Decoding the data protection mandates in the Indian securities market

0
705

Since the COVID-19 lockdown was imposed, cyberattacks are increasing in India. Therefore protecting sensitive business data has become more important than ever before. This is particularly true for securities and investment businesses that collect and manage a huge amount of personal data of their clients. Nearly 45% of Asia-Pacific organizations experienced a violation or failed a compliance audit in the last year.

 Considering the increasing cybersecurity threats SEBI, India’s markets regulator has issued clear data protection mandates to be followed by Indian Stock Brokers, Depository Participants, Asset Management Companies, and Mutual Fund Companies. SEBI mandates, the practice of data encryption and key management that is also recommended by almost all data protection regulators. The Indian regulators like the Unique Identification Authority of India (UIDAI) as well as Reserve Bank of India (RBI) have again issued circulars ordering the adoption of data encryption along with key management. Additionally, the Personal Data Protection Act also mandates the same for protecting sensitive data.

Data encryption solutions help organizations to shield sensitive data and at the same time, it also helps them to consistently fulfill the mandates from multiple data protection regulators. Encrypting sensitive data wherever it resides becomes supreme to enterprise-wide data protection with various applications spread across on-premises, cloud, and virtual environments. Encryption keys progress through multiple phases like generation, registration, distribution, rotation, archival, backup, revocation, and destruction during their existence by managing these keys, securely and efficiently at each phase becomes elemental to the protection of data. Finally, encryption keys should be separated from encrypted data to guarantee that the encryption keys don’t fall in the wrong hands.

 In case of failure to meet the terms of the data protection mandate will cause huge damages such as heavy penalties. The Personal Data Protection Act in India recommends a rigid penalty of Rs. 15 crores or 4% of the company’s global turnover; whichever is higher, for non-compliance to the data protection guidelines. Encrypting sensitive data and securely managing the encryption keys moderate data breach risks and helps organizations to stick to the data protection mandates.