Data Protection Laws

Key Aspects of Cyber Security and Cyber Resilience Framework for Portfolio Managers

The technological advancement of the securities market has increased the need for robust cyber security and cyber resilience framework in India. Cyber attacks and threats compromise the confidentiality, integrity, and availability (CIA) of computer systems, networks, and databases. Cyber security means the measures, tools, and processes used to prevent cyber attacks and threats. Cyber resilience means the ability of an organization to prepare and respond to cyber-attack and to continue its operations during its recovery from cyber attacks.

In this regard, SEBI introduced Circular No. SEBI/HO/IMD/IMD-PoD-1/P/CIR/2023/046 (the Circular) dated 29^th March 2023. This circular intends to protect the integrity of data and safeguard against privacy breaches. It also aims to provide facilities and services essential to perform as a Portfolio Manager in the securities market. The Circular is intended to come into force from 1^st October 2023. Meanwhile, the Portfolio Managers are required to take steps for implementing the circular and ensure its compliance. Let’s understand the key aspects of this Circular on Cyber Security and Cyber Resilience Framework.

What are the key aspects of the Cyber Security and Cyber Resilience Framework?

1. Governance

For proper governance of cyber security and cyber resilience framework, the portfolio managers have to formulate a comprehensive policy document based on the framework provided in the circular. The policy document so formulated will have to be approved by SEBI or an equivalent body of the Portfolio Manager on an annual basis to strengthen and improve the cyber security and cyber resilience framework. The Policy Document should include the following processes:

• identification of critical IT assets and risks associated with them;
• Protection of assets by deploying suitable control, tools, and measures;
• Detection of incidents, anomalies, and attacks through appropriate monitoring tools or processes.
• Response by taking quick steps after identification of the incident, anomaly, or attack;
• Recovery from an incident applying incident management, disaster recovery, and business continuity framework.

Appointments to govern the Cyber Security and Cyber Resilience Framework

• Chief Information Security Officer (CISO)

Portfolio Managers will have to designate a senior official as CISO to assess, identify and reduce cyber security risks, establish appropriate standards and controls, respond to incidents, and direct the establishment and implementation of the process and procedures.

• Technology Committee

SEBI^[1] or an equivalent body of Portfolio Managers will constitute Technology Committee. The task of this committee is to review the implementation of the cyber security and cyber resilience policy on a half-yearly basis. The review process of this committee should include the current IT and cyber security and cyber resilience capabilities, measures to improve and strengthen cyber security and cyber resilience, and set goals for a target level of cyber resilience.

2. Identify

Portfolio Managers are responsible to identify and classify critical assets depending on their sensitivity and criticality. SEBI or an equivalent body of Portfolio Managers shall approve the list of critical assets. Portfolio Managers are also responsible to maintain an up-to-date inventory of hardware and systems, software and information assets, details of its network resources, data flows, and connections of its networks. It is the Portfolio Managers who have to identify the cyber risks and threats and their possible impact on the business and deploy controls to minimize the criticality. Portfolio Managers should encourage third-party service providers like Brokers, Custodians, Distributors, etc to follow similar standards of Information Security.

3. Protection

• Access Control

The access to portfolio manager’s system shall be restricted to defined purposes and a defined period. No person will have an intrinsic right to access confidential data, applications, system resources, or facilities. The access should be granted on a need-to-need basis based on the principle of least privilege. Strong password controls should be implemented for users to access applications, databases, networks, and systems. Additionally, the record of the users should be uniquely identified and logged in for audit and review and should be stored for not less than 2 years. Additional control and security measures must be deployed to supervise staff about the elevated system access entitlements. Account access lock policies should be available for all accounts which make failure attempts. Further, a two-step log-in process should be implemented for all users who connect online or via the internet. For this purpose, the portfolio managers should formulate an Internet access policy for monitoring and regulating the use of Internet and Internet-based services. A proper ‘end of life’ mechanism should be provided to users who are leaving the organization or whose access has been withdrawn.

• Physical Security

Minimum physical access should be granted to critical systems and should be properly supervised. It must be ensured that the outsourced staff or visitors are accompanied by authorized employees at all times. The critical equipment rooms should be physically secured and monitored by employing physical, human, and procedural controls.

• Network Security Management

A Baseline standard should be established by Portfolio Managers to facilitate consistent application of security configurations for operating systems, databases, network devices, and mobile devices of the enterprise within the IT environment. Network Security Devices should be installed to protect the IT infrastructure from security exposures originating and anti-virus software should be installed on every server and computer system.

• Data Security

Data in any form should be encrypted using strong encryption methods. Measures should be taken by portfolio managers to prevent unauthorized access or copying or transmission of data held in a fiduciary or contractual capacity. All measures should be taken to ensure that the confidentiality of the information is not compromised at the time of exchange or transfer of data. Only authorized data should be stored through an appropriate validation process.

• Hardware and Software Hardening

Portfolio Managers should deploy only hardened or vetted hardware. Hardening is a process where the default passwords are replaced with strong passwords, and unnecessary services are removed or disabled from the equipment or software. All open ports not in use or that can be used for exploitation should be blocked. Open ports which are in use should be monitored, and appropriate measures should be taken to secure these ports.

• Application Security and Testing

It must be ensured portfolio managers that regression testing is undertaken before implementing the new or modified system. The test should cover the business logic, security controls, and system performance under different stressful scenarios and recovery conditions.

• Patch Management

The Patch Management system ensures the identification, categorization, and prioritization of security patches. It is the responsibility of the portfolio managers to ensure that patch management procedures are established. Rigorous testing of security patches should be done before deploying into the production environment. This will ensure that the application of patches does not impact other systems.

• Disposal of systems and storage devices

A suitable policy should be framed by portfolio managers for the disposal of storage media and systems. Before disposal, the data and information on such devices should be removed.

• Vulnerability Assessment and Penetration Testing (VAPT)

Periodic VAPT should be conducted by portfolio managers of the activities carried out by the portfolio manager, etc. This will help detect security vulnerabilities in the IT environment and ensure an in-depth evaluation of the security posture of the system. VAPT should be conducted at least once a financial year. Any gaps or vulnerabilities detected should be remedied immediately and a compliance report should be submitted within 3 months from the submission of the final VAPT report. Vulnerability scanning and penetration testing should be conducted before commissioning a new system.

4. Monitoring & Detection

A proper monitoring mechanism should be established to facilitate continuous monitoring of security events, timely detection of unauthorized or malicious activity; unauthorized access, changes, or copying; transmission of data or information held in a contractual or fiduciary capacity by internal or external parties. In cases of detection of unauthorized or abnormal activities, suitable alerts should be generated. High resilience and timely detection of attacks on systems can be ensured only by implementing suitable mechanisms to monitor the capacity utilization of critical systems.

5. Response and Recovery

Any alert should be properly investigated and forensic analysis should be conducted. This will help determine the activities which should be undertaken to prevent the expansion of the cyber attack breach, mitigate it, and then eradicate the incident. The response and recovery plan should aim at the timely restoration of systems affected by the cyber attack. The responsibilities and actions of the employees should be clearly defined in the response plan. Portfolio managers should have a Recovery Time Objective (RTO) of not more than 4 hours and a Recovery Point Objective (RPO) of not more than 30 minutes. The cyber attack incident should be thoroughly analyzed and lessons learned should be used to strengthen the security mechanism and improve recovery planning and process. Periodic drills should be conducted by portfolio managers to test the adequacy and effectiveness of the response and recovery plan.

6. Information Sharing

The information regarding cyber attacks, threats, and breaches should be reported by the Portfolio Manager to SEBI within 6 hours of such incident and to CERT-In. If the Portfolio Managers system has been identified as a “protected system” by NCIIPC, then it should also be informed. Further, a quarterly report containing information about the incident and informing about the measures taken to mitigate the threats or attacks should be informed to SEBI within 15 days from the end of the quarter. Any other information which the portfolio manager considers useful for sharing in a masked or anonymous manner should be shared in a manner as may be specified by SEBI from time to time.

7. Training

Periodic training should be conducted by the Portfolio Managers to enhance the awareness among employees, outsourced staff, etc; on IT and Cyber security policy and standards with a special focus on staff from non-technical disciplines. The content of the training program should be reviewed and updated to ensure it is current and relevant.

8. Periodic Audit

An annual audit of the system should be arranged by Portfolio Managers. The audit should be conducted by a qualified and independent CISA or CISM or CERT-IN empanelled auditor to ensure compliance with all criteria. In this regard, a report should be submitted to SEBI within 3 months of the end of the financial year.

9. Service Providers or vendors

Portfolio managers outsource many critical activities to different service providers and agencies. The portfolio manager is responsible, accountable, and owner of the outsourced activities therefore, proper monitoring mechanisms and framework should be there to ensure all requirements are complied with. A period report regarding this should be submitted to SEBI highlighting critical activities handled by the agencies and certifying that the above requirement is complied with.

Conclusion

With technological advancement, the instances of cyber attacks and cyber threats have increased hence, the demand for cyber security and cyber resilience has also increased. The introduction of this circular is a step to have cyber security and cyber resilience for Portfolio Managers. Portfolio managers have to follow this framework while providing essential facilities and critical functions. This will protect the integrity of the data and also prevent any breach of privacy. 

Read our Article: Data Protection in Financial Sector – A Complete Analysis