    SEBI intermediaries like MFs will be held responsible for violation of cyber security norms

    SEBI releases a Cyber Security and Cyber Resilience framework for all SEBI regulated entities, which include mutual funds.
    Kushan Shah Aug 21, 2024

    SEBI has released a Cyber Security and Cyber Resilience (CSCR) framework for SEBI Regulated Entities (REs), in which it has clarified that REs, which include AIFs, collective investment schemes, clearing corporations, investment advisors, research analysts, KYC registration agencies (KRAs), MFs, AMCs, PMs, RTAs and Venture Capital Funds (VCFs), will be held responsible for breach of cyber security norms.

    It said that intermediaries are accountable for ensuring compliance with the laws, regulations, circulars etc. issued by SEBI and the Government of India, and that they will be held accountable for any violations.

    Here is the summary of the framework:

    Anticipation of cyber attacks

    • REs shall establish and enforce cybersecurity risk management roles, responsibilities and authorities for accountability and improvement
    • REs have to document and implement CSCR policy with the approval of the board
    • Market Infrastructure Institutions (MIIs) have to conduct third-party assessment of their cyber resilience using a metric called Cyber Capability Index (CCI) on a half-yearly basis. Qualified REs have to do self-assessment of their cyber resilience on a yearly basis
    • REs have sole accountability for all aspects of third-party services, including the confidentiality, integrity, availability, non-repudiation and security of their data and logs
    • REs have to identify and classify critical systems based on their sensitivity and criticality for business operations, services and data management
    • REs have to conduct a comprehensive scenario-based risk assessment of their IT environment including both internal and external risks
    • Identified threats and vulnerabilities have to be used to understand inherent risks and to prioritise risk responses
    • REs should design and implement network segmentation techniques to restrict access to sensitive information, hosts and services
    • REs have to use layering of Full-disk Encryption (FDE) along with File-based Encryption (FE) for data protection
    • Development of software/applications for critical systems and feature enhancements should be carried out in non-production environments kept separate from production
    • Periodic audits will be done by CERT-In empanelled IS auditing organisations to check compliance with the applicable standards and mandatory guidelines
    • REs have to conduct Vulnerability Assessment and Penetration Testing (VAPT) to detect vulnerabilities in the IT environment
    • REs will implement Application Programming Interface (API) security and endpoint security solutions with rate limiting, throttling and proper authentication and authorization mechanisms
    • MIIs and REs must obtain ISO 27001 certification to ensure essential security standards
    • REs should establish appropriate security mechanisms through a Security Operations Centre (SOC) for continuous monitoring of security events and detection of anomalous activities. BSE and NSE will set up a market SOC, to which small-size REs and self-certification REs have to be onboarded
    • MIIs and qualified REs have to measure the functional efficacy of their SOC on a half-yearly basis, while the remaining REs can do this on a yearly basis through their SOC service providers
    • MIIs and qualified REs will conduct red teaming exercises in which they simulate cyber-attacks to test the strength of their cybersecurity framework

    Withstanding & containing cyber attacks

    • All cybersecurity related incidents should be reported in a timely manner through the SEBI incident reporting portal
    • All REs will have to establish an incident response management plan with SOP and Cyber Crisis Management Plan (CCMP)
    • In case of an incident, Root Cause Analysis (RCA) should be done to identify the cause leading to the incident
    • In case the RCA is inconclusive, a forensic analysis should be undertaken for detailed investigation of the cybersecurity incident

    Recovering and evolving from cyber attacks

    • REs must document a comprehensive response and recovery plan which will be triggered to ensure prompt restoration of systems affected by a cybersecurity incident
    • Actions taken during the recovery process will have to be communicated to all relevant stakeholders as required
    • Adaptive and evolving controls to tackle identified vulnerabilities to reduce attack surfaces will be created and incorporated into the CSCR

    The deadline for adoption of CSCR provisions is Jan 1, 2025 for categories of REs for which CSCR already exists and April 1, 2025 for others.
