SEBI issues circular on Modification in Cyber Security and Cyber Resilience Framework of Mutual Funds/ Asset Management Companies (AMCs).

The Securities and Exchange Board of India (SEBI), on 9th June 2022, modified the cyber security and cyber resilience framework for Asset Management Companies and mandated them to conduct a comprehensive cyber audit at least 2 times in a financial year. This modified framework shall come into force with effect from July 15, 2022.

Mutual Funds/ AMCs shall identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management. The critical assets shall include business critical systems, internet facing applications/ systems, systems that contain sensitive data, sensitive personal data, sensitive financial data, Personally Identifiable Information (PII) data, etc. All the ancillary systems used for accessing/ communicating with critical systems either for operations or maintenance shall also be classified as critical assets.

Mutual Funds/ AMCs shall carry out periodic Vulnerability Assessment and Penetration Testing (VAPT) which, inter alia, includes critical assets and infrastructure components such as servers, networking systems, security devices, load balancers and other IT systems pertaining to the activities carried out in their role as Mutual Funds/ AMCs. The purpose is to detect security vulnerabilities in the IT environment and to evaluate in depth the security posture of the system through simulations of actual attacks on its systems and networks.

Further, all Mutual Funds/ AMCs shall engage only Indian Computer Emergency Response Team (CERT-In) empanelled organizations for conducting VAPT. The final report on the said VAPT shall be submitted to SEBI, after approval from the Technology Committee of the respective Mutual Fund/ AMC, within 1 month of completion of the VAPT activity.
