SEBI has issued a cyber security and cyber resilience framework for portfolio managers with an AUM of Rs. 3,000 crore or more.
“With rapid technological advancement in the securities market, there is a greater need for maintaining robust cyber security and to have a cyber-resilience framework to protect the integrity of data and guard against breaches of privacy,” said the regulator.
SEBI clarified that discretionary and non-discretionary portfolio management services as on the last date of the previous calendar month are to be taken together for calculating the AUM.
It further clarified that the guidelines shall be effective from October 1, 2023, and directed the Association of Portfolio Managers in India (APMI) to furnish activity-wise implementation timelines and progress on a bi-monthly basis.
The framework suggests a five-point process to identify, assess and manage cyber security risks associated with processes, information, networks, and systems:
- Identify critical IT assets and risks associated with such assets
- Protect assets by deploying suitable controls, tools, and measures
- Detect incidents, anomalies, and attacks through appropriate monitoring tools/processes
- Respond by taking immediate steps after identification of the incident, anomaly, or attack
- Recover from incidents through incident management, disaster recovery, and business continuity framework
Additionally, SEBI has laid down timelines for notifying cyber-attacks and has asked portfolio managers to submit quarterly reports on cyber-attacks, threats, cyber-incidents, breaches and mitigation measures taken within 15 days from the end of every quarter.
It also directed portfolio managers to appoint an independent CISA (Certified Information Systems Auditor)/CISM (Certified Information Security Manager) qualified or CERT-In (India's Computer Emergency Response Team) empanelled auditor for annual audits.