SEBI tweaks cybersecurity and cyber resilience framework for AMCs

By Fiona Mehta


The Securities and Exchange Board of India (SEBI) in June 2022 tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.

AMCs have been asked to submit a declaration from the managing director (MD) and chief executive officer (CEO) to stock exchanges and depositories, along with the cyber audit reports, certifying compliance with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular. The new framework will come into force on July 15, 2022.

Under the new framework, asset management organisations must identify and classify important assets based on their sensitivity and criticality for company operations, services, and data management.

Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.

All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.

The board of the AMC is required to approve the list of critical systems.

“To this end, Mutual funds/ AMCs shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows,” Sebi said.

According to SEBI, AMCs must conduct regular Vulnerability Assessments and Penetration Tests (VAPT) covering critical assets and infrastructure components, in order to detect security vulnerabilities in the IT environment and to obtain an in-depth evaluation of the security posture of the system through simulations of real attacks on their systems and networks.

AMCs are required to conduct VAPT at least once in a financial year. However, the mutual funds/ AMCs, whose systems have been identified as “protected systems” by National Critical Information Infrastructure Protection Centre (NCIIPC) need to conduct VAPT at least twice in a financial year.

Further, they are required to engage only CERT-In (Indian Computer Emergency Response Team) empanelled organisations for conducting VAPT. Within a month from the completion of the VAPT, the final report must be submitted to Sebi with the approval of the technology committee of respective AMCs.

“Any gaps/vulnerabilities detected shall be remedied on an immediate basis and compliance of closure of findings identified during VAPT shall be submitted to the stock exchanges/depositories within three months post the submission of final VAPT report,” the regulator said.

Earlier, the regulator came out with a modified cyber security and cyber resilience framework for stock brokers and depository participants, market infrastructure institutions (stock exchanges, depositories and clearing corporations) and KYC registration agencies (KRAs).

WhatsApp Lottery Scam

By Fiona Mehta


Scammers are sending WhatsApp messages to users claiming that they have won a lottery of Rs 25 lakh; it is a scam to fool people and take their money.


In such cyber frauds, fraudsters send WhatsApp messages to unsuspecting victims from unknown numbers, claiming that their mobile number has won a Kaun Banega Crorepati (KBC) lottery worth Rs. 25 lakhs, and that they must contact someone whose number is provided in the same WhatsApp message in order to claim it. This is also known as the KBC lottery fraud.

When the victim calls the above-mentioned number to claim the money, the scammer informs him or her that they must first pay a refundable fee for lottery processing, as well as GST and other fees. Once the victim has deposited the money, they begin to demand more money under various pretexts. The con artists insist on interacting exclusively over WhatsApp. They get the victim to deposit money in multiple bank accounts, and the scam continues for weeks or even months, depending on how long they can persuade the victim to deposit money.

After a while, they begin informing the victim that the lottery prize has been increased to Rs. 45 lakhs, then Rs. 75 lakhs, and so on, in order to keep the victim engaged and interested. Finally, when the victim becomes adamant about receiving the money or refuses to pay any more, they stop phoning him or her and delete the WhatsApp numbers used in the fraud.

Recently, a 56-year-old woman from Mumbai fell prey to the Kaun Banega Crorepati (KBC) lottery fraud in April 2022, losing Rs 1.32 lakh after she received a message stating that she had won a prize money of Rs 25 lakh.


Safety Precautions:

  1. Any message informing you that you have won a lottery or a prize is, in all likelihood, a fraud.
  2. A closer look at such messages will show poor drafting, grammatical errors and other glaring signs that the message is not genuine.
  3. These frauds exploit your greed. Blinded by it, you forget to take basic precautions such as discussing the message with family members or verifying the information through alternate means.
  4. In any genuine lottery or prize, the tax component and other charges are deducted from the prize money and the winner receives the net amount. So ask yourself why you have to pay these charges in advance to get the so-called lottery money. The answer is that it is a fraud and there is no money that you have won.
  5. If the caller insists on maintaining secrecy, it is a sign that there is something fishy about the whole thing.
  6. Follow the thumb rule: never transfer funds to unknown persons or entities in anticipation of high returns. Those returns are never going to materialise.
  7. If you are defrauded, lodge a complaint at your nearest police station describing the complete incident, along with the supporting documents.

Centre weighs Panel to rule on Appeals against Social Media Takedowns

By Fiona Mehta


The Ministry of Information Technology has requested public feedback on changes to IT rules that went into force last year, with the goal of regulating content and encouraging companies to respond more quickly to legal requests to remove posts and provide information about message originators.


The Indian central government is considering establishing an appeals body with the authority to overturn social media companies’ content moderation judgments, the Information Technology ministry announced on June 2, 2022, in what would be the first such action of its type in the world.

The information was revealed in a paper seeking public input on proposed changes to IT rules that went into effect last year and aim to regulate social media content and hold companies like Facebook, YouTube, and Twitter more accountable. According to the paper made public on Thursday, there might be more than one such appeal tribunal. It establishes a 30-day deadline for appeals against company grievance officers’ rulings, followed by another 30-day period for the panels to consider the subject.

Social media companies must already have an in-house grievance redress officer and designate executives to work with law enforcement. In a newly added clause, the draft guidelines state that “the intermediary shall respect the rights guaranteed to individuals under the constitution,” referring to social media businesses.

India ranks among the largest sources worldwide of government requests for content takedowns to Twitter Inc and Meta Platforms Inc. Facebook saw a 38% rise in hate speech, and Instagram an 86% rise in violent content, in April 2022.

According to Apar Gupta of the Internet Freedom Foundation, the ministry’s plan will give it more power over social media platforms by allowing it to hire personnel to oversee content moderation decisions. “This is problematic, for this committee will lack any autonomy and is being formed without any statutory, or clear legal basis,” added Gupta, the group’s executive director.

Tensions have risen between India’s nationalist government and Twitter, which refused to completely comply with instructions last year to remove accounts and messages accused of disseminating false information about farmers’ demonstrations against the government.

Last year, government authorities indicated that if social media companies failed to respect domestic information and technology rules, they may no longer be eligible for liability protections as intermediaries or hosts of user content.

Govt. frames cyber security norms: Report breach within six hours

By Fiona Mehta


The ministry of electronics and information technology announced its first-ever cyber security policy in May 2022, requiring service providers, intermediaries, data centres, body corporates, and government entities to report any breaches or leaks within six hours of being alerted.

The policy will come into effect within 60 days. It will have far-reaching ramifications for how the entities mentioned above collect and store data, the period for which that data must be retained, and the mandatory requirement to share it with the government in case of a breach.

Parallel to this, the government is also working on a new cyber security policy, which has been in the works for over two years and proposes a multi-stakeholder framework to check propaganda, deception, disinformation and “adversarial narratives” being peddled on the websites of social media companies, people familiar with the matter said. Called the National Cyber Security Strategy, 2021, the policy stresses the need for a legislative framework to address the emerging challenges in the technology space.

Incidents that must be reported under the CERT-In policy include:

  • targeted scanning/probing of critical networks/systems;
  • compromise of critical systems/information;
  • unauthorised access of IT systems/data;
  • defacement of a website, or intrusion into a website and unauthorised changes such as inserting malicious code or links to external websites;
  • malicious code attacks such as the spreading of viruses, worms, Trojans, bots, spyware, ransomware or cryptominers;
  • attacks on servers such as database, mail and DNS servers, and on network devices such as routers;
  • identity theft, spoofing and phishing attacks.

The National Informatics Centre, which runs most government servers, has itself been the target of several phishing attacks in which the email IDs of senior officials were compromised.

Moreover, for the purposes of cyber incident response and of protective and preventive actions related to cyber incidents, service providers, intermediaries, data centres and body corporates are mandated to take action, provide information or render any such assistance to CERT-In as may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. They have also been asked to appoint a point-of-contact officer.

The above-mentioned entities have also been asked to enable logs of all their information and communications technology systems and to maintain them securely for a rolling period of 180 days within the Indian jurisdiction. If needed, these logs will have to be shared along with the report of any incident, or when ordered/directed by CERT-In.

Maintain Accurate Information:

Aside from this, “virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN service) providers, have been asked to register the following accurate information to be maintained for a period of five years or longer duration as mandated by the law”. The information includes validated names of subscribers/customers hiring the services, period of hire including dates, IPs allotted to/being used by the members, email address and IP address and time stamp used at the time of registration/on-boarding, purpose for hiring services, validated address and contact numbers and ownership pattern of the subscribers/customers hiring the services.

Know your customer:

As far as the virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by ministry of finance from time to time) are concerned, they shall “mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets”.

Cyber Crime against Women in India

By Fiona Mehta


With increased traffic in the virtual world, the risk of becoming a victim of cyber crime grows all the time, especially for women, who are typically perceived as easy targets. The types of internet crimes against women have grown, and the wave hasn’t stopped in India. Cyber flames, cyber eve-teasing, and cyber flirting and cheating are a few additional new generation crimes worth mentioning.

  1. Phishing – According to the National Crime Records Bureau (NCRB), cybercrime against women increased by 110% in India between 2018 and 2021. Offenders send fake emails with a link to a specific webpage in order to trick victims into entering personal information such as bank account numbers, contact information and passwords, or to install harmful viruses on the victim’s device as soon as they open the link. These emails and texts appear to come from trustworthy sources. The criminals then use the victim’s bank account and other personal information to make fraudulent transactions from the victim’s account to their own.

  2. Cyber Stalking and Hacking – Usually, a cyber stalker’s victim is new to the internet and unfamiliar with internet safety standards. Over 75% are female, according to estimates. With a few mouse clicks or keystrokes, a cyber stalker can easily locate confidential information about a potential victim. Women have become victims of cyber hacking by clicking on virus links that downloaded all of their personal information, activated the camera and microphone, and captured intimate photos and videos. Offenders then use this information and these photographs for sextortion and other favours.

  3. Cyber Defamation – The internet and social media are undoubtedly beneficial to individuals and society as a whole, but they are also a particularly rapidly growing field for potentially defamatory claims. In India, defamation is considered both a tort and a crime. It damages a person’s reputation and status, making the wrongdoer as accountable as if the wrongdoer had injured the person’s body.

  4. Sextortion – During the epidemic, this was the most common cybercrime perpetrated against women. By blackmailing the victims with their private photos or modified photographs, the perpetrators began extorting money or sexual favours. Threatening women with sexual video calls/images or messages was a result of the pandemic and lockdown frustration. In addition, the loss of income prompted perpetrators to extort money from the victim by threatening them with modified photographs.


Legal Provisions:

There are no specific provisions in the IT Act, 2000 that deal with crime against women, as the provisions of the Indian Penal Code, the Constitution of India or the Code of Criminal Procedure do.



  • Keep a watch out for insignificant/false phone/email messages.
  • Do not respond to, or click on, emails that request personal information.
  • Keep an eye out for bogus websites that attempt to steal your personal information.
  • If a person is a victim of cybercrime, he or she should inform the nearby cyber cell or police department in their city.


WhatsApp Scam: Stealing money with a missed call

By Fiona Mehta


Cyber crime in India has increased substantially over the past few years. A recent complaint, dated 6th May 2022, was registered with the cyber crime department by a girl.

In her complaint, she states that she got a call from an unknown number saying that she had filed a complaint regarding internet/network issues. The scammer asked her to dial *401* followed by a phone number, so that they could help her with her complaint. After following this procedure, she got a notification from WhatsApp saying ‘you have logged in from a new device’, and she was eventually unable to access her WhatsApp account.

When you dial this number, you enable call forwarding to the scammer’s number. This way the scammer is able to receive all the calls made to your mobile number, including verification calls, and eventually gains access to your WhatsApp account. After this, the scammer keeps messaging your contacts asking for money.

A similar scam has been running on Facebook for several years, where a link is forwarded to everyone in your friends list through the Messenger app, and clicking on this link compromises your account. Having taken over your account, the scammers can contact all your friends impersonating you and steal money.


Precautions you can take to save yourself from such scams:

  1. Verify the caller, verify the source of the message received, and refrain from clicking on the link no matter how tempting it looks. Block or report the number you got the message or call from.
  2. Activate two-factor verification on all your social media apps.
  3. If you get a call asking you to dial any number prefixed with *, do not do so. Prefer going to your network provider in person to deal with any issue you have.
  4. Do not share your personal information.


What can you do if you have been scammed?

  1. Inform your family and friends immediately.
  2. If you have been scammed, or if anyone has even tried to scam you, report it to the National Cyber Crime Portal of India.
  3. Block your SIM card, freeze your bank account and change all your important passwords.
  4. Do not forget to enable two-factor verification. This way no one will be able to log in even if they get the OTP for verification.