
Cybersecurity Compliance Under Scrutiny: SEBI Fines Anand Rathi ₹10 Lakh

By G. Lekhan


Introduction 

SEBI has penalised Anand Rathi ₹10 Lakh for cybersecurity infringements, a decision that speaks to every market intermediary. Indian capital markets have undergone major transformations during the last ten (10) years as technology has reshaped trading, settlement and investment services. More than 10 Million investors who rely on the digital platforms provided by stockbrokers, depositories and exchanges have gained efficiency and easier access to market services; however, alongside these gains, the cyber and operational risk of depending on these platforms has also increased.


Source: Indian express


In this context, the recent regulatory sanction imposed on Anand Rathi Share & Stock Brokers Limited by the Securities and Exchange Board of India (SEBI) is a significant indication of the role that cyber resilience will play in the future of the financial market. SEBI penalised Anand Rathi ₹10 Lakh for negligent cyber protection controls and found that the firm had contravened numerous regulatory requirements. The order serves as a reminder to financial institutions that the regulator is focused on strengthening technology governance across the capital market system. This article discusses the facts of the case, the regulatory environment, the nature of the violations found by SEBI, and the broader considerations for financial institutions and investors.


Case Background 

The Securities and Exchange Board of India (SEBI) performed a thematic inspection of Anand Rathi Share and Stock Brokers to verify its compliance with SEBI's Cyber Security and Cyber Resilience framework. The inspection took place over 18 months, covering all transactions executed at Anand Rathi from 1 April 2023 to 31 August 2024. Its purpose was to establish whether Anand Rathi had put in place sufficient technological safeguards and risk management processes to protect both market infrastructure and investor data.


Following the thematic inspection, SEBI identified non-compliances by Anand Rathi with its Cyber Security framework generally and with the SEBI (Stockbroker) Regulations 1992 specifically. On the basis of these findings, SEBI determined that Anand Rathi's systems, policies and operating processes failed to meet SEBI's requirements for the protection of market infrastructure and investor data. SEBI accordingly imposed a monetary penalty of ₹10,00,000 on Anand Rathi, payable to SEBI within 45 days of notification of the penalty.


Cybersecurity Issues Identified

The examination of the firm's cybersecurity practices revealed several technological and operational lapses, also described as cybersecurity deficiencies (the two terms are used interchangeably here). These deficiencies represent the kinds of risk that regulators are seeking to mitigate, given the realities of a digital financial ecosystem.


Weak Password Control / Weak Password Policy Implementation- One of the more significant (<50%) observations noted by SEBI was the lack of a consistent process for implementing a password policy. Operationally sound password control is an integral requirement for creating barriers against unauthorised access to critical systems and client data. Weak password practices increase the likelihood of system compromise and identity theft.


No Multi-factor Authentication (MFA)- SEBI also noted that many users did not have MFA enabled on the firm's systems. Multi-factor authentication (MFA) is now widely considered one of the most basic cyber safeguards, because it requires more than one form of identity verification beyond a password alone.

Without MFA, systems are considerably more exposed to intrusion and credential compromise.


 Source: Stockphoto

 

Insufficient Capacity Monitoring- Another area noted by SEBI was the absence of an adequate mechanism for monitoring the firm's system capacity. All financial intermediaries must monitor the overall performance of their IT infrastructure and the capacity of their IT systems in order to maintain stability during periods of high-volume trading.

Without adequate monitoring of total capacity, a trader may experience significant service delays or outages, which may disrupt trading operations and ultimately erode investors' confidence.

Missing Controls for Data Leakage Prevention-

The report also noted the absence of strong controls for preventing the unauthorised transmission or disclosure of confidential information, such as client financial data. Given the volume of sensitive financial information that brokers handle, this gap creates a material operational risk.


Insufficient Vulnerability Assessment and Penetration Testing- Vulnerability assessments and penetration tests were also found to be inadequately covered. VAPT is critical to any cybersecurity management programme and helps identify weaknesses in systems before threat actors can exploit them. As threat actors continue to grow in number and sophistication, financial institutions must conduct these tests at least annually to protect themselves from potential cyber threats.


Late Reporting of Cyber Incidents- The other significant issue noted in the report was the late reporting of an unauthorised access incident. Under the SEBI Cybersecurity Framework, stockbrokers are required to report cybersecurity incidents to the relevant exchanges within six hours. The unauthorised access incident was reportedly not reported within that six-hour window. This is a violation of regulatory norms, and late reporting delays the mitigation of an incident within a reasonable timeframe.


 Source: Outlook money.com


SEBI has put in place a Cybersecurity and Cyber Resilience Framework that is meant to guide broker-dealers and other participants in the capital markets in their cybersecurity and resilience efforts. The framework was developed to enhance the overall security of financial institutions and protect the integrity of the country's capital markets.


As part of the framework, broker-dealers and all other market participant entities are required to implement a significant number of specific cybersecurity controls, including:

  • Effective and reliable means of authenticating customer identities
  • Frequent vulnerability assessments and system tests
  • Constant monitoring of IT infrastructure for performance and security issues
  • A process to report any cyber incidents
  • Protecting customer data and keeping their privacy protected

These specified cybersecurity requirements help ensure that each financial institution can effectively identify and respond to cyber threats. Because the capital markets now depend on digital technologies, regulating the cybersecurity practices of financial institutions has become a key part of the regulation governing financial markets.


Conclusion 

The penalty of ₹ 10 lakh levied by the Securities and Exchange Board of India against Anand Rathi Share and Stock Brokers reflects the increasing significance of strong cybersecurity governance in today's financial landscape. The case highlights specific factors, such as poor authentication frameworks, inadequate monitoring activities and slow reporting of cyber incidents, that can expose financial establishments to regulatory sanctions.

As India's capital markets continue to advance through digitisation and expansion, technology becomes intrinsically linked to the delivery of financial services. Cybersecurity therefore needs to be regarded as a strategic imperative rather than something management attends to only after every other business concern has been addressed. Consequently, it is incumbent upon every financial institution to institute an effective governance framework, implement proactive risk management processes, and continuously monitor the evolution of new cyber threats.



©2020 by IBSFINSTREET.
