
SEBI modifies cyber security framework for Mutual Funds/ AMCs


On 9th June 2022, the Securities and Exchange Board of India (SEBI) issued circular number SEBI/HO/IMD/IMD-I/DOF2/P/CIR/2022/81, modifying the cyber resilience and cyber security framework for Mutual Funds and Asset Management Companies (AMCs). SEBI has mandated these entities to conduct a comprehensive cyber security audit at least two times in a financial year. Along with the audit report, the Mutual Funds and Asset Management Companies have also been mandated to submit to the stock exchanges and depositories, respectively, a declaration from their Managing Director and Chief Executive Officer certifying compliance with all the guidelines and advisories related to cyber security issued by SEBI from time to time.

Who are the players to whom the circular on modified cyber security framework for Mutual Funds and Asset Management Companies is applicable?

The Circular titled “Modification in Cyber resilience and Cyber Security framework for Mutual Funds / Asset Management Companies” is applicable to the following entities:

  1. All the Mutual Funds
  2. All the Asset Management Companies (AMCs)
  3. All the Trustee Companies/ Boards of Trustees of Mutual Funds
  4. The Association of Mutual Funds of India (AMFI)

Highlights of the Circular on modified cyber security framework for Mutual Funds and Asset Management Companies  

Identification and classification of critical assets

The Mutual Funds and Asset Management Companies need to identify and classify critical assets based on the sensitivity and criticality of the services, business operations and data management. Other critical assets include business-critical systems, systems containing sensitive data, sensitive financial data, sensitive personal data, personally identifiable information, internet-facing applications etc.


All other auxiliary systems that connect to or communicate with the critical systems, whether for maintenance or operations, have also been designated as critical assets.

Responsibilities of the Board of Mutual Funds/ Asset Management Companies

It is the responsibility of the board of the Mutual Funds and Asset Management Companies to approve the list of critical assets.

For this purpose, the Mutual Funds and Asset Management Companies are supposed to prepare an up-to-date inventory of their hardware and systems, software and information assets, details of their network issues, connections to their network and data flow.

Conducting VAPT

The Mutual Funds and Asset Management Companies also need to conduct Vulnerability Assessment and Penetration Tests (VAPT) that cover critical assets and infrastructure components. The aim is to detect security vulnerabilities in the IT environment and to carry out an in-depth assessment of the security infrastructure of the systems through simulations of real attacks on the systems and networks.

All the Asset Management Companies are supposed to carry out VAPT at least once in a financial year. However, where the systems of Mutual Funds and Asset Management Companies have been identified as “Protected systems” by the National Critical Information Infrastructure Protection Centre (NCIIPC), VAPT has to be conducted two times in a financial year.

It must be noted that, for the purpose of conducting VAPT, only organizations that have been empanelled by CERT-In can be engaged.

Within a month of the completion of the VAPT, a report has to be submitted to SEBI after approval of the technology committee of the respective Mutual Funds and Asset Management Companies.


The gaps and vulnerabilities identified in the VAPT results are supposed to be remedied on an immediate basis, and compliance of closure of the findings identified during the VAPT has to be submitted to the Mutual Funds and Asset Management Companies within a period of three months after the submission of the final VAPT report.

Mutual Funds/ Asset Management Companies to conduct cyber audit two times in a financial year

SEBI has mandated that all the Mutual Funds and Asset Management Companies conduct a comprehensive cyber security audit at least two times in a financial year, and the audit report so generated shall be submitted to the Stock Exchanges and Depositories, respectively.

Apart from the audit report, all the Mutual Funds and Asset Management Companies are also supposed to submit to the Stock Exchanges and Depositories a declaration from the Managing Director or the Chief Executive Officer certifying compliance with all the SEBI Circulars and advisories related to cyber security issued from time to time.

Both the Mutual Funds and Asset Management Companies are also supposed to take necessary steps to put in place systems for the implementation of the particulars of this Circular. They are also asked to make modifications in their internal policies to implement this Circular.

Date of coming into effect

The provisions of this Circular shall come into effect from 15th July 2022 itself, and all the Mutual Funds and Asset Management Companies need to comply with the modified cyber security framework according to the prescribed modifications.


Conclusion

This Circular on extension modification in the cyber security framework for Stock Brokers and Depository Participants has been issued in exercise of the powers conferred on SEBI under section 11(1) of the SEBI Act, 1992 read with Regulation 77 of the SEBI (Mutual Funds) Regulation, 1996, with a view to protect the interests of investors in securities and also to promote the development of, and regulate, the securities market.
