SEBI issued its Cyber Security and Cyber Resilience framework for Portfolio Managers on March 29, 2023. Rapid technological change in the securities market has made a strong cyber security posture and a cyber resilience framework necessary to protect the integrity of data and prevent privacy breaches. Because portfolio managers provide critical facilities and services in the securities market, they must maintain such a framework as part of their operational risk management.
All portfolio managers with assets under management of INR 3000 crore or more under discretionary and non-discretionary portfolio management services, measured as of the last day of the previous calendar month, must comply with the provisions of the Cyber Security and Cyber Resilience framework.
Cyber security is the practice of protecting networks, computers, servers, electronic systems, mobile devices and data from malicious attacks. It is also referred to as electronic information security or information technology security.
Cyber resilience is an organisation's capacity to anticipate, withstand, respond to and recover from a cyberattack while continuing to operate, achieved by deploying and tuning the right security technologies and procedures so that the impact of security incidents is contained.
Cyberattacks and threats target the confidentiality, integrity and availability (CIA) of computer systems, networks and databases. A cyber security framework consists of the procedures, controls and tools that reduce the risk of cyberattacks and strengthen cyber resilience.
Portfolio Managers should create a thorough cyber security and cyber resilience policy document incorporating the framework outlined below as part of the operational risk management framework to manage risk to networks, systems and databases from cyber-attacks and threats.
Identifying the risk
Identifying the risk is crucial in protecting and tackling the cyber threat and its impact on the business.
The Securities and Exchange Board of India (SEBI) framework also prescribes access controls to protect portfolio managers from cyber threats.
The framework sets out the following points for physical and network security:
Portfolio Managers should deploy only hardware and software that has been tested and hardened. During hardening, default passwords must be replaced with strong ones, and all unused services must be disabled or removed from the hardware and software.
Open ports on networks and systems that are not in use, or that could be used to exfiltrate or tamper with data, should be blocked. The remaining open ports should be inventoried and monitored, and appropriate measures taken to secure them.
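The hardening points above (disable unused services, block unused open ports, keep track of the rest) can be checked mechanically. The shell script below is an added example, not text or code from the SEBI circular or from this page: it reads the output of `ss -Hltn` (listening TCP sockets, numeric, no header), reports any port that is neither loopback-bound nor on an allowlist, and prints nftables drop rules for those ports rather than applying them. The socket table in `SAMPLE_SS_OUTPUT` and the allowlist of ports 22 and 443 are constructed for illustration and are assumptions, not values from the circular.

```shell
#!/bin/sh
# Added example: audit listening TCP ports against an allowlist.

# Constructed sample in the format of `ss -Hltn`:
#   State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS_OUTPUT='LISTEN 0      128    0.0.0.0:22       0.0.0.0:*
LISTEN 0      511    0.0.0.0:443      0.0.0.0:*
LISTEN 0      128    127.0.0.1:5432   0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080     0.0.0.0:*
LISTEN 0      128    [::]:21          [::]:*'

# Ports this host is expected to serve (assumed allowlist for the example).
ALLOWED_PORTS="22 443"

# Print the Local-Address:Port column of every LISTEN row on stdin.
# Filtering on $1 also drops the header line if ss was run without -H.
listening_sockets() {
    awk '$1 == "LISTEN" { print $4 }'
}

# Given ss output on stdin, print the ports that listen on a non-loopback
# address and are not in ALLOWED_PORTS, one per line, numerically sorted.
unexpected_ports() {
    listening_sockets |
    awk -v allowed="$ALLOWED_PORTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            port = $0; sub(/.*:/, "", port)          # keep text after last ":"
            addr = $0; sub(/:[0-9]+$/, "", addr)      # keep text before ":port"
            if (addr == "127.0.0.1" || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print port
        }' | sort -n -u
}

# For each unexpected port, emit an nftables rule that would drop inbound
# TCP to it. The rules are printed for review, never executed here.
block_rules() {
    unexpected_ports | while read -r p; do
        printf 'nft add rule inet filter input tcp dport %s drop\n' "$p"
    done
}

# Run against the constructed sample. On a live host replace the sample with
# real data:  ss -Hltn | block_rules
printf '%s\n' "$SAMPLE_SS_OUTPUT" | block_rules
```

On the sample this reports ports 21 and 8080 and prints two drop rules. Loopback-only listeners (the database on 5432 in the sample) are skipped deliberately: a host firewall rule does not reach them, so if such a service is genuinely unused it must be disabled at the service level, which is the "remove unused services" part of the hardening step. Port-level blocking is a stopgap for the externally reachable ports; the durable fix for an unneeded listener is to stop it.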
Portfolio managers must ensure that regression testing is carried out before a new or modified system is put into production. The tests should cover business logic, security controls, and system performance under various stress-load scenarios and recovery conditions.
Portfolio managers should implement patch management protocols and ensure they include identifying, classifying, and ranking security fixes. An implementation schedule for each category should be set to implement security patches in a timely manner.
To ensure that the application of security patches does not have an adverse effect on other systems, portfolio managers should rigorously test security patches before deploying them into the production environment.
Portfolio managers are required to undertake the Vulnerability Assessment and Penetration Testing (VAPT) in the following manner:
Alerts generated by monitoring and detection systems should be properly investigated, including impact analysis and forensic analysis, in order to determine the steps needed to stop a cyber-attack or breach from spreading, mitigate its effect, and eradicate the incident.
The Portfolio Manager's response and recovery plan should aim at the timely restoration of systems affected by cyber-attacks or breaches. The Recovery Time Objective (RTO) should be no longer than 4 hours and the Recovery Point Objective (RPO) no longer than 30 minutes.
In the event of cyberattacks or a breach of the cyber security system, the response plan should outline the duties and procedures that must be carried out by the company’s employees, support personnel, and external staff.
Any instance of data loss or system destruction should be thoroughly investigated, and the lessons learned from it applied to strengthen security controls and improve recovery processes.
Portfolio Managers should also carry out appropriate exercises on a regular basis to evaluate the sufficiency and efficacy of the response and recovery plan.
All cyber-attacks, threats, incidents and breaches experienced by Portfolio Managers must be reported to SEBI within six hours of noticing them or of their being brought to the Portfolio Manager's attention. The incident must also be reported to CERT-In in accordance with the directions CERT-In issues from time to time. If the Portfolio Manager's systems have been designated as "protected systems" by NCIIPC, the incident must also be reported to NCIIPC.
Quarterly reports must be submitted to SEBI within fifteen days of the end of each quarter (June, September, December and March). These reports cover the cyber-attacks, threats, cyber-incidents and breaches experienced by the Portfolio Manager and the measures taken to mitigate vulnerabilities, threats and attacks, together with information on bugs, vulnerabilities and threats that may be useful to other Portfolio Managers.
Details that are deemed helpful for anonymised distribution with other portfolio managers must be shared using a mechanism that SEBI will periodically describe.
To conclude, maintaining a robust cyber security and cyber resilience framework to ensure data integrity and prevent privacy breaches is necessary in the modern technological environment. The circular is issued under the authority granted by Section 11(1) of the Securities and Exchange Board of India Act, 1992, read with Regulation 43 of the SEBI (Portfolio Managers) Regulations, 2020, to protect the interests of investors in the securities market and to promote the development of, and regulate, the securities market.
I am a driven and meticulous professional who completed a B.Com BL (Hons) from Tamil Nadu Dr. Ambedkar Law University and a Master of Laws with specialisation in Criminal Law with Cyber Crimes. I have extensive experience in Criminal Litigation and want to utilise my legal knowledge in writing as well; I have proficiency in writing legitimate content with comprehensive research. My core areas of interest are Business Law, Intellectual Property Rights, and Cyber Crimes.