The Securities and Exchange Board of India (Sebi) has recently tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year. The new framework will come into force from July 15.
According to a circular, along with the cyber audit reports, AMCs are required to submit to stock exchanges and depositories a statement from the MD and CEO certifying their compliance with all Sebi guidelines and advisories related to cyber security issued from time to time.
Under the modified framework, the AMCs need to identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.
Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets. All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well. The board of AMC is required to approve the list of critical systems.
According to Sebi, AMCs must also perform regular vulnerability assessments and penetration tests (VAPT) that cover critical assets and infrastructure components, in order to detect security vulnerabilities in the IT environment and to obtain a deep assessment of the systems' security posture through simulations of real attacks on their systems and networks.
Furthermore, they are required to engage only organizations empanelled by CERT-In (the Indian Computer Emergency Response Team) to conduct the VAPT. Within one month of the completion of the VAPT, the final report must be submitted to Sebi with the approval of the technology committee of the respective AMC.
“Any gaps/vulnerabilities detected will be remediated immediately and the closing compliance of the findings identified during VAPT will be submitted to the stock exchanges/depositories within three months of the final VAPT report being submitted,” the regulator said.
Previously, the regulator introduced a modified cybersecurity and cyber resiliency framework for broker-dealers and depository participants, market infrastructure institutions (stock exchanges, depositories and clearing corporations), and KYC registration agencies (KRAs).