Tax Management India. Com
Law and Practice  :  Digital eBook
Research is most exciting & rewarding
  TMI - Tax Management India. Com
Follow us:
  Facebook   Twitter   Linkedin   Telegram

TMI Blog

Home

Cyber Security and Cyber Resilience framework for Mutual Funds / Asset Management Companies (AMCs)

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... rescribed vide SEBI circular CIR/MRD/DP13/2015 dated July 06, 2015 on cyber security and cyber resilience also be made applicable to all Mutual Funds / AMC. Accordingly, all Mutual Funds / AMCs shall comply with the provisions of Cyber Security and Cyber Resilience as placed at Annexure-1 . 4. Mutual Funds / AMCs are advised to take necessary steps to put in place systems for implementation of this circular. The guidelines annexed with this circular shall be effective from April 1, 2019. 5. This circular is issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, read with the provisions of Regulation 77 of SEBI (Mutual Funds) Regulations, 1996, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market. Yours faithfully, Harini Balaji General Manager Investment Management Department Tel No. 022-26449372 Email: [email protected] Annexure - 1 1. Cyber-attacks and threats attempt to compromise the Confidentiality, Integrity and Availability (CIA) of the computer systems, networks and databases (Confid .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... ISO 27001, ISO 27002, COBIT 5, etc., or their subsequent revisions, if any, from time to time. 6. Mutual Funds/ AMCs should designate a senior official as Chief Information Security Officer (CISO) whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security and resilience policy approved by the Board of the AMCs. 7. The Board of the AMCs shall constitute a Technology Committee comprising experts proficient in technology. This Technology Committee should on a quarterly basis review the implementation of the cyber security and cyber resilience policy approved by their Board, and such review should include review of their current IT and cyber security and cyber resilience capabilities, set goals for a target level of cyber resilience, and establish a plan to improve and strengthen cyber security and cyber resilience. The review shall be placed before the Board of the AMCs and Trustees for appropriate action. 8. Mutual Funds/ AMCs should establish a reporting procedure to facilitate communicat .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... uld be stored using strong and latest hashing algorithms. 17. Mutual Funds/ AMCs should ensure that records of user access are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in encrypted form for a time period not less than two (2) years. 18. Mutual Funds/ AMCs should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures should inter-alia include restricting the number of privileged users, periodic review of privileged users activities, disallow privileged users from accessing systems logs in which their activities are being captured, strong controls over remote access by privileged users, etc. 19. Account access lock policies after failure attempts should be implemented for all accounts. 20. Employees and outsourced staff such as employees of vendors or service providers, who may be given authorized access to the Mutual Fund s/ AMC s critical systems, networks and other computer resources, should be subject to stringent supervision, monitoring and access restrictions. 21. Two-factor authentic .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... fidentiality of information is not compromised during the process of exchanging and transferring information with external parties. 32. The information security policy should also cover use of devices such as mobile phone, faxes, photocopiers, scanners, etc. that can be used for capturing and transmission of data. 33. Mutual Funds/ AMCs should allow only authorized data storage devices through appropriate validation processes. Hardening of Hardware and Software 34. Only a hardened and vetted hardware / software should be deployed by the Mutual Funds/ AMCs. During the hardening process, Mutual Funds/ AMCs should inter-alia ensure that default passwords are replaced with strong passwords and all unnecessary services are removed or disabled in equipments / software. 35. All open ports which are not in use or can potentially be used for exploitation of data should be blocked. Other open ports should be monitored and appropriate measures should be taken to secure the ports. Application Security and Testing 36. Mutual Funds/ AMCs should ensure that regression testing is undertaken before new or modified system is implemented. The scope of tests should cover business .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... tworks, Mutual Funds/ AMCs should implement suitable mechanism to monitor capacity utilization of its critical systems and networks. 45. Suitable alerts should be generated in the event of detection of unauthorized or abnormal system activities, transmission errors or unusual online transactions. Response and Recovery 46. Alerts generated from monitoring and detection systems should be suitably investigated, including impact and forensic analysis of such alerts, in order to determine activities that are to be performed to prevent expansion of such incident of cyber-attack or breach, mitigate its effect and eradicate the incident. 47. The response and recovery plan of the Mutual Funds/ AMCs should aim at timely restoration of systems affected by incidents of cyber-attacks or breaches. The recovery plan should be in line with the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012 as amended from time to time. 48. The response plan should define responsibilities and actions to be performed by its employees and support or outsourced staff .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

 

 

 

 

Quick Updates:Latest Updates