Electronic Subscription System platform to ensure
∙ Need-based access with permission
∙ Record keeping of each entry and stay
∙ One-time password for person identification
∙ Data encryption
∙ Training for users
∙ System vulnerability audit each year
The securities regulator has asked the Dhaka Stock Exchange (DSE) to strengthen its Electronic Subscription System (ESS) so that it can deliver the best service.
DSE will address all points by this year, the country's premier bourse said in a reply to the Bangladesh Securities and Exchange Commission (BSEC).
ESS is the bourse's own online platform for conducting the bidding process of initial public offerings (IPOs).
The regulator, observing potential weaknesses in the online bidding platform, has directed the DSE to give it a sound technological base and ensure user authentication, tracing, and information encryption.
The BSEC came up with a set of observations after it formed an enquiry committee to look into the bidding process of Walton Hi-Tech Industries' IPO under the book-building method.
Too many bids concentrated near the potential cut-off price had been a significant reason that prompted the regulator to investigate the bidding process, according to BSEC sources.
Later, it was found that there were too many repeated accesses in the electronic bidding platform by designated exchange officials during the bidding period of 72 hours in early March.
The regulator also found poor traceability of the internal entrants and asked for strict record-keeping in the future so that everyone will be held responsible if classified information leaks to potential bidders.
Maintaining secrecy of auction data is a must to keep the bidding free and fair and the regulator believes that DSE should take further steps to ensure information privacy.
"Adequate protection of ESS information depends on both technical and organisational practices for privacy and security," said the BSEC in its letter, though it did not mention any findings about a categorical case of information leakage.
It also wrote to DSE, "Access control technique must be used in combination with a well-managed information depository to limit the types of data that individual users can read and enter, and the types of functions they can perform."
DSE officials recently told The Business Standard that there are three types of ESS users – system administrators, bidding observers within the exchange, and the bidders.
The exchange wrote to the regulator that it would ensure strict need-based access to information for groups within or outside the exchange, alongside keeping a record of who accesses which information, when, and for how long.
The exchange's own designated staff will also need on-record permission to access the system, together with a stated reason for access and other details.
One-time passwords (OTPs) for users will be introduced on top of the existing username and password authentication to ensure that only the exact person from the bidder institution logs in.
For data encryption, the exchange will also adopt SSL (Secure Sockets Layer) on the web platform so that information travelling over the network cannot be read by anyone intercepting the traffic.
The regulator asked DSE to resolve any licencing issues with vendors for top-quality performance and maintenance, alongside using annual third-party IT audits to cross-check for system vulnerabilities.
BSEC said the exchange should maintain retrievable and usable forms of audit trails that log all access to ESS information and the user ID under which access occurred.
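The two directives above, need-based access control limiting what each user group can read and enter, and an audit trail recording every access under a user ID, can be sketched together in code. The following is an added illustration written for this article; it is not DSE's ESS code and it does not describe how the exchange's platform is built. The three role names follow the user groups named earlier; the permission matrix, the data categories, the approval reference format, the timestamps and the repeated-access threshold are all assumptions chosen for the example.

```python
"""Need-based access control with an audit trail for an IPO bidding platform.

Added illustration, not DSE/BSEC code. Role names follow the three ESS user
groups in the article; the permission matrix, data categories, approval ids,
timestamps and thresholds are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Role(Enum):
    SYSTEM_ADMIN = "system_admin"
    BIDDING_OBSERVER = "bidding_observer"
    BIDDER = "bidder"


# Assumed permission matrix: which data each role may read and which it may enter.
PERMISSIONS = {
    Role.SYSTEM_ADMIN: {"read": {"system_config", "audit_log"}, "enter": {"system_config"}},
    Role.BIDDING_OBSERVER: {"read": {"bid_summary"}, "enter": set()},
    Role.BIDDER: {"read": {"own_bids"}, "enter": {"own_bids"}},
}
# Exchange staff must hold an on-record approval and state a reason for each access.
INTERNAL_ROLES = {Role.SYSTEM_ADMIN, Role.BIDDING_OBSERVER}


@dataclass
class AuditEntry:
    """One audit-trail record: who accessed what, when, for how long, and whether it was allowed."""
    user_id: str
    role: Role
    action: str                      # "read" or "enter"
    resource: str
    started_at: datetime
    ended_at: datetime
    granted: bool
    reason: Optional[str] = None          # required for exchange staff
    permission_ref: Optional[str] = None  # on-record approval id, required for exchange staff


@dataclass
class AccessControl:
    trail: list = field(default_factory=list)

    def access(self, user_id, role, action, resource, started_at, ended_at,
               reason=None, permission_ref=None) -> bool:
        """Decide an access request and log it regardless of the outcome."""
        granted = resource in PERMISSIONS[role].get(action, set())
        # Staff access without a recorded reason and approval is refused even if the role allows it.
        if role in INTERNAL_ROLES and not (reason and permission_ref):
            granted = False
        self.trail.append(AuditEntry(user_id, role, action, resource, started_at,
                                     ended_at, granted, reason, permission_ref))
        return granted

    def repeated_access(self, window: timedelta, threshold: int) -> dict:
        """Flag users whose access attempts inside any sliding window exceed the threshold.

        Returns {user_id: peak number of attempts in one window}."""
        by_user = {}
        for entry in self.trail:
            by_user.setdefault(entry.user_id, []).append(entry.started_at)
        flagged = {}
        for user, times in by_user.items():
            times.sort()
            lo, peak = 0, 0
            for hi, t in enumerate(times):
                while t - times[lo] >= window:   # slide the window start forward
                    lo += 1
                peak = max(peak, hi - lo + 1)
            if peak > threshold:
                flagged[user] = peak
        return flagged


def demo():
    """Constructed sequence of accesses during a bidding window (sample data, not real events)."""
    ac = AccessControl()
    t0 = datetime(2020, 3, 2, 10, 0)  # constructed start time
    # A bidder reads and enters its own bids: permitted, no approval needed.
    ac.access("bidder-001", Role.BIDDER, "read", "own_bids", t0, t0 + timedelta(minutes=5))
    ac.access("bidder-001", Role.BIDDER, "enter", "own_bids",
              t0 + timedelta(minutes=6), t0 + timedelta(minutes=7))
    # The same bidder tries to read the summary of all bids: refused, but still logged.
    ac.access("bidder-001", Role.BIDDER, "read", "bid_summary",
              t0 + timedelta(minutes=8), t0 + timedelta(minutes=8))
    # An observer without an on-record approval: refused although the role allows the resource.
    ac.access("obs-007", Role.BIDDING_OBSERVER, "read", "bid_summary",
              t0 + timedelta(hours=1), t0 + timedelta(hours=1, minutes=2))
    # The observer with reason and approval, repeated six times within fifty minutes.
    for i in range(6):
        start = t0 + timedelta(hours=2, minutes=10 * i)
        ac.access("obs-007", Role.BIDDING_OBSERVER, "read", "bid_summary",
                  start, start + timedelta(minutes=3),
                  reason="regulatory monitoring", permission_ref="APR-2020-03-0001")
    flagged = ac.repeated_access(window=timedelta(hours=1), threshold=5)
    return ac, flagged


if __name__ == "__main__":
    trail, flags = demo()
    for e in trail.trail:
        print(e.started_at.isoformat(), e.user_id, e.role.value, e.action, e.resource,
              "GRANTED" if e.granted else "REFUSED", e.permission_ref)
    print("repeated-access flags:", flags)
```

Refused requests are written to the trail as well as granted ones, because an audit trail that records only successful access cannot show who tried to reach data outside their remit. The `repeated_access` report is the kind of retrospective check the regulator's finding about repeated entries by exchange officials calls for: it works purely from the recorded trail, so it needs no extra instrumentation beyond keeping the log complete and retrievable.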
DSE will have to launch education and training programmes to ensure that all users of information systems receive a minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies.
"All computer users will complete such training before being granted access to any information systems," reads the BSEC letter.
Initially, more than a decade ago, the DSE had purchased its book-building system platform from InfoTech Middle East Company.
The vendor company, despite being well paid, used to take too much time for even minor changes within the system and later the contract was not renewed.
Later, the exchange's IT team developed its own platform which is currently in use.