SEBI modifies cyber security framework for Mutual Funds/ AMCs

On 9th June 2022, the Securities and Exchange Board of India (SEBI) issued circular number SEBI/HO/IMD/IMD-I/DOF2/P/CIR/2022/81, modifying the cyber resilience and cyber security framework for Mutual Funds and Asset Management Companies (AMCs). SEBI has mandated these entities to conduct a comprehensive cyber security audit at least two times in a financial year. Along with the audit report, the Mutual Funds and Asset Management Companies have also been mandated to submit to the stock exchanges and depositories, respectively, a declaration from their Managing Director and Chief Executive Officer certifying their compliance with all the guidelines and advisories related to cyber security issued by SEBI from time to time.

Who are the players to whom the circular on modified cyber security framework for Mutual Funds and Asset Management Companies is applicable?

The Circular titled “Modification in Cyber resilience and Cyber Security framework for Mutual Funds[1] / Asset Management Companies” is applicable to the following entities:

  1. All the Mutual Funds
  2. All the Asset Management Companies (AMCs)
  3. All the Trustee Companies/ Boards of Trustees of Mutual Funds
  4. The Association of Mutual Funds of India (AMFI)

Highlights of the Circular on modified cyber security framework for Mutual Funds and Asset Management Companies  

Identification and classification of critical assets

The Mutual Funds and Asset Management Companies need to identify and classify critical assets based on the sensitivity and criticality of the services, business operations and data management. Other critical assets include business critical systems, systems containing sensitive data, sensitive financial data, sensitive personal data, personally identifiable information, internet facing applications etc.

All other auxiliary systems that connect to or communicate with the critical systems, whether for maintenance or operations, have also been designated as critical assets.

Responsibilities of the Board of Mutual Funds/ Asset Management Companies

It is the responsibility of the board of the Mutual Funds and Asset Management Companies to approve the list of critical assets.

For this purpose, the Mutual Funds and Asset Management Companies are supposed to prepare an up-to-date inventory of their hardware and systems, software and information assets, details of their network issues, connections to their network and data flow.

Conducting VAPT

The Mutual Funds and Asset Management Companies also need to conduct Vulnerability Assessment and Penetration Tests (VAPT) that include critical assets and infrastructure components, with a view to detecting security vulnerabilities in the IT environment and carrying out an in-depth assessment of the security infrastructure of the systems through simulations of real attacks on the systems and networks.

All the Asset Management Companies are supposed to carry out VAPT at least once in a financial year. However, where the systems of Mutual Funds and Asset Management Companies have been identified as “Protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC), VAPT must be conducted two times in a financial year.

It must be noted that, for the purpose of conducting VAPT, only organizations that are CERT-In empanelled can be engaged.

Within a month of the completion of the VAPT, a report has to be submitted to SEBI after approval of the technology committee of the respective Mutual Funds and Asset Management Companies.

The gaps and vulnerabilities identified from the results of the VAPT are supposed to be remedied on an immediate basis, and compliance of closure of the findings identified during the VAPT has to be submitted to the Mutual Funds and Asset Management Companies within a period of three months after the submission of the final VAPT report.

Mutual Funds/ Asset Management Companies to conduct cyber audit two times in a financial year

SEBI has mandated that all the Mutual Funds and Asset Management Companies conduct a comprehensive cyber security audit at least two times in a financial year, and the audit report so generated shall be submitted to the Stock Exchanges and Depositories, respectively.

Apart from the audit report, all the Mutual Funds and Asset Management Companies are also supposed to submit to the Stock Exchanges and Depositories a declaration from the Managing Director or the Chief Executive Officer certifying compliance with all the SEBI Circulars and advisories related to cyber security issued from time to time.

Both the Mutual Funds and Asset Management Companies are also supposed to take necessary steps to put in place systems for the implementation of the particulars of this Circular. They are also asked to make modifications in their internal policies to implement this Circular.

Date of coming into effect

The provisions of this Circular shall come into effect from 15th July 2022 itself, and all the Mutual Funds and Asset Management Companies need to comply with the modified cyber security framework according to the prescribed modifications.

Conclusion

This Circular on extension modification in the cyber security framework for Stock Brokers and Depository Participants has been issued in exercise of the powers conferred on SEBI under section 11(1) of the SEBI Act, 1992 read with Regulation 77 of the SEBI (Mutual Funds) Regulation, 1996, with a view to protecting the interests of investors in securities and to promoting the development of, and regulating, the securities market.

Prabhat Nigam

Prabhat has done his BA LLB (Hons) and has been writing research papers since his law school days. His interest in content writing made him pursue a career in legal research and content writing. His core areas of interest are indirect taxes, finance and real estate.
