SEBI The Securities and Exchange Board of India has proposed biometric authentication investors and for traders when they buy and sell stocks by accessing mobile applications.
In a note which was recently shared with stock exchanges and brokers at improving cyber security, this is part of a long list of recommended dos and don’ts compiled by the market regulator.
A person who was familiar with the topic said, “The draft note says that in case of applications installed on mobile devices such as smartphones and tablets, a cryptographically secure biometric twofactor authentication mechanism may be used.”
If the proposal is implemented, it would need retail investors use touch ID-enabled smartphones for trading and sharing biometric features like eye scan or fingerprint to access their demat or the trading accounts. Offered as an option to accountholders by some of the private sector banks, the mechanism involves the handheld device carrying out one step of the authentication instead of the service provider.
According to the Sebi note, after a given number of failed log-in attempts, the customer’s account should be ‘locked’ till fresh authentication is done by sending a random one-time password or an email to the customer.
The paper asks brokers to ensure that no individual by virtue of position or rank has any right to access confidential data, applications, facilities or system resources. Then they should formulate an internet access policy to monitor and regulate the usage of internet and the services which are internet-based like social media sites and cloud-based internet storage sites within a broker’s critical IT infrastructure.
The note said, “For algorithmic trading facilities, adequate measures should be taken to isolate and secure the perimeter and connectivity to the servers running algo trading applications.”
One of the recommendations says that employees and outsourcing staff (like employees of vendors or service providers) who might have authorised access to a broker’s critical system should be subject to stringent monitoring.
A regulatory officer said, “Sebi has sought comments from different people and will have to examine the preparedness of brokers before implementing it. We have done categorisation. The proposals will be implemented in phases.”
Some of the recommendations in the draft note can be onerous for small brokers who operate on waferthin margins and low-cost structure.
One brokerage official said, “For instance, one of the suggestions is that off-the-shelf products being used for core business functionality, such as back office applications, should bear Indian common criteria for evaluation assurance level 4. Any technology person will admit this is a very demanding requirement as there are only one or two labs from where such certification can be obtained. The telecom department had attempted this in the past.”
According to an person from the industry, keeping in mind smaller brokers who cannot afford the cost, the regulator may explore the possibility of one of the stock exchanges managing the security setup for these entities.
While the Sebi draft paper is a compilation of suggestions from an expert committee, it has been circulated at a time when two well-known brokers serving retail and high networth investors faced cyber-attacks.
One of the intermediaries informed clients about the breach involving unauthorised access to customer information; in the other case, a virus found its way into a few back office servers and PCs, and even though there was no data breach or trading interruption, the brokerage concerned had to run some of the back office processes manually for a day or two till those servers were brought back online after a clean-up.
The attack on stockbrokers follows malware attacks on some of the Indian banks and credit card data bases over the past few years.
