BSE issues directive for encrypting traders’ messages

Indian stock exchange BSE (Bombay Stock Exchange) sent out a notice regarding the implementation of encryption for messages exchanged to its trading platform via the Enhanced Trading Interface (ETI). ETI is the exchange’s interface for traders. This directive, issued on May 27, asks for all the messages exchanged between the member applications and trading engines to be encrypted by the sender and decrypted by the receiver using the AES 256 encryption algorithm.

The test simulation for the encryption has been available from March 28. The discontinuation date of non-encryption channels in simulation has been extended from May 13 to June 8 now. “ All existing applications working on non-encryption channel will not be able to connect to simulation post June 8, 2024. Thus, all member applications are requested to complete the development of encryption before the discontinuation date,” the bourse’s notice said. Both the encryption channel and non-encryption channels will be supported simultaneously.

As per The Register’s report quoting unnamed sources, the communication between BSE and brokers was already encrypted. The new directive is for brokers requesting price quotes from the platform, which is a potentially valuable source of information as it may indicate a possibility of trade moving to the market.

To be sure, the National Stock Exchange, in September last year, issued a similar directive to protect security of interactive messages end-to-end. The exchange said in its filing that a combination of TLS 1.3 security protocol and AES-256 would be implemented to encrypt interactive message traffic between member applications and Exchange. The encryption of messages between member and client will be done by the respective members. 

To be sure, the market regulator, the Securities and Exchanges Board of India (Sebi) issued guidelines in August 2023 for the cybersecurity posture of stock exchanges and other market infrastructure institutions (MII). Under the guidelines, the MIIs need to maintain encrypted backups of data and regularly test them for confidentiality, integrity, and availability.