On 9th June 2022, the Securities and Exchange Board of India (SEBI) issued circular number SEBI/HO/IMD/IMD-I/DOF2/P/CIR/2022/81, modifying the cyber resilience and cyber security framework for Mutual Funds and Asset Management Companies (AMCs). SEBI has mandated these entities to conduct a comprehensive cyber security audit at least two times in a financial year. Along with the audit report, the Mutual Funds and Asset Management Companies have also been mandated to submit to the stock exchanges and depositories, respectively, a declaration from their Managing Director and Chief Executive Officer certifying compliance with all the guidelines and advisories related to cyber security issued by SEBI from time to time.
Who are the players to whom the circular on modified cyber security framework for Mutual Funds and Asset Management Companies is applicable?
The Circular titled “Modification in Cyber resilience and Cyber Security framework for Mutual Funds / Asset Management Companies” is applicable to the following entities:
Identification and classification of critical assets
The Mutual Funds and Asset Management Companies need to identify and classify critical assets based on the sensitivity and criticality of the services, business operations and data management. Other critical assets include business critical systems, systems containing sensitive data, sensitive financial data, sensitive personal data, personally identifiable information, internet facing applications etc.
All the other auxiliary systems that connect to or communicate with the critical systems, be it maintenance or operations, have been designated as critical assets.
Responsibilities of the Board of Mutual Funds/ Asset Management Companies
It is the responsibility of the board of the Mutual Funds and Asset Management Companies to approve the list of critical assets.
For this purpose, the Mutual Funds and Asset Management Companies are supposed to prepare an up-to-date inventory of their hardware and systems, software and information assets, details of their network issues, connections to their network and data flows.
The Mutual Funds and Asset Management Companies also need to conduct Vulnerability Assessment and Penetration Tests (VAPT) that include critical assets and infrastructure components, with a view to detecting security vulnerabilities in the IT environment and carrying out an in-depth assessment of the security infrastructure of the systems through simulations of real attacks on the systems and networks.
All the Asset Management Companies are supposed to carry out VAPT at least once in a financial year. However, where the systems of Mutual Funds and Asset Management Companies have been identified as “Protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC), VAPT has to be conducted two times in a financial year.
It must be noted that, for the purpose of conducting VAPT, only CERT-In empanelled organizations can be engaged.
Within a month of the completion of the VAPT, a report has to be submitted to SEBI after approval of the technology committee of the respective Mutual Funds and Asset Management Companies.
The gaps and vulnerabilities identified in the VAPT are supposed to be remedied on an immediate basis, and compliance of closure of the findings identified during the VAPT has to be submitted to the Mutual Funds and Asset Management Companies within a period of three months after the submission of the final VAPT report.
Mutual Funds/ Asset Management Companies to conduct cyber audit two times in a financial year
SEBI has mandated that all the Mutual Funds and Asset Management Companies conduct a comprehensive cyber security audit at least two times in a financial year, and the audit report so generated shall be submitted to the Stock Exchanges and Depositories, respectively.
Apart from the audit report, all the Mutual Funds and Asset Management Companies are also supposed to submit to the Stock Exchanges and Depositories a declaration from the Managing Director or the Chief Executive Officer certifying compliance with all the SEBI Circulars and advisories related to cyber security issued from time to time.
Both the Mutual Funds and Asset Management Companies are also supposed to take necessary steps to put in place systems for the implementation of the particulars of this Circular. They are also asked to make modifications in their internal policies to implement this Circular.
The provisions of this Circular shall come into effect from 15th July 2022 itself and all the Mutual Funds and Asset Management Companies need to comply with modified cyber security framework according to the prescribed modifications.
This Circular on extension modification in the cyber security framework for Stock Brokers and Depository Participants has been issued in exercise of the powers conferred on SEBI under section 11(1) of the SEBI Act, 1992 read with Regulation 77 of the SEBI (Mutual Funds) Regulation, 1996, with a view to protecting the interests of investors in securities and also to promoting the development of, and regulating, the securities market.
Prabhat has done his BA LLB (Hons) and has been writing research papers since his law school days. His interest in content writing made him pursue a career in legal research and content writing. His core areas of interest are indirect taxes, finance and real estate.