The technological advancement of the securities market has increased the need for a robust cyber security and cyber resilience framework in India. Cyber attacks and threats compromise the confidentiality, integrity, and availability (CIA) of computer systems, networks, and databases. Cyber security means the measures, tools, and processes used to prevent cyber attacks and threats. Cyber resilience means the ability of an organization to prepare for and respond to a cyber attack and to continue its operations while it recovers from the attack.
In this regard, SEBI introduced Circular No. SEBI/HO/IMD/IMD-PoD-1/P/CIR/2023/046 (the Circular) dated 29th March 2023. The Circular is intended to protect the integrity of data and safeguard against privacy breaches. It also aims to protect the facilities and services essential to performing as a Portfolio Manager in the securities market. The Circular comes into force from 1st October 2023. Meanwhile, Portfolio Managers are required to take steps to implement the Circular and ensure compliance with it. Let’s understand the key aspects of this Circular on the Cyber Security and Cyber Resilience Framework.
1. Governance
For proper governance of the cyber security and cyber resilience framework, Portfolio Managers have to formulate a comprehensive policy document based on the framework provided in the Circular. The policy document so formulated will have to be approved by SEBI or an equivalent body of the Portfolio Manager on an annual basis to strengthen and improve the cyber security and cyber resilience framework. The policy document should include the following processes:
Portfolio Managers will have to designate a senior official as CISO to assess, identify and reduce cyber security risks, establish appropriate standards and controls, respond to incidents, and direct the establishment and implementation of the processes and procedures.
SEBI or an equivalent body of the Portfolio Manager will constitute a Technology Committee. The task of this committee is to review the implementation of the cyber security and cyber resilience policy on a half-yearly basis. The review should cover the current IT, cyber security and cyber resilience capabilities, the measures needed to improve and strengthen cyber security and cyber resilience, and the goals set for a target level of cyber resilience.
2. Identify
Portfolio Managers are responsible for identifying and classifying critical assets according to their sensitivity and criticality. SEBI or an equivalent body of the Portfolio Manager shall approve the list of critical assets. Portfolio Managers are also responsible for maintaining an up-to-date inventory of hardware and systems, software and information assets, details of their network resources, data flows, and connections of their networks. It is the Portfolio Managers who have to identify cyber risks and threats and their possible impact on the business, and deploy controls to minimize the criticality. Portfolio Managers should encourage third-party service providers such as Brokers, Custodians, Distributors, etc., to follow similar standards of Information Security.
3. Protection
Access to the Portfolio Manager’s systems shall be restricted to defined purposes and a defined period. No person will have an intrinsic right to access confidential data, applications, system resources, or facilities. Access should be granted on a need-to-know basis in line with the principle of least privilege. Strong password controls should be implemented for users accessing applications, databases, networks, and systems. Additionally, each user should be uniquely identified and their activity logged for audit and review, and these records should be stored for not less than 2 years. Additional controls and security measures must be deployed to supervise staff holding elevated system access entitlements. Account lockout policies should be in place for all accounts on failed login attempts. Further, a two-step log-in process should be implemented for all users who connect online or via the Internet. For this purpose, Portfolio Managers should formulate an Internet access policy for monitoring and regulating the use of the Internet and Internet-based services. A proper ‘end of life’ mechanism should be in place for users who are leaving the organization or whose access has been withdrawn.
Minimum physical access should be granted to critical systems and should be properly supervised. It must be ensured that the outsourced staff or visitors are accompanied by authorized employees at all times. The critical equipment rooms should be physically secured and monitored by employing physical, human, and procedural controls.
A baseline standard should be established by Portfolio Managers to facilitate consistent application of security configurations for operating systems, databases, network devices, and mobile devices of the enterprise within the IT environment. Network security devices should be installed to protect the IT infrastructure from security exposures, and anti-virus software should be installed on every server and computer system.
Data in any form should be encrypted using strong encryption methods. Measures should be taken by portfolio managers to prevent unauthorized access or copying or transmission of data held in a fiduciary or contractual capacity. All measures should be taken to ensure that the confidentiality of the information is not compromised at the time of exchange or transfer of data. Only authorized data should be stored through an appropriate validation process.
Portfolio Managers should deploy only hardened or vetted hardware. Hardening is a process where the default passwords are replaced with strong passwords, and unnecessary services are removed or disabled from the equipment or software. All open ports not in use or that can be used for exploitation should be blocked. Open ports which are in use should be monitored, and appropriate measures should be taken to secure these ports.
Portfolio Managers must ensure that regression testing is undertaken before implementing a new or modified system. The tests should cover the business logic, the security controls, and system performance under different stress scenarios and recovery conditions.
The Patch Management system ensures the identification, categorization, and prioritization of security patches. It is the responsibility of the portfolio managers to ensure that patch management procedures are established. Rigorous testing of security patches should be done before deploying into the production environment. This will ensure that the application of patches does not impact other systems.
A suitable policy should be framed by portfolio managers for the disposal of storage media and systems. Before disposal, the data and information on such devices should be removed.
Portfolio Managers should conduct periodic Vulnerability Assessment and Penetration Testing (VAPT) of the systems supporting their activities. This helps detect security vulnerabilities in the IT environment and gives an in-depth evaluation of the security posture of the systems. VAPT should be conducted at least once every financial year. Any gaps or vulnerabilities detected should be remedied immediately, and a compliance report should be submitted within 3 months of the submission of the final VAPT report. Vulnerability scanning and penetration testing should also be conducted before commissioning a new system.
4. Monitoring & Detection
A proper monitoring mechanism should be established to facilitate continuous monitoring of security events and timely detection of unauthorized or malicious activity, including unauthorized access, changes, copying or transmission of data or information held in a contractual or fiduciary capacity, whether by internal or external parties. When unauthorized or abnormal activities are detected, suitable alerts should be generated. Suitable mechanisms to monitor the capacity utilization of critical systems should also be implemented, since this is what allows high resilience and timely detection of attacks on those systems.
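The lockout requirement in the Protection section and the alerting requirement here can be checked against the same audit trail. Below is an added example, not code from the Circular or from any vendor: it replays constructed authentication log lines (format, thresholds and user names are assumptions), locks accounts after repeated failures, and raises an alert when a success follows a run of failures that should already have tripped the lockout.

```python
"""Lockout and alerting over constructed authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; the format is an assumption for this example.
SAMPLE_LOG = """\
2023-10-02T09:00:01 user=analyst1 src=10.0.0.5 result=FAIL
2023-10-02T09:00:09 user=analyst1 src=10.0.0.5 result=FAIL
2023-10-02T09:00:15 user=analyst1 src=10.0.0.5 result=FAIL
2023-10-02T09:00:21 user=analyst1 src=10.0.0.5 result=FAIL
2023-10-02T09:00:30 user=analyst1 src=10.0.0.5 result=FAIL
2023-10-02T09:00:41 user=analyst1 src=10.0.0.5 result=SUCCESS
2023-10-02T09:05:00 user=ops2 src=10.0.0.9 result=FAIL
2023-10-02T09:05:30 user=ops2 src=10.0.0.9 result=SUCCESS
2023-10-02T11:00:00 user=analyst1 src=10.0.0.5 result=FAIL
"""

# Thresholds are assumptions: the Circular requires a lockout policy but sets no numbers.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=15)


def parse_line(line):
    """Split 'timestamp key=value ...' into (time, user, source, result)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["user"], kv["src"], kv["result"]


def evaluate(log_text):
    """Return (locked_users, alerts).

    A user is locked once MAX_FAILURES failures fall inside WINDOW with no
    success in between. An alert is raised when a SUCCESS is seen for a user
    already past the lockout threshold: that login should not have been possible
    if the lockout policy were enforced, so it needs investigation."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    locked = set()
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, src, result = parse_line(line)
        recent = [t for t in failures[user] if ts - t <= WINDOW]  # drop stale failures
        if result == "FAIL":
            recent.append(ts)
            failures[user] = recent
            if len(recent) >= MAX_FAILURES:
                locked.add(user)
        else:
            if user in locked:
                alerts.append(f"{ts.isoformat()} {user} from {src}: success after lockout threshold")
            failures[user] = []        # a successful login resets the failure run
    return locked, alerts
```

In the constructed sample, analyst1 is locked after the fifth failure and the following success produces one alert; ops2 never reaches the threshold.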
5. Response and Recovery
Any alert should be properly investigated and forensic analysis should be conducted. This helps determine the actions needed to contain the cyber attack or breach, mitigate it, and then eradicate the incident. The response and recovery plan should aim at the timely restoration of systems affected by the cyber attack. The responsibilities and actions of employees should be clearly defined in the response plan. Portfolio Managers should have a Recovery Time Objective (RTO) of not more than 4 hours and a Recovery Point Objective (RPO) of not more than 30 minutes. Each cyber attack incident should be thoroughly analyzed, and the lessons learned should be used to strengthen the security mechanisms and improve the recovery planning and process. Periodic drills should be conducted by Portfolio Managers to test the adequacy and effectiveness of the response and recovery plan.
6. Information Sharing
Information regarding cyber attacks, threats, and breaches should be reported by the Portfolio Manager to SEBI within 6 hours of such an incident, and also to CERT-In. If the Portfolio Manager’s system has been identified as a “protected system” by NCIIPC, then NCIIPC should also be informed. Further, a quarterly report containing information about the incidents and the measures taken to mitigate the threats or attacks should be submitted to SEBI within 15 days from the end of the quarter. Any other information which the Portfolio Manager considers useful for sharing in a masked or anonymous manner should be shared in the manner specified by SEBI from time to time.
7. Training
Periodic training should be conducted by Portfolio Managers to enhance awareness among employees, outsourced staff, etc., of the IT and cyber security policy and standards, with a special focus on staff from non-technical disciplines. The content of the training program should be reviewed and updated to ensure it remains current and relevant.
8. Periodic Audit
An annual audit of the systems should be arranged by Portfolio Managers. The audit should be conducted by a qualified and independent CISA- or CISM-certified or CERT-In empanelled auditor to ensure compliance with all the criteria. The audit report should be submitted to SEBI within 3 months of the end of the financial year.
9. Service Providers or vendors
Portfolio Managers outsource many critical activities to different service providers and agencies. The Portfolio Manager remains responsible and accountable for, and the owner of, the outsourced activities; therefore, a proper monitoring mechanism and framework should be in place to ensure all requirements are complied with. A periodic report should be submitted to SEBI highlighting the critical activities handled by these agencies and certifying that the above requirement is complied with.
With technological advancement, instances of cyber attacks and cyber threats have increased; hence, the demand for cyber security and cyber resilience has also increased. The introduction of this Circular is a step towards cyber security and cyber resilience for Portfolio Managers. Portfolio Managers have to follow this framework while providing essential facilities and critical functions. This will protect the integrity of data and also prevent breaches of privacy.