I was going through the T&C of CDSL and this caught me off-guard,
“Despite all possible security measures that CDSL takes to keep Site free from hacking and other interference, the Site, like any other website, is not free from such risks. CDSL disclaims all liability on account of any loss or damage that any user may suffer or incur on account of any alteration or manipulation of any data or information accessed or downloaded by the user from the Site”
And this quote from a NASA Engineer is what hit me,
‘I felt exactly how you would feel if you were getting ready to launch and knew you were sitting on top of 2 million parts — all built by the lowest bidder on a government contract.’
It got me thinking, how secure are the Depositories technically given they don’t even offer 2FA?
What is stopping say a Russian/Chinese hacking group to hold it for ransom or delete the database?
Are these Depositories diversified enough with multiple servers in different physical locations to mitigate this?
Can anyone throw light on this?
Yes this may look like extreme form of some phobia, but hey it’s my majority portfolio of assets lying with these Depositories and this is definitely a risk factor that needs to be assessed. @nithin
long back ago, i have read somewhere (don’t know the web address) that the exchanges, depositories have their alternate servers in diff regions ( more than 4 metro cities in India & many countries like US, UK, Germany, France etc).
i forex trading you might seen that sometimes the OHLC data of eur/usd (other 24 hour trading symbols) described with Europe session, US session, asia session. that time the trading servers & data has been shifted to other server location.
in this case if 2 or more servers has been hacked/locked with ransomware or destroyed by any missile attack, then for safety the remaining servers either get disconnected to avoid future data loss or regulators can declare to stop any new transaction to avoid any error.
Unlike Money that can be transferred and withdrawn/spent, you can’t really do that with securities. So assuming CDSL gets hacked and say you have 100 shares of Reliance. What can the hacker do with the 100 shares? The only thing he can do is to move it to another Demat account with NSDL or CDSL.
The shares transferred can be sold and withdrawn to a bank account. But this takes atleast 3 days. The hack will most likely be spotted by then and accounts blocked.
Agreed, the hacker can’t really do anything with the securities. But on a large enough scale, the resulting sheer chaos in just deleting the whole database in itself is a big payout for them. Do CDSL/NSDL really have offshore servers like Forex exchanges?
Does investors protection fund compensation for losses due to hack of depository , trading member or stock broker weather done to individual investors account or in bulk.
@yuvananda its just not backup available. They have multiple command centers called data centers spread across regions. They can restore database to last clean state as frequently as hourly. Like they have backup snapshots taken at multiple points of the day.
There are also failover db servers hosted and a robust bcp process.
Found this mentioned in the Annual Report of CDSL (Page 91) -
CDSL has been certified for ISO27001 for its Information Security Management System. It protects information throughout the life span, from its initial creation to its final disposal. CDSL infrastructure has multiple back-up levels which includes a redundant fail-over cluster and a seamless switchover to the Disaster Recovery System (DRS). The DRS is located at a different seismic zone. The Company has been awarded ISO 22301:2012 certification for its Business Continuity Management System.
The exchange’s IPFs have a very specific purpose. As per NSE Byelaws (Page 52), they can be utilized for -
CHAPTER XIII
INVESTOR PROTECTION FUND
In respect of such market segment of the Exchange as may be prescribed by the Exchange, an Investor Protection Fund (IPF) to be held in trust by National Stock Exchange Investor Protection Fund Trust (Trust) shall be maintained to make good claims for compensation which may be submitted by a trading member’s Constituent who suffers loss arising from the said trading member being declared as a defaulter by the Exchange under Chapter XII. No claim of a claimant, who is a Trading Member of the Exchange or an associate of a Trading Member, shall be eligible for compensation from the IPF unless he has acted as a Constituent of the said trading member to the extent permitted by the Exchange
But, later in NSE Byelaws (Page 56), the following is also mentioned -
The balance of the IPF lying unutilised with the Trust shall continue to be utilised only for such purposes as prescribed by SEBI. In the event of winding up of the Exchange, the balance lying unutilised with the Trust shall be transferred to SEBI. The funds will be maintained in a separate account and SEBI would act as Trustee of these funds to be utilised for purposes of investor education, awareness and research.
Also, Depositories have a separate Investor Protection Fund. According to a SEBI Circular for IPF of Depositories, those funds can be utilized for -
Utilization of the IPF
The IPF may be utilized for the following purposes with a focus on depository related services:
i. Promotion of investor education and investor awareness programmes through seminars, lectures, workshops, publications (print and electronic media), training programmes etc. aimed at enhancing securities market literacy and promoting retail participation in securities market.
ii. To aid, assist, subsidise, support, promote and foster research activities for promotion/ development of the securities market.
iii. To utilize the fund for supporting initiatives of Depository Participants for promotion of investor education and investor awareness programmes.
iv. To utilize the fund in any other manner as may be prescribed/ permitted by SEBI in the interest of investors.
It looks like SEBI can direct the depositories and exchanges to use their IPFs as it deems fit. So theoretically, SEBI could order them to use their IPFs for compensation in case a depository/exchange/broker got hacked but there isn’t any precedent for this in the past.
Other than this, SEBI also has its own IPEF (Investor Protection and Education Fund). There is an year old article which shares the corpus size of various IPFs -
The IPF of the particular exchange where the client traded via the defaulting broker will settle the respective claim. BSE and NSE explained how an investor can make a claim for compensation from IPF for a defaulting/expelled trading member (aka broker).
In the recent case of Karvy’s default, both NSE’s (Video) and BSE’s (Circular) IPFs are accepting requests from investors for claims. In its Confirmatory Order (Page 16), SEBI mentioned that "NSE shall invite and deal with the claims of the clients of KSBL, in accordance with its bye-laws. "
Also, in Karvy’s case, NSDL has recently decided to sell the Demat accounts of Karvy clients to other brokers and use the proceeds from the sale to settle the dues owed to Karvy’s clients -
