cybersecurity regulation for thai capital market ดร.กำพล ศรธนะรัตน์ ผู้อำนวยการฝ่ายเทคโนโลยีสารสนเทศ สำนักงานคณะกรรมการกำกับหลักทรัพย์และตลาดหลักทรัพย์

Cybersecurity Regulation for Thai Capital Market.
The First NIDA Business Analytics and Data Sciences Contest/Conference
วันที่ 1-2 กันยายน 2559 ณ อาคารนวมินทราธิราช สถาบันบัณฑิตพัฒนบริหารศาสตร์
https://businessanalyticsnida.wordpress.com
https://www.facebook.com/BusinessAnalyticsNIDA/
ดร.กาพล ศรธนะรัตน์ วทม. (NIDA) Ph.D.
ผู้อานวยการฝ่ายเทคโนโลยีสารสนเทศ
สานักงานคณะกรรมการกากับหลักทรัพย์และตลาดหลักทรัพย์
นวมินทราธิราช 4002 วันที่ 1 กันยายน 2559 10.15-11.15 น.

Cybersecurity Regulation for
Thai Capital Market
กำพล ศรธนะรัตน์
Kumpol Sontanarat
ICT Department Director, Thailand SEC
Board Member of Electronic Transaction Commission
Chairman of CIO16 Association
Chairman of Thailand IT Architect Association

Time Line
Initial: IT , Intermediaries Policy and Development Dept,
Investment Management Supervision and Inspection Dept,
Market Supervision Dept, Broker-Dealer Supervision and Inspection Dept
AUG 2014
MAR 2015
MAR 2015
Conduct 1st public hearing on on website
Conduct public hearing :1st Focus group ->Intermediaries , SET
Publish FAQ
Conduct GAP survey : Governance , Security and Fintech issuesJUN 2016
SEP 2016 Issue new regulation with 1 year grace period
Develop guideline for examinerQ3 2016
Conduct audit program through RBAAUG 2017
4

Knowledge Background
• Risk Framework and IT Best Practices
• IOSCO Principles
• Lessons Learned
5

Knowledge Background
Risk Framework and IT Best Practices
6

Current IT Risk Framework
• Time to review?
7

8
Current IT Risk Framework
• All of risks associated with authorization, completeness
and accuracy of transactionsIntegrity risk
• Risks associated with data restriction both overly
restrictive and not adequately restrictedAccess risk
• The risk that SI does not have the IT infrastructure to
run its business efficiently or cost-effective fashion
Infrastructure
risk
• Unavailability of important information when needed
threatens the continuity of critical SI’s critical
operations
Availability risk

IT Risk : Turning Business Threats into
Competitive Advantage
• Analysis of 134
surveys
• Empirical study
• IT risk pyramid
9

IT Risk Pyramid
Agility
Accuracy
Access
Availability
Future
capability
Present
capability
Hard to
quantify
Easy to
quantify
Source: IT Risk – Turning business threats into competitive advantage – George
Westerman, Richard Hunter, Harvard Business School Press
10

11
IT Risk Pyramid (Cont.)
• Poor IT-business relations
• Poor project deliveryAgility
•Applications do not meet business requirements
•Manual data integration required
•Significant implementation under way or recently completed
Accuracy
•Data not compartmentalized
•Applications need standardization
•Lack of internal controls in applications
•Network not reliable at all locations
Access
•High IT staff turnover
•Poor backup/recovery
•Infrastructure not standardized
•Poorly understood processes and applications
Availability

IT Risk : View of IT Risk in business term + GRC
• Emphasized on core
principles
– Well-structured
(Technology)
– Well-designed
(Process)
– Risk-aware culture
(People)
Agility
Accuracy
Access
Availability
Governance of Enterprise IT
Having integrated view of IT risks in
business term
12

What part is missing?
Integrity
Infrastructure
Access
Availability
Agility
Accuracy
Access
Availability
13

Intended Outcome
Next Step
- Develop audit checklist for
SEC’s auditor
- Build up sector-based
Incidence Response Plan
Industry-wide cyberdrill test
To 4A’s IT Risk Framework (Focus more on Business-IT Alignment)
Access Availability Accuracy Agility
Change from Current IT Risk Framework (Focus on IT Risk)
Access Availability Integrity Infrastructure
14

IT Best Practices Adoption
» COBIT 5 : Control Objectives for
Information and related
Technology - mainly contributed
by:-
• ITIL – Information Technology
Infrastructure Library
• ISO/IEC 27001 (Major contributor
for our new regulation)
15

Knowledge Background (Cont.)
• IOSCO Principles
16

Require risk
control from
ourselves
Regulator
Require risk
control from
regulated
entity
POC
Law & RegulationLaw & Regulation
IT governance toolIT governance tool
COBIT (IT GRC)COBIT (IT GRC)
IT best practiceIT best practice
ITIL
(service)
ITIL
(service)
ISO27001
(security)
ISO27001
(security)
……
Enterprise risk management standardEnterprise risk management standard
COSOCOSO Thai OAGThai OAG IOSCO PrinciplesIOSCO Principles
Peer RegulatorsPeer Regulators
Organization
Conduct Gap Analysis in compliance with
IOSCO Principles
SEC FrameworkSEC Framework IOSCO / Other RegulatorsIOSCO / Other Regulators
17

List of IOSCO Principles
Principles for Intermediaries
• IOSCO : Report on securities activity on the internet III, Oct 2003
• IOSCO : High-level principles for business continuity, Aug, 2006
• IOSCO : Principles for direct electronic access to markets, Aug 2010
• IOSCO : Cyber-Crime, Securities Markets and Systemic Risk, Jul 2013
• IOSCO : Report on social media and automation of advice tools survey, Jul 2014
• IOSCO : Market intermediary business continuity and recovery planning, consultation
paper, April, 2015
Principles for Exchange
• IOSCO : High-Level Principles for Business Continuity, Aug 2006
• IOSCO : Regulatory Issues Raised by the Impact of Technological Changes on Market
Integrity and Efficiency, Oct 2011
• IOSCO : Principles of Securities Regulation, Aug 2013 (revised)
• IOSCO : Principles for Financial Market Infrastructures (PFMI), Apr 2012 + Guidance
on Cyber Resilience for FMI (2015)
• IOSCO : Mechanisms for Trading Venues to Effectively Manage Electronic Trading
Risks and Plans for Business Continuity, Apr 2015
Legally binding agreement
Cyber governance
18

Samples: IOSCO Principles’ gap assessment
item Regulators should do Regulated entities should do
Principles for
direct electronic
access to markets,
Aug 2010
Principle 1 : minimum customer standards
- บล. ควรกำหนดให้ลูกค้ำที่จะใช้บริกำร DEA ต้องผ่ำนมำตรฐำนขั้นต่ำ โดยมีฐำนะทำงกำรเงินที่แข็งแกร่ง พร้อมทั้งมีกระบวนกำรให้
มั่นใจว่ำลูกค้ำมีบุคลำกรที่เชี่ยวชำญและคุ้นเคยกับ market rules + มีควำมรู้อย่ำงเพียงพอที่จะใช้ระบบ DEA
- market authority ควรมีเกณฑ์กำหนดให้ บล. ต้องจัดให้มี min. customer standard
Principle 2 : legally binding agreement
ควรมีสัญญำระหว่ำง บล. กับลูกค้ำ ซึ่งกำหนดข้อตกลงในกำรใช้บริกำร รวมถึงเชื่อมโยงควำมรับผิดชอบ
จำก บล. ไปสู่ลูกค้ำโดยตรง ทำให้ market authority สำมำรถเอำผิดลูกค้ำโดยตรงได้
Principle 3 : Intermediary's responsibility for trades
บล. ยังคงไว้ซึ่งควำมรับผิดทั้งหมดสำหรับทุกคำสั่งที่เกิดขึ้น (ซึ่งรวมถึงกรณีที่อนุญำตให้ sub
delegate) โดย บล. ควรให้ ultimate customers ปฎิบัติตำมมำตรฐำนที่ บล. กำหนดเช่นเดียวกับ
ลูกค้ำรำยอื่น ๆ ของบริษัท และควรจัดให้ DEA customers ต้องจัดทำ legally binding
agreements กับ ultimate customers ด้วยเช่นกัน
Principle 4 : Customer Identification :
บล. ควรเปิดเผย identity ของลูกค้ำต่อ market authority เมื่อได้รับกำรร้องขอ (เพื่อ facilitate
งำน market surveillance) ซึ่งกำรเปิดเผยดังกล่ำวรวมถึงกรณี sub delegate ด้วย
Principle 5 : Pre- and Post-Trade Information :
บล. ต้องสำมำรถเข้ำถึงข้อมูล pre / post trade info. แบบ real time เพื่อให้สำมำรถนำข้อมูล
ดังกล่ำวไปใช้ในกำรติดตำม + ควบคุมกำรบริหำรควำมเสี่ยงได้อย่ำงเพียงพอเหมำะสม
19

รายการ Regulators ควรทา Regulated entities ควรทา
Principles for direct
electronic access to
markets, Aug 2010
Principle 7 : Intermediaries
บล. ควรจัดให้มีกำรควบคุม ซึ่งรวมถึงกำรมี automated pre trade control ที่สำมำรถ
ป้องกันลูกค้ำส่งคำสั่งที่เกิน existing position / credit limit อย่ำงมีนัยสำคัญ
(โดยเฉพำะพวก algo หรือ HFT)
Principle 8 : Adequacy of systems :
บล. + market infra ทั้งหมด ควรมี operational and technical capability ที่จะบริหำร
จัดกำรควำมเสี่ยงที่อำจเกิดจำก DEA ได้ โดยต้องมั่นใจได้ว่ำทุกอย่ำงทำงำน properly
/ มี capacity เพียงพอ + scalable to volume
ทั้งนี้ market authority อำจกำหนดให้ บล.
• จัดให้มี capability estimates สำหรับระบบ automated order routing and
execution / market info. / trade comparison
• จัดทำ capacity stress test ตำมโอกำส เพื่อให้ทรำบถึงรูปแบบ / พฤติกรรม
ของระบบภำยใต้สภำวะที่แตกต่ำงกัน
• จัดให้มี independent review ระบบทั้งหมดว่ำ perform ได้อย่ำงเพียงพอ
และมีควำมมั่นคงปลอดภัย
• จัดให้มีนโยบำยที่จะจัดจ้ำงหรือฝึกฝนพนักงำนที่มี technical skills
20

รายการ Regulators ควรทา Regulated entities ควรทา
Cyber-Crime,
Securities Markets
and Systemic Risk,
Jul 2013
• ปรับปรุง / ใช้บังคับหลักเกณฑ์เกี่ยวกับ cyber crime โดยร่วมมือกับ
authorities อื่น ๆ (เพื่อป้องกัน regulation gap)
• สนับสนุนให้เกิดเครือข่ำย information sharing ในประเด็นดังกล่ำว
• ทำหน้ำที่เสมือนเป็นศูนย์ควำมรู้แก่อุตสำหกรรม / ตอบปัญหำข้อซักถำม
/ นำเสนอ best practice เช่น cyber security / resilience / รวบรวมเคส
ที่เกิดขึ้น เพื่อวิเครำะห์หำจุดอ่อนของอุตสำหกรรม
21

Summary Matrix for Conducting GAP Analysis from
IOSCO Principles and Lessons Learned
IOSCO Principles IT-related areas Address by
High-Level Principles for
Business Continuity, Aug 2006
-Principle 1-7  Issue notification about
BCP
Regulatory Issues Raised by the
Impact of Technological
Changes on Market Integrity
and Efficiency, Oct 2011
-Recommendation 1-5  Issue notification about
IT security
Principles for Financial Market
Infrastructures (PFMI), Apr
2012 + Guidance on Cyber
Resilience for FMI (2015)
-Principle 2 : Governance
-Principle 3 : Managing
Risk
-Principle 8 : Settlement
-Principle 17 : Operational
risk
-Principle 20 : FMI Link
 Add governance issues in
new regulation
 Notification about
BCP+IT Security
Principles of Securities
Regulation, Aug 2013 (revised)
-Principle 33  Notification about
BCP+IT Security
Mechanisms for Trading Venues
to Effectively Manage Electronic
Trading Risks and Plans for
Business Continuity, Apr 2015
-Recommendation for
Managing Technology to
Mitigate Risk
-Recommendation for How
to Plan for Disruptions:
Business Continuity Plans
 Add governance issues in
new regulation
 Notification about BCP
22

Conduct Gap Analysis through COBIT
EDM02 Ensure Benefits Delivery
EDM03 Ensure Risk Optimization
EDM04 Ensure Resource Optimization
EDM05 Ensure Stakeholder Transparency
APO04 Manage Innovation BAI04 Manage Availability and Capacity
BAI08 Manage Knowledge
MEA01 Monitor, Evaluate and Assess
Performance and Conformance
MEA02 Monitor, Evaluate and Assess
the System of Internal Control
(5 processes)
(13 processes) (10 processes) (6 processes) (3 processes)
Room for improvement
23

Cybersecurity Regulation for Thai
Capital Market
24

Contents of Regulation
Ensure Risk Optimisation
Ensure Resource Optimisation,
Ensure Stakeholder Transparency
The System of Internal Control
Ensure Risk Optimisation
Ensure Resource Optimisation,
Ensure Stakeholder Transparency
The System of Internal Control
Cobit5
ISO27001 + cloud
Endorse Governance of Enterprise IT as
regulation
25

Security Requirements in compliance with
ISO/IEC 27001:2013
• 1. Information Security Policy and Compliance
• 2. Organization of Information Security
• 3. Human Resource Security
• 4. Asset Management
• 5. Access Control
• 6. Cryptographic Control
• 7. Physical and Environment Security
• 8. Operations Security
• 9. Communications Security
• 10. System Acquisition, Development and Maintenance
• 11. Supplier Relationship
• 12. Information Security Incident Management
• 13. Information Security Aspects of BCM
26

Cloud Computing Regulation
• Cloud policy
• Cloud provider management
• Monitor and review cloud services
27

Cloud policy
• Risk assessment
• Define critical services/applications
• Define type of services :SaaS, PaaS, IaaS
• Conduct due diligence of cloud provider, focus on CIA
• Analyze qualifications of provider: financial status,
capability to serve
• Communicate policy effectively with signed letter
• Establish data policy – data classification and how to
manage each data category
• Define users responsibilities – access policy i.e. multi-factor
authentication for administrator
• Regular audit requirement
28

Cloud Provider Management
• Data is belong to service users (regulated entities)
• Define cloud services to be adopted
• Define network security requirements i.e
– Implement DDoS, APT
– Segregate network zone
– Data encryption
– Implement defense in depth approach
– Hardening and access control
– clear SLA and responsibilities of provider
• Monitor / report / incidence handling, problem management, overall
performance
• Backup and recovery policy
• RTO and RPO (recovery time objectives and recovery point objective)
29

Cloud Provider Management (Cont.)
• Compensation when provider fails to deliver
• Information leak prevention policy from
provider
• Provider has no authority to access and
disclose information
• Provider has been certified in compliance with
latest international standard
• Required report from external auditor at least
once a year
30

Cloud Provider Management (Cont.)
• exit plan – retain and permanent destroy
policy
• Define sub contract of cloud with full
obligation of main provider
31

As Users (regulated Entity)-
Monitor and review cloud services
• Monitor to ensure provider can provide qualified
services through agreement and inline with
standards
• Assess and conduct provider capacity planning
regularly
• Review term and condition of agreement when
significant changes occur
• Review service provider regularly –financial
status, process, efficiency and capability to serve
32

33
Require more from
Regulated Entity
• Apart form security requirement, new regulation also
requires more on:
– Information security incident management
– Cyberdrill test / scenario based testing
– Conduct BIA and report to board member
– Archive report/log for auditing
– Report to regulator when system disruption, system
compromised and harm to reputation
– Conduct Penetration Test and Vulnerabilities Assessment
• 1 year grace period from September 2016-Auygust
2017

Require more from Regulator
• Initiate Sector-based Incidence Response Plan
with peer regulators and critical infrastructure
– Information sharing
– Public announcement
• Conduct Industry-wide Cyberdrill Test
34

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

More from BAINIDA

More from BAINIDA (20)

Recently uploaded

Recently uploaded (20)