Register Price / Packages DEMO Option My Bookmarks Daily Newsletters Feedback/ Suggestions
Tax Management India. Com
Law and Practice  :  Digital eBook
Research is most exciting & rewarding


Case Laws Acts Notifications Circulars Classification Forms Manuals Articles News D. Forum Highlights Notes
TMI - e-Newsletter     TaxTMI    Levy of GST - Royalty- seigniorage fee paid by the...     TaxTMI    Levy of Penalty u/s 129(3) of the Central Goods and...     TaxTMI    Levy of penalty - goods were undervalued - The High...     TaxTMI    Cancellation of GST Registration - Legal Validity...     TaxTMI    Control of income-tax authorities - U/s 118 -...     TaxTMI    Amendment to Regulation 3.1 of FEMA, Mode of...     TaxTMI    Amendment to Regulation 4 of FEMA, Mode of Payment...     TaxTMI    Securities and Exchange Board of India (Investment...     TaxTMI    Securities and Exchange Board of India (Research...     TaxTMI    LTCG - year of assessment - The Tribunal noted...     TaxTMI    Penalty u/s. 270A - Under-reporting of income /...     TaxTMI    Extinguishment of liability as per order of NCLT -...     TaxTMI    Violation of principles of natural justice -cryptic...     TaxTMI    Determination of time limit for filing of Appeal...     TaxTMI    Scope of SCN - impugned order proceeds on a...     TaxTMI    Latest Case-Laws     TaxTMI    Latest Notifications + Circulars     TaxTMI    GST Council Decisions     TaxTMI       Right Stop
  TMI - Tax Management India. Com
Follow us:
  Facebook   Twitter   Linkedin   Telegram

TMI Blog

Home

Cyber Security and Cyber Resilience framework for Mutual Funds / Asset Management Companies (AMCs)

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... rescribed vide SEBI circular CIR/MRD/DP13/2015 dated July 06, 2015 on cyber security and cyber resilience also be made applicable to all Mutual Funds / AMC. Accordingly, all Mutual Funds / AMCs shall comply with the provisions of Cyber Security and Cyber Resilience as placed at Annexure-1 . 4. Mutual Funds / AMCs are advised to take necessary steps to put in place systems for implementation of this circular. The guidelines annexed with this circular shall be effective from April 1, 2019. 5. This circular is issued in exercise of powers conferred under Section 11 (1) of the Securities and Exchange Board of India Act, 1992, read with the provisions of Regulation 77 of SEBI (Mutual Funds) Regulations, 1996, to protect the interests of investors in securities and to promote the development of, and to regulate the securities market. Yours faithfully, Harini Balaji General Manager Investment Management Department Tel No. 022-26449372 Email: harinib@sebi.gov.in Annexure - 1 1. Cyber-attacks and threats attempt to compromise the Confidentiality, Integrity and Availability (CIA) of the computer systems, networks and databases (Confid .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... ISO 27001, ISO 27002, COBIT 5, etc., or their subsequent revisions, if any, from time to time. 6. Mutual Funds/ AMCs should designate a senior official as Chief Information Security Officer (CISO) whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security and resilience policy approved by the Board of the AMCs. 7. The Board of the AMCs shall constitute a Technology Committee comprising experts proficient in technology. This Technology Committee should on a quarterly basis review the implementation of the cyber security and cyber resilience policy approved by their Board, and such review should include review of their current IT and cyber security and cyber resilience capabilities, set goals for a target level of cyber resilience, and establish a plan to improve and strengthen cyber security and cyber resilience. The review shall be placed before the Board of the AMCs and Trustees for appropriate action. 8. Mutual Funds/ AMCs should establish a reporting procedure to facilitate communicat .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... uld be stored using strong and latest hashing algorithms. 17. Mutual Funds/ AMCs should ensure that records of user access are uniquely identified and logged for audit and review purposes. Such logs should be maintained and stored in encrypted form for a time period not less than two (2) years. 18. Mutual Funds/ AMCs should deploy additional controls and security measures to supervise staff with elevated system access entitlements (such as admin or privileged users). Such controls and measures should inter-alia include restricting the number of privileged users, periodic review of privileged users activities, disallow privileged users from accessing systems logs in which their activities are being captured, strong controls over remote access by privileged users, etc. 19. Account access lock policies after failure attempts should be implemented for all accounts. 20. Employees and outsourced staff such as employees of vendors or service providers, who may be given authorized access to the Mutual Fund s/ AMC s critical systems, networks and other computer resources, should be subject to stringent supervision, monitoring and access restrictions. 21. Two-factor authentic .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... fidentiality of information is not compromised during the process of exchanging and transferring information with external parties. 32. The information security policy should also cover use of devices such as mobile phone, faxes, photocopiers, scanners, etc. that can be used for capturing and transmission of data. 33. Mutual Funds/ AMCs should allow only authorized data storage devices through appropriate validation processes. Hardening of Hardware and Software 34. Only a hardened and vetted hardware / software should be deployed by the Mutual Funds/ AMCs. During the hardening process, Mutual Funds/ AMCs should inter-alia ensure that default passwords are replaced with strong passwords and all unnecessary services are removed or disabled in equipments / software. 35. All open ports which are not in use or can potentially be used for exploitation of data should be blocked. Other open ports should be monitored and appropriate measures should be taken to secure the ports. Application Security and Testing 36. Mutual Funds/ AMCs should ensure that regression testing is undertaken before new or modified system is implemented. The scope of tests should cover business .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... tworks, Mutual Funds/ AMCs should implement suitable mechanism to monitor capacity utilization of its critical systems and networks. 45. Suitable alerts should be generated in the event of detection of unauthorized or abnormal system activities, transmission errors or unusual online transactions. Response and Recovery 46. Alerts generated from monitoring and detection systems should be suitably investigated, including impact and forensic analysis of such alerts, in order to determine activities that are to be performed to prevent expansion of such incident of cyber-attack or breach, mitigate its effect and eradicate the incident. 47. The response and recovery plan of the Mutual Funds/ AMCs should aim at timely restoration of systems affected by incidents of cyber-attacks or breaches. The recovery plan should be in line with the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) as specified by SEBI for Market Infrastructure Institutions vide SEBI circular CIR/MRD/DMS/17/20 dated June 22, 2012 as amended from time to time. 48. The response plan should define responsibilities and actions to be performed by its employees and support or outsourced staff .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

 

 

 

 

Quick Updates:Latest Updates

What's New:
    Latest Case Laws
What's New:
    Latest Notifications
What's New:
    Latest Circulars
H: Liquidation of corporate Debtor - Eligibility of the Appellant to subm...
H: Short payment of Central Excise Duty - The Appellate Tribunal conclude...
A: Roving Judgements!
A: Assessee would be considered as electronic commerce operator when digi...
H: Recovery of dues by adjusting them against the refund amount - Delay i...
H: Dishonour of Cheque - Vicarious liability of the Company Secretary - T...
F: Section 17(2) Rule 42
F: Refund of IGST Charged and collected from Foreign Customer on Export o...
F: Penalty under Section 73(1) of CGST Act, 2017
F: QUANTUM OF PENALTY UNDER THE IGST ACT
F: refund of amount deposited through DRC-03
F: ITC of FY 2017-18 blocked
F: Export Services without LUT
F: Addition of unaccounted supplies in the Returns
A: DISTINCTION BETWEEN DEATH OF PLAINTIFF AND DEFENDANT DURING PENDENCY O...
A: A Comprehensive Guide to Inter-State and Intra-State Supply
A: Intermediary Services Nexus with Export of Services
A: Assessment Order not valid when Petitioner could not file reply due to...
C: Instruction on review of requirement of G-Card holders at a Customs St...
A: Supreme Court orders about alleged bogus capital gains on alleged penn...
C: Verification of authenticity and genuineness of Certificate of Origin ...
H: Levy of interest and penalty - transition of amount wrongly claimed as...
C: Acceptance of Electronic Certificate of Origin (e-CoO) issued by the i...
H: Levy of penalty @200% - e-way bill which was generated by the appellan...
H: Eligibility for Input Tax Credit - Failure to report outward supply - ...
H: Seeking cancellation of the GST registration - The case involved a pet...
H: Reference to Departmental valuation officer [DVO] without first reject...
H: Validity of reopening of assessment - Validity of grant the approval b...
H: Validity of reopening of assessment - Petitioner received another noti...
H: Penalty levied u/s 271(1)(c) - Transfer pricing adjustment - assessee ...