
SEBI tightens cyber security and cyber resilience framework of mutual funds and asset management companies to safeguard investor interests

29-Jun-2022

Introduction

On 10 January 2019 the Securities and Exchange Board of India (SEBI) had prescribed the framework for cyber security and cyber resilience for mutual funds / asset management companies vide Circular No. SEBI/HO/IMD/DF2/CIR/P/2019/12.

Subsequently, SEBI had outlined a modified cyber security and cyber resilience framework for stockbrokers and depository participants, market infrastructure institutions (stock exchanges, depository and clearing corporations) and KYC registration agencies (KRAs).

In continuation thereof, partially modifying Annexure 1 of the 10 January 2019 circular, SEBI has now issued a circular on “modification in cyber resilience and cyber security framework for mutual funds / asset management companies” (June 2022 Circular).

Applicability

The provisions of this June 2022 Circular shall come into effect from 15 July 2022 and will be applicable to the following entities:

- All Mutual Funds (MFs)
- All Asset Management Companies (AMCs)
- All trustee companies / boards of trustees of MFs
- The Association of Mutual Funds in India (AMFI)

Our analysis and comments on this June 2022 Circular are outlined below.

Analysis

The crucial highlights and amendments introduced by the June 2022 Circular are as follows:

- Identification, classification, and segregation of critical assets:

  - MFs and AMCs need to identify and classify critical assets based upon their sensitivity and criticality for business operations, services, and data management.
  - Such critical assets shall include business critical systems, internet applications, communication systems, or other systems containing sensitive data, sensitive personal data, sensitive financial data, personally identifiable information (PII) etc.
  - All ancillary systems which access or communicate with critical systems, whether for operational or maintenance purposes, are also to be designated as critical assets.

- Key obligations of the board of MFs / AMCs:

  - The board of the AMCs and the trustees must approve the list of critical assets.
  - For this purpose, all MFs and AMCs are required to prepare an up-to-date inventory of their hardware and systems, their network resources, connections to their network, data flows, internal and external software, and information assets.

- Stress tests - conducting Vulnerability Assessment and Penetration Testing (VAPT):

  - A periodic VAPT is to be conducted by the MFs and AMCs covering, among others, the critical assets and network infrastructure components, including servers, security devices, and other IT systems, to detect security vulnerabilities in the IT environment and to carry out an in-depth security assessment of the system through simulations of real attacks on its systems and networks.
    - VAPT shall be conducted at least once in each financial year, unless their systems have been identified as “protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC), in which case VAPT shall be conducted at least twice in a financial year.
    - VAPT vendor: only an Indian Computer Emergency Response Team (CERT-In) empanelled organisation may be engaged to conduct the VAPT assessment.
    - Within 1 (one) month of completion of the VAPT, the final report shall be submitted to SEBI, after securing approval from the technology committee of the respective MF / AMC.
  - The identified deviations or vulnerabilities shall be corrected immediately, and compliance towards closure of findings shall be submitted to SEBI within 3 (three) months from the submission of the final VAPT report.
  - Additionally, before installing a new system or updating an existing critical system, the MFs / AMCs are required to conduct vulnerability scanning and perform penetration testing.

- Time-bound reporting:

  - The MFs / AMCs shall report any cyber incident, attack, or breach to SEBI within 6 (six) hours of detecting it.
  - The incident shall also be reported to CERT-In as per the periodic guidelines and directions issued by it.
  - Moreover, MFs / AMCs whose systems have been identified as “protected systems” by NCIIPC shall also report the incident to NCIIPC.
  - The MFs / AMCs shall submit quarterly reports to SEBI within 15 (fifteen) days from the end of each quarter, detailing the cyber-attacks, threats, incidents, and breaches, and the steps taken to mitigate and overcome the underlying vulnerabilities, including information on the related bugs, so that other AMCs can use such information to adopt precautionary measures and thereby preclude further incidents.
  - The MFs / AMCs shall submit all cyber security information and related VAPT reports to the dedicated email ids: vapt_reports@sebi.gov.in and cybersecurity_amc@sebi.gov.in.

- Cyber audit:

  - At least 2 (two) times in a financial year, the MFs / AMCs are mandated to conduct a comprehensive cyber audit.
  - In addition to the cyber audit reports, all MFs / AMCs are required to submit a declaration from the managing director (MD) / chief executive officer (CEO) certifying their compliance with all periodic SEBI circulars and advisories related to cyber security.

- Systems and implementation policies:

  MFs / AMCs shall take all necessary measures to put in place systems for implementation and to modify internal policies so as to comply with this cyber security framework circular.

Comments

In the pursuit of establishing robust and enduring cyber security arrangements to protect our digital lives, we have witnessed a proliferation of cyber-related regulatory and legislative compliance requirements.

In the same vein, under this June 2022 Circular SEBI has outlined additional safeguards to preserve critical assets and prevent cyber threats, and has also prescribed the operational measures which MFs and AMCs are required to implement in case of a security breach, aimed at protecting the interests of investors.

Though these regulations considerably increase the business risk arising from non-compliance, as well as the cost and effort of operational implementation, they serve as a confidence-building measure for customers: strengthening the cyber security framework of MFs and AMCs provides added protection for their mutual fund investments and guards against their falling prey to cyber incidents.

-     Achint Kaur (Counsel)

For any queries please contact: editors@khaitanco.com



© 2021 Khaitan & Co. All rights reserved.
