Data Protection Laws

Cyber Security and Cyber Resilience Framework for Portfolio Managers

SEBI issued cyber security and cyber resilience framework for portfolio managers on March 29, 2023. The requirement for maintaining strong cyber security and having a cyber-resilience framework to secure the integrity of data and prevent privacy breaches has increased due to the securities market’s rapid technological development. To provide necessary facilities and services and carry out crucial tasks as a portfolio manager in the securities market, portfolio managers must have a strong cyber security and cyber resilience framework as part of operational risk management.

As of the last day of the previous calendar month, all portfolio managers who had assets under management totalling INR 3000 crore or more under discretionary and non-discretionary portfolio management services shall adhere to the provisions of the Cyber Security and Cyber Resilience framework.

Cyber Security and Cyber Resilience

The technique of protecting networks, computers, servers, electronic systems, mobile devices and data from malicious attacks is known as cyber security. It is often referred to as electronic information security or information technology security.

Cyber resilience refers to an organisation’s capacity to reduce the effect of security incidents by deploying and optimising the right security technologies and procedures. An organisation’s capacity to anticipate, respond to, and carry on business in the wake of a cyberattack is known as cyber resilience.

The confidentiality, integrity, and availability (CIA) of computer systems, networks, and databases are targets of cyberattacks and threats. The cyber security framework consists of procedures, controls, and instruments to reduce the risk of cyberattacks and enhance cyber resilience. 

Cyber Security and Cyber Resilience Governance

Portfolio Managers should create a thorough cyber security and cyber resilience policy document incorporating the framework outlined below as part of the operational risk management framework to manage risk to networks, systems and databases from cyber-attacks and threats.

• The Board of the Portfolio Manager or a similar body should endorse the policy document. If there are any deviations from the recommended framework, the policy document should also provide the justifications for any modifications.
• The Board or similar body of the Portfolio Manager should evaluate the policy document at least once a year to strengthen and improve its framework for cyber security and cyber resilience.
• The process of identifying, assessing, and managing cybersecurity risks associated with processes, networks, information and systems:
  1. “Identify” essential IT assets and the risks they pose and which are associated with such assets.
  2. “Protect” assets by implementing the proper controls, tools, and safeguards.
  3. “Detect” incidents, anomalies, and attacks using the proper monitoring tools and processes. 
  4. Take rapid action in response to the discovery of the event, anomaly, or attack.
  5. Recover from the incident using a framework for incident management, disaster recovery, and business continuity.
• The NCIIPC (National Critical Information Infrastructure Protection Centre) of the NTRO (National Technical Research Organization), Government of India, should be credited for the principles outlined in the report titled “Guidelines for Protection of National Critical Information Infrastructure” and any subsequent revisions.
• Portfolio Managers should appoint a senior official as the Chief Information Security Officer (CISO), whose duties include assessing, identifying, and reducing cyber security risks, responding to incidents, establishing appropriate standards and controls, and supervising the development and implementation of processes and procedures in accordance with the cyber security and cyber resilience policy approved by the Board or the Portfolio Manager’s equivalent body.
• The Board or an analogous entity of the Portfolio Manager shall establish a Technology Committee made up of knowledgeable technologists. This Technology Committee should review the cyber security and cyber resilience policy implementation on a semi-annual basis. This review should include a review of the IT, cyber resilience and cyber security capabilities currently in place, establishing goals for a target level of cyber resilience and creating a plan to improve cyber security and cyber resilience. The review must be presented to the Portfolio Manager’s Board or an equivalent entity so that appropriate action can be taken.
• The Portfolio Managers should design a reporting process to make it easier to quickly inform the CISO or senior management of unexpected activities and events.
• The aforementioned committee and the Portfolio Manager’s senior management, including the CISO, shall routinely examine incidents of cyberattacks, if any, locally and internationally, and take action to strengthen the framework for cyber security and resilience.
• To ensure the purpose of cyber security, portfolio managers should specify the duties of their workers, outsourced staff, vendors, and other entities who may have access to or use their systems or networks.

Key aspects of the Circular

Identifying the risk

Identifying the risk is crucial in protecting and tackling the cyber threat and its impact on the business. 

1. The portfolio manager must identify and categorise essential assets based on their criticality and sensitivity for company operations, services, and data management. 
2. To do this, Portfolio Manager must keep an accurate inventory of all of its hardware, software, and information assets (internal and external), as well as information on its network connections, resources, and data flows.
3. As a result, portfolio managers should evaluate the cyber risks (threats and vulnerabilities) that the company may face, as well as the likelihood of such threats and their impact on the business, and then apply controls commensurate with the criticality of the risks.
4. Portfolio managers should also push any third-party service providers, such as custodians, brokers, distributors, etc., to have the same information security standards.

Policy Framework for access control

The Securities and Exchange Board of India (SEBI) has provided the framework for access control to prevent portfolio managers from cyber threats, and they are as follows:

• No one should have an inherent right to access private information, programmes, system resources, or facilities just because of their position or rank.
• Any access to the applications, systems, networks, databases, etc., of Portfolio Manager shall only be done for particular purposes and for a specific amount of time. Access to applications, IT systems, databases, and networks should only be given to those who actually require it and in accordance with the least-privileged principle.
• Robust authentication procedures should be used to authorise such access, which should be granted only during the times when it is necessary.
• To prevent unauthorised users from accessing systems, apps, networks, and databases, the portfolio manager should set up strict password controls. 
• Portfolio managers should ensure that user access records are specifically identified and logged for audit and review reasons. Such records should be kept up to date and encrypted for at least two (2) years.
• Portfolio Managers should implement additional security procedures to monitor employees with higher levels of system access (such as admin or privileged users). 
• Account access lock policies should be put into place for all accounts after failed attempts.
• Strict supervision, monitoring, and access controls should be placed on employees and outsourced workers, such as those working for vendors or service providers, who may be granted permission to access the Portfolio Manager’s essential systems, networks, and other computer resources.
• All users who connect via online or internet facilities should utilise two-factor authentication at log-in.
• To monitor and control the use of the internet and internet-based services like social networking sites, cloud-based internet storage sites, etc., portfolio managers should create an Internet access policy.
• An appropriate “end of life” mechanism should be used to deactivate access credentials for users whose access privileges have been revoked or who are leaving the company.

Physical and Network Security management

Below are some of the points to manage physical and network security:

• Physical access to essential systems should be kept to a minimum. By making sure that, at the very least, outsourced staff or visitors are always accompanied by authorised employees, physical access of outsourced staff or visitors should be properly supervised.
• If physical access to the important systems should be immediately revoked if it is no longer needed
• The employment of security guards, CCTVs, card access systems, mantraps, bollards, etc., when applicable, should be made to ensure that the perimeter of the critical equipment rooms is physically protected and monitored.
• Portfolio managers should define baseline standards to enable consistent deployment of security configurations to operating systems, databases, network devices, and enterprise mobile devices inside the IT ecosystem. To make sure that the baseline requirements are enforced consistently, the Portfolio Manager should perform periodic enforcement inspections. The inspections should be performed at least once every year. 
• To safeguard their IT infrastructure from security exposures coming from both internal and external sources, portfolio managers should install network security tools like firewalls and intrusion detection and prevention systems.
• Servers and other computer systems should have antivirus software installed. Antivirus definition file updates and automatic antivirus scanning should be carried out often.

Hardware and software hardening

The Portfolio Managers should only deploy hardware and software that has been tested and hardened. Portfolio Managers should ensure that default passwords are changed to secure ones and that all unused services are turned off or removed from hardware and software during the hardening process.

It is advisable to block all open ports that are not in use, or that could be exploited to exploit data. It is crucial to note other open ports and take the necessary precautions to secure them.

Application Testing and Security

Portfolio managers need to make sure that testing for regression is done before a new or changed system is put into place. The tests should cover business logic, security measures, and performance of the system under various stress-load scenarios and recovery conditions.

Patch Control

Portfolio managers should implement patch management protocols and ensure they include identifying, classifying, and ranking security fixes. An implementation schedule for each category should be set to implement security patches in a timely manner.

To ensure that the application of security patches does not have an adverse effect on other systems, portfolio managers should rigorously test security patches before deploying them into the production environment. 

Vulnerability Assessment and Penetration Testing (VAPT)

Portfolio managers are required to undertake the Vulnerability Assessment and Penetration Testing (VAPT) in the following manner:

• Portfolio Managers must perform routine VAPTs, among other things, on critical assets and infrastructure parts, such as servers, networking systems, security devices, load balancers, and other IT systems related to their work as a portfolio manager, in order to identify security flaws in the IT environment and perform an in-depth assessment of the security posture of the system through simulations of actual cyber attacks on its systems.
• Portfolio Managers are required to undertake VAPT at least once in a financial year. However, VAPT must be carried out at least twice every fiscal year for Portfolio Managers whose systems have been designated as “protected systems” by the (NCIIPC) National Critical Information Infrastructure Protection Center under the Information Technology (IT) Act, 2000^[1]. Also, for conducting VAPT, all Portfolio Managers must only work with businesses that have been empanelled by the (CERT-In) Indian Computer Emergency Response Team.
• After receiving clearance from the Technology Committee of the appropriate Portfolio Manager, the final report on the aforementioned VAPT must be submitted to SEBI within a month of the VAPT activity’s conclusion.
• Any flaws or vulnerabilities found must be fixed right away, and compliance with the findings from the VAPT must be reported to SEBI within three months of the final VAPT report’s submission.
• In addition, before activating a new system that is a critical system or a component of an existing critical system, Portfolio Managers must do penetration testing and vulnerability scanning.

Response and Recovery

To identify the steps needed to stop the spread of a cyber-attack or breach, lessen its impact, and end the issue, warnings generated by monitoring and detecting systems should be thoroughly studied, including their impact and forensic investigation.

The goal of the Portfolio Manager’s response and recovery strategy should be the prompt restoration of systems damaged by events of cyberattacks or breaches. The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for portfolio managers should be no longer than 4 hours and 30 minutes, respectively.

In the event of cyberattacks or a breach of the cyber security system, the response plan should outline the duties and procedures that must be carried out by the company’s employees, support personnel, and external staff.

Any instance of data loss or system destruction should be carefully investigated, and any lessons acquired from such instances should be applied to increase security measures and enhance recovery processes.

Portfolio Managers should also carry out appropriate exercises on a regular basis to evaluate the sufficiency and efficacy of the response and recovery plan.

Sharing of information

All cyber-attacks, threats, events, and breaches that Portfolio Managers experience must be notified to SEBI within six hours of becoming aware of them or having them brought to their attention. The incident must also be reported to CERT-In in accordance with the rules and instructions that the organisation issues from time to time. The Portfolio Manager must also notify NCIIPC of the occurrence if their systems have been designated as “protected systems” by NCIIPC. 

The quarterly reports must be submitted to SEBI within fifteen days of the quarters ending in June, September, December, and March of each year. These reports include information on cyber-attacks, threats, cyber-incidents, and breaches experienced by Portfolio Managers as well as measures taken to mitigate vulnerabilities, threats, and attacks. They also include information on bugs, vulnerabilities, and threats that may be helpful for other Portfolio Managers. 

Details that are deemed helpful for anonymised distribution with other portfolio managers must be shared using a mechanism that SEBI will periodically describe. 

Conclusion

To conclude, maintaining a robust cyber security and cyber resilience framework to ensure data integrity and prevent privacy breaches is necessary for the modern technological environment. To protect the investor’s interests in the security market, to promote the development and to regulate the securities market, this circular is being issued in accordance with the authority granted under Section 11(1) of the Securities and Exchange Board of India Act (SEBI), 1992, as read with Regulation 43 of the SEBI (Portfolio Managers) Regulations, 2020.

Also Read:
What is the Difference Between Cyber Security and Data Security?
Cybersecurity in Digital Banking: Threats, Challenges and Solution

1680091655431