Buch noted that standard archetypal disaster recover plans only account for location downtime and hardware and network breakdowns, and not software breakdown and contamination.
“In a cyber attack, it’s your software that will get attacked; so through transmission, your DR site will also get contaminated. So, we worry a lot about this,” she said.
In this regard, the capital market regulator has gotten the country’s two biggest exchanges — NSE and BSE — to have in place a mechanism.
“This is work in progress now. I think we will go live about March next year where now you are mitigating against software risk”, Buch said.
Under the proposed mechanism, she explained, all the data of every client’s positions and collaterals which is there in exchange ‘A’ is online and “going and sitting in a storage box next to exchange ‘B’, in its data centre.
“If exchange ‘A’ goes down and if SEBI determines that this is on account software attack — meaning cyber attack — and it’s not going to be possible for their DR site to come up in time, SEBI will press the button for that data to be uploaded into exchange ‘B”s system, their software.
And now every participant in the market can operate on exchange ‘B’ as though he was operating on exchange ‘A’.
Buch added in an interaction after her lecture on ‘Data and Technology in the Capital Market’ at the Indian Institute of Management Bangalore: “This has never been done in the world. And we will be the first to do this.”
“When the cyber attack happens, and it will happen one day, we all know that. And when this system kicks in, we would have prevented something. No body will see it as something (cyber attack) happened. (But see that) it didn’t happen”, Buch said.