Capital market regulator SEBI has directed stock exchanges to ensure that additional security measures are taken by brokers offering internet-based trading (IBT) and securities trading using wireless technology (STWT).
In a circular on Thursday, SEBI said that brokers should capture the internet protocol address (a unique address that shows the location of origin of an order) for all IBT and STWT orders.
“This would help brokers to capture the exact location from where a client is placing orders,” said Mr Subhash Sharma, Senior VP Operations, Gupta Equities. “The administrator terminal located at a broker's place would recognise only the IP address that is captured by the trading software (for exe based internet trading) as the IP address would be static in nature and reduces the risk of hacking or impersonation.”
Experts said that the use of a static IP address was more secure than the use of a variable IP address.
SEBI said that brokers should have built-in high system availability to address any single point of failure. The system should secure data transmission using end-to-end encryption (using a secure standardised protocol, SSP) and a procedure of mutual authentication between the servers of the broker and his client.
SEBI has also asked for systems to have adequate safety features against internal and external attacks and has asked brokers to have an alternative channel of communication with clients that has adequate capabilities to identify and authenticate clients.
SEBI has advised brokers to use two-factor authentication for a login session, one to get into the system and the other to execute a transaction, where the two factors used should not be the same.
Further, they have also been told to use digital signatures supported by government certified agencies.
Systems should log out automatically in case there is no activity by the client during a session to ensure safety, said SEBI. Brokers have been asked to implement these within nine months from the date of this circular.
SEBI has also asked brokers to have disaster recovery centres at another location so that brokers are able to deliver on-site as well as from their remote sites.
Exchanges have been directed to have a system that monitors complaints on unauthorised access using IBT and make necessary amendments to their bye-laws, rules and regulations.
They have also been asked to inform all member brokers, put up the circular on their Web site and communicate the implementation status to SEBI.