By Fiona Mehta
The Securities and Exchange Board of India (SEBI) June 2022 tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.
AMCs have been asked to submit a declaration from the managing director (MD) and chief executive officer (CEO) to stock exchanges and depositories, along with the cyber audit reports, certifying compliance with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular. The new framework will come into force on July 15, 2022.
Under the new framework, asset management organisations must identify and classify important assets based on their sensitivity and criticality for company operations, services, and data management.
Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.
All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.
The board of AMC is required to approve the list of critical systems.
“To this end, Mutual funds/ AMCs shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.
According to SEBI, they must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) that include critical assets and infrastructure components in order to detect security vulnerabilities in the IT environment and an in-depth evaluation of the security posture of the system through simulations of real attacks on their systems and networks.
AMCs are required to conduct VAPT at least once in a financial year. However, the mutual funds/ AMCs, whose systems have been identified as “protected systems” by National Critical Information Infrastructure Protection Centre (NCIIPC) need to conduct VAPT at least twice in a financial year.
Further, they are required to engage only CERT-In (Indian Computer Emergency Response Team) empanelled organisations for conducting VAPT. Within a month from the completion of the VAPT, the final report must be submitted to Sebi with the approval of the technology committee of respective AMCs.
“Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the stock exchanges/depositories within three months post the submission of final VAPT report,” the regulator said.
Earlier, the regulator came out with modified cyber security and cyber resilience framework for stock brokers and depository participants, market infrastructure institutions – stock exchanges, depository and clearing corporations – and KYC registration agencies (KRAs).