Market regulator SEBI has tightened the cyber security framework for mutual funds (MFs) by mandating periodic vulnerability assessment and penetration testing (VAPT) by an external agency and submission of the report to it within a month.
All cyber-attacks, threats, and breaches experienced by MFs have to be reported to SEBI within six hours of detecting such incidents or being brought to their notice.
Quarterly reporting
MFs and AMCs have to conduct VAPT at least once in a financial year. Those whose systems have been identified as a “protected system” by the National Critical Information Infrastructure Protection Centre under the IT Act have to conduct VAPT at least twice in a financial year, SEBI said in a circular on Thursday.
The circular will come into force from July 15.
The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by MFs and measures taken to mitigate vulnerabilities that may be useful for other fund houses have to be submitted to SEBI within 15 days after every quarter-end.
Cyber audit
Further, MFs are mandated to conduct a comprehensive cyber audit at least twice in a financial year. Along with the cyber audit reports, all MFs have to submit a declaration from the Managing Director and Chief Executive Officer certifying compliance with all SEBI advisories related to cyber security, it added.
Any gaps or vulnerabilities detected have to be remedied on an immediate basis, and compliance of closure of findings identified during VAPT shall be submitted to SEBI within three months, it said.
In addition, MFs have to perform vulnerability scanning and conduct penetration testing prior to installing a new critical system or updating an existing one.
Segregation of critical assets
MFs have to classify critical assets based on their sensitivity and criticality for business operations, services and data management. All the ancillary systems used for accessing and communicating with critical systems either for operations or maintenance should also be classified as critical assets. The Board of the AMCs and Trustees will approve the list of critical assets.
MFs also have to maintain an inventory of their hardware and systems, software and information assets, details of their network resources, connections to their network and data flows, said SEBI.
