Capital markets regulator SEBI on Wednesday came out with a cybersecurity framework for all portfolio managers having an asset base of at least Rs 3,000 crore. The new guidelines will come into force from October 1, 2023, the Securities and Exchange Board of India (SEBI) said in a circular. Under the framework, SEBI asked portfolio managers to report all cyber-attacks and breaches experienced by them within 6 hours of detecting such incidents.
"The response and recovery plan of the portfolio manager should aim at the timely restoration of systems affected by incidents of cyber-attacks or breaches. Portfolio managers should have Recovery Time Objective and Recovery Point Objective not more than 4 hours and 30 minutes, respectively," SEBI said.
With rapid technological advancement in the securities market, the regulator said there is a greater need for maintaining robust cyber security and to have a cyber resilience framework to protect the integrity of data and guard against breaches of privacy. As part of the operational risk management, the portfolio managers need to have a robust cyber security and cyber resilience framework in order to provide essential facilities and services and perform critical functions in the securities market, SEBI said.
Accordingly, all portfolio managers with asset under management of Rs 3,000 crore or more, under discretionary and non-discretionary portfolio management service taken together, as on the last date of the previous calendar month will comply with the provisions of cybersecurity and cyber-resilience.
To manage risk to systems, networks, and databases from cyber-attacks and threats, SEBI asked portfolio managers to formulate comprehensive cyber security and cyber resilience policy document thereunder. The policy document should be approved by the board and in case of deviations from the suggested framework, reasons for such deviations should also be provided in the policy document.
The cybersecurity and cyber resilience policy should include the process to identify, assess, and manage cybersecurity risks associated with processes, information, networks, and systems. Portfolio managers should define the responsibilities of its employees, outsourced staff, and employees of vendors and other entities, who may have access to their networks.
They should establish a reporting procedure to facilitate communication of unusual activities and events to chief information security officer (CISO) or to the senior management in a timely manner. SEBI asked Association of Portfolio Managers in India (APMI) to furnish activity wise implementation timelines and progress in implementation of the new framework on a bi-monthly basis.
