Published by Valentine Parks. Modified over 6 years ago.
Slide 1: Cyber Security
Central Depository Services (India) Limited
Hong Kong, November 2017
Slide 2: CDSL Group Businesses

Central Depository Services (India) Limited
- 13.6 million customer accounts covering 94% of PIN codes
- 589 DPs operating across 17,338 service locations
- 10,217 issuing companies
- CAS services sending 1.2 million statements per month
- e-Voting Services (4,300+ companies, 15,500+ e-voting instances)
- eLocker Services
- Go Green Services for DPs
- Online Will Services
- National Academic Depository (NAD)

CDSL Ventures Limited
- KYC Registration Agency (PAN based KYC): 1st and largest KRA with over 16.5 million KYCs, holding 65% of the total PAN based KYC
- User Agency for UIDAI (Aadhaar based eKYC and eSign)
- GSP services

CDSL Insurance Repository Limited
- IR Services facilitate policyholders holding insurance policies in electronic form
- Holding 0.32 million accounts, 60% of total eIA accounts

CDSL Commodity Repository Limited
- Commodity Repository facilitates issuance, holding, deposits, withdrawals and transacting of warehouse receipts
Slide 3: Regulatory and Government Guidelines on Security
The Indian regulator (SEBI) has issued circulars recommending Information Security policies and Cyber Security framework guidelines to be adopted by systemically important MIIs (Exchanges, Clearing Corporations, Depositories). Accordingly, CDSL has adopted Information Security and Cyber Security policies. CDSL and other market intermediaries are invited to the Technical Advisory Committee and Cyber Security Sub-Committee meetings, which are held periodically to discuss and deliberate on policy formulation before circulars are issued.

Formation of NSCS and NCIIPC by the Prime Minister's Office (PMO)
The Government of India, under the direct supervision of the PMO, has instituted the National Security Council Secretariat (NSCS). CDSL and all market intermediaries were invited by NSCS to present the state of infrastructure and security in their organizations. CDSL is registered with the National Critical Information Infrastructure Protection Centre (NCIIPC), the operational entity under NSCS. CDSL receives regular advice and updates from NCIIPC on cyber security threats, and shares incidents and updates with them.

International Organization of Securities Commissions (IOSCO) Guidelines
The regulator has also recommended that the cyber resilience guidelines for Financial Market Infrastructures issued by IOSCO be followed. CDSL is in compliance with the IOSCO guidelines.
Slide 4: Cyber Security is a Business Issue
Digital transformation
With enterprises becoming more and more connected through the increasing adoption of digital technologies, safeguarding the company's digital assets has become extremely complex and challenging. The constantly changing digital technology landscape requires fast adoption of newer and more sophisticated cyber security solutions. The senior management team and IT need to keep security top of mind as they make decisions about new products and services. "Security first" should be the mantra alongside "Digital first".

Risk Management Committee
The risk management committee nowadays gets as involved in understanding and mitigating cyber security risk as it does in operational, financial or other risks. New project initiatives or process changes with any element of security risk are deliberated before being taken up.
Slide 5: Cyber Security is a Business Issue (continued)
Security practices of partners and intermediaries
With the prevalence of outsourcing of services, our suppliers and partners also need to follow good security practices. Defined outsourcing policies are in place, in line with regulator guidelines. There is a recent initiative by the regulator to enforce certain minimum cyber security practices to be followed by market intermediaries (depository participants and brokers), with the depository overseeing compliance.

Cyber security is everyone's responsibility
While the role of IT has traditionally been that of an enabler of the business, an equally important role is protecting and securing the business from cyber threats. IT, with the support of senior management, must create a security culture in the organization by facilitating regular user awareness training and by recognizing that a careless employee can cause a cyber security breach. Cyber security is really a business issue and not only an IT responsibility: it exceeds the boundaries of IT, and cyber risk needs to be managed with as much discipline as financial or operational risk.
Slide 6: Board Oversight and Involvement
Cyber threat is today one of the biggest organizational risks
Cyber threats have emerged as a growing risk to companies across industries, with the potential to cause serious financial and reputational damage. Boards understand that cyber security is a risk management issue that affects the entire organization and requires board oversight. Security risks need to be conveyed to the board in business terms, to help the board understand how cyber security impacts the company directly.

Active board involvement is imperative
Strong corporate governance requires that the board of directors actively engages on the issue and is kept informed of the organization's cyber security readiness. Boards must ensure there is executive ownership, ideally at the top, starting with the CEO. Cyber risk insurance coverage is now being offered by insurance companies; the security maturity of the organization can reduce the cost of the premium.
Slide 7: Concerns and Areas of Improvement
Incident sharing
While some security companies have formed partnerships and collaborate to share cyber incidents in order to strengthen the solutions they offer, there is no organized sharing among user companies so that they can learn from others' incidents. In BFSI, sharing incidents with the regulator within a stipulated time is mandatory, and the regulator is expected to share them with other organizations while masking the victim organization's identity. The victim organization is often reluctant to share incidents in order to protect its reputation, and there is thus huge under-reporting of incidents.

Hackers collaborate
While companies do not collaborate, attackers often do when attacking the enterprise. The cost of protection is disproportionately higher than the cost of attacking. An attacker with very little financial resource can penetrate enterprises that do not continuously secure themselves.
Slide 8: Concerns and Areas of Improvement (continued)
Resource shortage
There is an acute shortage of skilled security resources, and organizations are finding it very difficult to attract talent while competing with security organizations. The optimum mix of in-house and vendor resources needs to be deployed, especially to run a centralized Security Operations Center (SOC). Skilled and trained resources are required to ensure that procured solutions are implemented with proper configuration so that they work as expected.

Increased security spend in an increasingly connected world
With multiple security vendors offering overlapping solutions, and most companies having existing security solutions in place, selecting new solutions is very complex and challenging. Integrated security tools working together in a seamless, automated way can streamline the process of detecting and mitigating threats. The major security vendors have introduced the concept of a fabric layer which can integrate with other vendors' solutions. While protecting the enterprise with sophisticated solutions and tools is expensive, there is really no guarantee that the enterprise is fully secure.
Slide 9: Security Landscape Reference Model

Layers of the model: Operations; Application Platforms; Data Protection; Host Security (Endpoints, Mobile / Laptop); Access / Authentication; Infrastructure (Network).

Operations processes:
- Asset & Config management
- Incident management
- Vulnerability & Patch management
- Change management
- Access management
- Event monitoring & management

Security controls mapped across the Application, Data Protection, Host Security and Access / Authentication layers (as listed on the slide):
- Antispam, DB Activity Monitoring, WAF, App Sec, APT
- Data Classification, Data Encryption, VPN / SSL, DRM
- Antivirus / HIPS, Patch Mgmt, Config Mgmt, VA / PT, DLP, NAC, MDM
- IDM / PIM, 2FA, SSO

Infrastructure / Network controls:
- DLP, DDoS Protection, Firewall / IPS, SIEM / SOC, DCIM, Web Proxy, Wireless
Slide 10: Thank You

Joydeep Dutta, Executive Director and Group CTO