SEBI issues framework on Cyber Security & Cyber Resilience for Mutual Funds / Asset Management Companies (AMCs), effective April 1, 2019
The Securities and Exchange Board of India (“SEBI”) has issued a circular dated January 10, 2019 specifying the Cyber Security & Cyber Resilience framework for Mutual Funds and Asset Management Companies (AMCs). The framework aims to protect the interests of investors in securities, to promote the development of the securities market, and to regulate it. The guidelines will take effect from April 1, 2019.
With rapid technological advancement in the securities market, there is a need to maintain robust cyber security and a cyber resilience framework to protect the integrity of data and guard against breaches of privacy. Mutual Funds / Asset Management Companies (AMCs) need a robust cyber security and cyber resilience framework in order to provide essential facilities and services and perform critical functions in the securities market.
Mutual Funds / AMCs shall comply with the provisions of Cyber Security and Cyber Resilience and are required to take necessary steps to put in place systems for implementation of the framework.
The framework specifies guidelines for cyber security on the following heads:
- Identification of critical assets and the cyber risks that they may face
- Access Control
- Physical Security
- Network security management
- Data Security: identification and encryption of critical data and restriction on access
- Hardening of Hardware and Software
- Application Security in Customer Facing Applications
- Certification of off-the-shelf products
- Patch Management Procedures
- Disposal of data, systems and storage devices
- Conduct of Vulnerability Assessment and Penetration Testing (VAPT)
- Security Monitoring and Detection systems
- Response and Recovery upon alerts
- Sharing of Information
- Training and Education of staff
- Periodic Audit
- Appropriate Monitoring of Vendors and Service Providers