arrangements need to be regularly tested and be in order.
 
NSDL’s own submission indicates that it failed in this regard. NSDL has confirmed that the cyber attack started at 7.30pm on 10 October 2016 and the website was completely restored on 11 October 2016. This would mean that it failed the RTO specified by SEBI, in this particular incident. NSDL may be supremely confident about its technology prowess and ability to deal with cyber attacks, but the utter disregard for SEBI regulations, especially the fact that NSDL did not bother to report the incident for nine days, should be a matter of concern.


COMMENTS

Mukund Rajamannar

9 hours ago

We need a dedicated government wing with power to prosecute and penalise focused only on cyber security. We cannot keep adding additional responsibility to existing entities like SEBI. Cyber Security is more than a full time responsibility and should be treated with seriousness.

Aditya G

4 days ago

To be honest, SEBI needs to do more. A lot more. It has a perception problem. And a big one at that. I fear there is worse stuff that we do not know yet.

Will Tax Terrorism Rear Its Head Once Again?
The 2017 Budget was finance minister Arun Jaitley’s first to have received fairly positive reviews. Some experts have suggested that the absence of major negatives, or experimentation with taxation, is the biggest positive. However, there is a growing sense of anxiety among taxpayers and business about the unbridled powers granted to tax officials under the guise of going after black money. A sensible government ought to listen to voices of concern; but when its strongest supporters also turn critical, it needs to listen even more carefully. There is still time for corrective action; but, going by the post-Budget statements of the prime minister and senior bureaucrats of the finance ministry, the government is showing no signs of listening. 
 
The worry over amendments to the Income-Tax (I-T) Act unleashing tax terrorism has been repeatedly voiced by chartered accountants after the demonetisation exercise began on 8 November 2016; the Union Budget has only brought the fears out in the open more vociferously. Sushil Chandra, chairman of the central board of direct taxes, attempted to allay fears after the Budget by saying, “There is no need to fear, for any genuine person. We will ensure there is no harassment to genuine persons.” But nobody seems to believe these assurances, not even the government’s strong supporters.
 
The amendment to sub-sections (1) and (1A) of Section 132 of the I-T Act is one that has caused serious panic; it has a retrospective effect going back to 1962. It says that tax officers will not have to disclose “to any person, authority or the Appellate Tribunal” why they have “reason to believe” that there has been tax evasion and that there is a basis for ordering and conducting a search and seizure operation. Further, sub-section (1) of Section 132A provides that the tax authority, based on suspicion or ‘reason to believe’, can “requisition from some other officer or authority to deliver books of account, documents or assets of the assessee to the income tax authority so authorised.” This change will have retrospective effect going back to 1 October 1975.
 
It does not require much sagacity to know that tax-dodgers, whose evasion runs into hundreds of crores of rupees, are experts at fixing the system to their advantage. Draconian powers in the hands of tax officials are more likely to harass honest taxpayers by disallowing genuine expenditure. In line with the NDA (national democratic alliance) government’s distrust of NGOs, the Union Budget has also extended the power of the tax officials to conduct search and seizure operations of charitable institutions. This is worrying, because we know that it will quickly turn into a tool of control and harassment by the government. 
 
The amendments regarding search and seizure are specifically aimed at overturning case law where the judiciary had prevented fishing expeditions by tax officials based on mere suspicion, or simply to hound people. The amendments ensure that the judiciary will not be able to question arbitrary actions or raids by tax officials. 
 
Senior advocate and tax expert Soli Dastur, speaking at a post-Budget seminar in Mumbai, said that this amendment, which allows raids and searches without disclosing ‘reason to suspect’, interferes with a person’s privacy and it cannot be allowed to happen in a democratic country like India. 
 
Senior editor Minhaz Merchant, a huge supporter of the Narendra Modi government, calls this a change that is “straight out of Orwellian dystopia” in a fiery article for the website Daily O. He also points to another draconian amendment in the I-T Act that permits the assessing officer to order attachment of the assessee’s property for six months after obtaining sanction from a senior officer. Specifically, the amendment will allow tax authorities to provisionally attach the property of an assessee for six months, either at the time of search and seizure or up to 60 days from that date. At present, property can only be attached after an assessee’s request for stay on attachment is rejected by an I-T commissioner. A person also gets 30 days to apply for a stay. This power was widely misused, even against small companies, even prior to the empowering new amendment.
 
One can only guess at the enormous blackmail and capricious actions by tax officials that will be unleashed after some crucial checks and balances have been removed, in the name of raising revenues and going after the crooked. It gives assessing officers the power to reduce individuals to penury in one stroke and also shut down businesses by the sheer ferocity of their actions. Most people will not even have the resources to seek judicial redress in our excruciatingly slow and expensive judicial system. Mr Merchant believes that the PM, who is “instinctively against such abuse that amounts to tax terrorism,” should step in and correct the damage; but it is hard to believe that the changes in the Budget have been introduced by the finance minister or bureaucrats without the express consent of the PM.  
 
Mohandas Pai, investor and former CFO of Infosys Ltd, who is a diehard supporter of the Modi government and its policies, has also lashed out at the ‘draconian powers’ being given to I-T authorities after demonetisation and warned that this would only increase corruption. In a recent public speech, he says that people “have voted the NDA to power to prevent tax terrorism, improve tax administration and reduce tax disputes.” He calls the NDA government’s past two-and-half years ‘disappointing’ in this regard because corruption has not decreased much, tax administration has only partially improved, but tax disputes have increased ‘massively’.
 
Speaking at the Budget session of parliament, PM Modi deflected criticism about the frequent policy changes in the demonetisation period, saying that the government was agile in reacting to the situation, whether it was to alleviate the hardship faced by people or to cut off attempts to convert tax-evaded cash. 
 
In that case, what was the need for even more draconian changes in the Budget? Speaking about such ill-thought-out policy changes at a post-Budget discussion, Dr Arvind Virmani, former chief economic advisor at the finance ministry, correctly said, “There don’t seem to be enough tax policy experts in the government” who can think in a comprehensive manner. Dr Virmani says income-tax is very complicated and you have to think of a multitude of “macro and micro socio-economic relationships” while working on tax reforms. Unleashing tax terrorism in pursuit of a “moralistic obsession with black money”, he believes, will end up with the government “ignoring real economic issues that need to change.”
 
Actually, I believe that Pratap Bhanu Mehta is on the dot when he says that “the clamour for security, accountability and transparency is leading to unfettered increase in the power of the State,” through laws and technology that will eventually give the government single-point control over every individual. Unfortunately, very few Indians seem to understand the scary significance of these changes and, those who do, can do little about it. 

COMMENTS

vswami

5 days ago

Caution (given out of sheer compassion):
Not to gloss over, in the stride, Minhaz Merchant’s cryptic critique of such development, of quite a serious nature, as one “straight out of Orwellian dystopia”.
For an intimate appreciation, recommend to look up:
https://genius.com/albums/George-orwell/Nineteen-eighty-four
Clue: “In this Genius edition of Orwell’s 1984 we break down the meaning and the importance of the enduring work, and get down to the root of the question, of whether we have managed to escape the nightmare Orwell so envisioned 66 years ago today.”
< “Ignorance Is Strength” –
That, at best, as is open to be gathered from wisdom gained in hindsight, is a vile illusion. However, the men in governance / the bureaucracy seem to believe in also have immense faith in that thing called ‘ignorance’; which, of course, is a commodity, forever free, in abundance.
Side Dish: http://www.thehindubusinessline.com/…/sa…/article9535236.ece

Kamal Garg

5 days ago

It is definitely draconian and nothing short of tax terrorism. This Govt is hell bent upon harassing citizens of this country who actually voted in their favour in 2014. Most of the acts of this Govt during the last less than 3 years are actually against the freedom of common citizens and amount to harassment of common citizens. Look at demonetization. None of the objectives mentioned by the PM in his speech on 8th Nov 2016 has been achieved except the horrendous harassment of common citizens of this country. Somebody told me that this is a "bhookhi-nangi" govt hell bent upon exercising a Hitler style of governance in this country. Common citizens are harassed every day in the name of so many tax related and non-tax related issues.

vswami

5 days ago

Sporadic jottings:
No doubt, 'terrorism' /-domestic- or cross border- terrorism, conceptually, is the most dreaded of all ; and has been, not just stray, but the common life- / place- experience for quite long now; and even in those very few once-upon-a-time peace-loving democracies ! Evidencing that , as largely realized, and conceded , 'evolution' of human being, so also of the thing called 'sanity', has not but been an ongoing process as ever !
Turning to specifics: (utterly, butterly) Common Sense Poser > Read through...- 'reason to suspect' ? In comparison, was 'reason to believe' - any better / or any less 'subjective' than... ?? Is Time up to re-frame- " 'discretion' is the better part of ...; or ... last refuge to ....???

Aditya

6 days ago

Well on the spot again from Moneylife! These 'new' IT officers resemble the police in India, which is a toy for big shots and a tormentor for the less fortunate ones who do not enjoy the clout the former do. Our economy, already weakened by non-required demonetization, should brace for more job loss. It looks like the current government has no road map for most of its policies and is taking on things as they come without much prudence or pondering. A huge scam like 2G does not hurt India as much as its bureaucrats do.

SuchindranathAiyerS

6 days ago

Bhaskar Rao (I) is a classic example of Indian Governance. Unless those on the public pay roll are held to account for performance and integrity, India will remain harassed, in one way or another.

Government needs to retrench three quarters of those on the Public pay roll and cut down the laws and extortion to a point where a quarter of the staff will suffice. Then they need to abolish reservations and get tough on corruption: make corruption an act of treason and a capital offence. Government needs to abolish all subsidies and pay a tax free monthly subsistence stipend to ALL citizens, enabling people to work for more than just subsistence while maintaining equity and equality under law.

Above all, as I have frequently stated, nothing will change until:

(1) Inequality under law and exceptions to the rule of law (including “reservations” and special privileges for some religions at the expense of others) are expurgated from the Constitution and laws of India.

(2) Bribe Taking is defined as criminal extortion or treason and made a capital offense with special rules of evidence and special courts with summary powers (akin to a Military Court Martial).

(3) All court proceedings are video graphed and archived for public viewing and can be used as evidence to prosecute Judges and Magistrates at all levels under special laws and special courts with summary powers akin to a military Court Martial, for insouciance, negligence, tardiness, dereliction of duty, disregard for law and propriety, behaviour unbecoming of a Judge such as lack of etiquette and manners,

(4) every job on the "Public" i.e. Government Pay Roll has specific and unique Key Responsibility Areas, Key Performance Parameters and Objectives for which they are held accountable on pain of summary dismissal for non-performance or life imprisonment for treason for sabotage under special laws and special courts with summary powers akin to a military Court Martial and

(5) India creates an Ombudsman Service of reemployed and retrained military officers (Colonel and Below, JCOs and NCOs) who retire before 50 to serve as presiding officers, investigating/prosecuting and enforcement officers at the afore mentioned "Special Courts", one for every tehsil with powers to arrest, incarcerate, try and punish any and all from the President of India to a peon in accordance with the Special Laws framed therefor.

S A Narayan

6 days ago

Before this govt won the elections in 2014, many naysayers of the BJP had predicted certain fascist tendencies of the party and their leaders. Were they prophetic?


Kamal Garg

In Reply to S A Narayan 5 days ago

Looks like. Prophets were correct this time. Hope they are proven wrong otherwise we are going in a very dangerous direction. "Economic emergency" is also akin to "political emergency" imposed by Indira Gandhi.
