The Securities and Exchanges Board of India (Sebi) has issued a circular mandating all portfolio managers with assets under management (AUM) of Rs. 3,000 crore or more to comply with certain cybersecurity and cyber resilience requirements.
Cybersecurity frameworks include measures, tools, and processes to prevent cyberattacks, respond to cyberattacks, and recover from cyberattacks. The circular has also listed the necessary steps that portfolio managers and association of portfolio managers of India (APMI) should take to ensure compliance with the provisions by October 1, 2023.
A security and cyber resilience policy should be developed by portfolio managers that emphasise identifying critical IT assets and their risks. The policy should also stress on deploying appropriate tools to protect IT assets among other criteria mentioned in the document available on the Sebi website.
Compliance Norms
According to the circular, chief information security officers (CISOs) should be designated by portfolio managers to ensure strict compliance with the above-mentioned policy after its approval by the Board or equivalent body of portfolio managers. Board members shall also form a Technology Committee comprising technology experts.
“Portfolio managers should instal network security devices, such as firewalls and intrusion detection and prevention systems to protect their IT infrastructure,” Sebi said.
Among the measures outlined in the circular are steps to ensure data security and disposal of systems and storage devices that are no longer needed.
Sebi and Cert-In must also be notified within six hours of detecting any cyberattacks or threats.
Portfolio managers will also have to submit a quarterly report useful to other managers detailing bugs or cyber threats, and how they were mitigated, within 15 days from the quarter ended June, September, December and March of every year.
The circular adds that employees and outsourced staff should be trained periodically on IT and/or cybersecurity policies and standards. Despite outsourcing many critical activities to different agencies, the primary responsibility of those outsourced activities lies primarily with the portfolio manager, Sebi said.
According to the circular, the portfolio managers shall arrange for independent CISA and/or CISM qualified or CERT-IN empanelled auditors to audit their systems on an annual basis to ensure compliance with the above areas. Also, they have to submit the report to Sebi with the comments of their Board. The critical activities handled by agencies should also be mentioned in this report.
