Market regulator SEBI has tightened the cyber security framework for mutual funds (MFs) by mandating periodic vulnerability assessment and penetration testing (VAPT) by an external agency and submission of the report to it within a month.

All cyber-attacks, threats, and breaches experienced by MFs have to be reported to SEBI within six hours of detecting such incidents or being brought to their notice.

Quarterly reporting

MFs and AMCs have to conduct VAPT at least once in a financial year, and those whose systems have been identified as a “protected system” by the National Critical Information Infrastructure Protection Centre under the IT Act have to conduct VAPT at least twice in a financial year, SEBI said in a circular on Thursday.

The circular will come into force from July 15.

The quarterly reports containing information on cyber-attacks, threats, cyber-incidents and breaches experienced by MFs and measures taken to mitigate vulnerabilities that may be useful for other fund houses have to be submitted to SEBI within 15 days after every quarter-end.

Cyber audit

Further, MFs are mandated to conduct a comprehensive cyber audit at least twice in a financial year. Along with the cyber audit reports, all MFs have to submit a declaration from the Managing Director and Chief Executive Officer certifying compliance with all SEBI advisories related to cyber security, it added.

Any gaps or vulnerabilities detected have to be remedied on an immediate basis, and compliance on closure of findings identified during VAPT shall be submitted to SEBI within three months, it said.

In addition, MFs have to perform vulnerability scanning and conduct penetration testing prior to installing a new critical system or updating an existing one.

Segregation of critical assets

MFs have to classify critical assets based on their sensitivity and criticality for business operations, services and data management. All the ancillary systems used for accessing and communicating with critical systems either for operations or maintenance should also be classified as critical assets. The Board of the AMCs and Trustees will approve the list of critical assets.

MFs also have to maintain an inventory of their hardware and systems, software and information assets, details of their network resources, connections to their network and data flows, said SEBI.