SEBI has issued an enhanced cyber security framework for mutual funds. The regulator has asked fund houses to report cyber-attacks, threats and any other cyber incidents or breaches to SEBI within 6 hours of detection.
"The incident shall also be reported to CERT-In. Mutual funds whose systems have been identified as 'protected system' by NCIIPC, shall also report the incident to NCIIPC," the regulator said in a circular.
CERT-In and NCIIPC are government agencies. While CERT-In is the nodal agency to deal with cyber security threats like hacking and phishing, NCIIPC is tasked with identifying and protecting the country's critical information infrastructure.
Moreover, mutual funds now have to compulsorily conduct a 'Vulnerability Assessment' of critical technological components at least once a year. Mutual funds whose systems have been identified as 'protected system' by the government agency NCIIPC will have to conduct the assessment at least twice a year.
In addition, they can hire only a CERT-In empanelled company for the assessment.
The new guidelines will come into effect from July 15, 2022.
Other key guidelines:
- Mutual funds have to conduct a comprehensive cyber audit at least twice every financial year.
- They have to submit quarterly reports to SEBI containing information on cyber-attacks, threats, cyber-incidents, and breaches experienced by the company.
- Also, the quarterly report should include measures taken to mitigate vulnerabilities, threats and attacks including information on bugs/vulnerabilities/threats. SEBI said such information can be useful for other AMCs.