New framework. SEBI asks PMS with AUM of over ₹3,000 crore to enhance cyber security

Market regulator SEBI on Wednesday came out with new framework to boost cyber security of portfolio management services.

With rapid technological advancement in the securities market, there is a greater need for maintaining robust cyber security and to have a cyber-resilience framework to protect the integrity of data and guard against breaches of privacy, it said.

Accordingly, all Portfolio Managers with assets under management of over ₹3,000 crore portfolio management service should formulate a comprehensive cyber security and cyber resilience policy document encompassing the framework by identifying critical IT assets and risks associated with such assets, deploying suitable controls, tools, and measures to protect the asset, detect incidents, anomalies and attacks through appropriate monitoring tools/processes, respond by taking immediate steps after identification of the incident, anomaly or attack and recover from incident through incident management, disaster recovery, and business continuity framework.

PMS should appoint a Chief Information Security Officer and constitute a Technology Committee comprising experts proficient in technology.

The cybersecurity policy should encompass the principles prescribed by the National Critical Information Infrastructure Protection Centre of the National Technical Research Organization in the latest report titled ’Guidelines for Protection of National Critical Information Infrastructure’.

From October 1

Based on feedback received from stakeholders, it has been decided that the guidelines should be effective from October 1, 2023, SEBI said.

In this context, the Association of Portfolio Managers in India should also furnish activity-wise implementation timelines and progress in the implementation to SEBI on a bimonthly basis, it said.

The policy document should be approved by the Board of the Portfolio Manager and in case of deviations from the suggested framework, reasons for such deviations should also be provided in the policy document. The policy document should be reviewed by the Board at least once annually with the view to strengthen and improve its cyber security and cyber resilience framework, it said.