Register Price / Packages DEMO Option My Bookmarks Daily Newsletters Feedback/ Suggestions
Tax Management India. Com
Law and Practice  :  Digital eBook
Research is most exciting & rewarding


Case Laws Acts Notifications Circulars Classification Forms Manuals Articles News D. Forum Highlights Notes
TMI - e-Newsletter     TaxTMI    Taxation on gains arising out of compulsory...     TaxTMI    LTCG - year of assessment - The Tribunal noted...     TaxTMI    Penalty u/s. 270A - Under-reporting of income /...     TaxTMI    Exemption u/s 11 - assessee has not e-filed or not...     TaxTMI    Taxable supply or not - Entry fee collected from...     TaxTMI    Extinguishment of liability as per order of NCLT -...     TaxTMI    Violation of principles of natural justice -cryptic...     TaxTMI    Determination of time limit for filing of Appeal...     TaxTMI    Scope of SCN - impugned order proceeds on a...     TaxTMI    Penalty u/s. 271(1)(c) - Referring to a precedent...     TaxTMI    Penalty levied u/s 271(1)(c) - Transfer pricing...     TaxTMI    Eligibility for Input Tax Credit - Failure to...     TaxTMI    Levy of penalty @200% - e-way bill which was...     TaxTMI    Levy of interest and penalty - transition of amount...     TaxTMI    Levy of maximum penalty - penalty imposed on the...     TaxTMI    Latest Case-Laws     TaxTMI    Latest Notifications + Circulars     TaxTMI    GST Council Decisions     TaxTMI       Right Stop
  TMI - Tax Management India. Com
Follow us:
  Facebook   Twitter   Linkedin   Telegram

TMI Blog

Home

Cyber Security and Cyber Resilience framework for Portfolio Managers

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... ns of Cyber Security and Cyber Resilience as placed at Annexure-1. Implementation Schedule: 4. Based on feedback received from stakeholders, it has been decided that the guidelines annexed with this circular shall be effective from October 01, 2023. In this context, Association of Portfolio Managers in India (APMI) shall also furnish activity wise implementation timelines and progress in implementation of provisions of this circular to SEBI on bi-monthly basis. 5. Portfolio Managers and APMI shall take necessary steps for implementing the circular, including putting the required processes and systems in place to ensure compliance with the provisions of this circular. 6. This circular is issued in exercise of powers conferred under Section 11(1) of the Securities and Exchange Board of India Act, 1992 read with Regulation 43 of the SEBI (Portfolio Managers) Regulations, 2020 , to protect the interests of investors in securities market and to promote the development of, and to regulate the securities market. 7. The circular is available on SEBI website at www.sebi.gov.in under the categories Info for Portfolio Managers and Legal framework - Circulars . .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... cture Protection Centre (NCIIPC) of the National Technical Research Organization (NTRO), Government of India, in the report titled Guidelines for Protection of National Critical Information Infrastructure and subsequent revisions, if any, from time to time. 5. Portfolio Managers should also incorporate best practices from standards such as ISO 27001, ISO 27002, COBIT 5, etc., or their subsequent revisions, if any, from time to time. 6. Portfolio Managers should designate a senior official as Chief Information Security Officer (CISO) whose function would be to assess, identify and reduce cyber security risks, respond to incidents, establish appropriate standards and controls, and direct the establishment and implementation of processes and procedures as per the cyber security and resilience policy approved by the Board or equivalent body of Portfolio Manager. 7. The Board or equivalent body of the Portfolio Manager shall constitute a Technology Committee comprising experts proficient in technology. This Technology Committee should on a half yearly basis review the implementation of the cyber security and cyber resilience policy approved by their Board or equivalent body, .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... tandards of Information Security. Protection Access Controls 14. No person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities. 15. Any access to Portfolio Manager s systems, applications, networks, databases, etc., should be for a defined purpose and for a defined period. Portfolio Manager should grant access to IT systems, applications, databases, and networks on a need-to-use basis and based on the principle of least privilege. Such access should be for the period when the access is required and should be authorized using strong authentication mechanisms. 16. Portfolio Manager should implement strong password controls for users access to systems, applications, networks and databases. Password controls should include a change of password upon first log-on, minimum password length and history, password complexity as well as maximum validity period. The user credential data should be stored using strong and latest hashing algorithms. 17. Portfolio Managers should ensure that records of user access are uniquely identified and logged for audit and review purposes. Such logs shou .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... ise mobile devices within the IT environment. The Portfolio Manager should conduct regular enforcement checks to ensure that the baseline standards are applied uniformly. The checks should be done at least once in a year. 28. Portfolio Managers should install network security devices, such as firewalls as well as intrusion detection and prevention systems, to protect their IT infrastructure from security exposures originating from internal and external sources. 29. Anti-virus software should be installed on servers and other computer systems. Updation of anti-virus definition files and automatic anti-virus scanning should be done on a regular basis. Security of Data 30. Data-in motion and Data-at-rest should be in encrypted form by using strong encryption methods such as Advanced Encryption Standard (AES), RSA, SHA-2, etc. 31. Portfolio Managers should implement measures to prevent unauthorized access or copying or transmission of data / information held in contractual or fiduciary capacity. It should be ensured that confidentiality of information is not compromised during the process of exchanging and transferring information with external parties. 32. The info .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... n the IT environment and in-depth evaluation of the security posture of the system through simulations of actual attacks on its systems and networks. Portfolio Managers shall conduct VAPT at least once in a financial year. However, for the Portfolio Managers, whose systems have been identified as protected system by National Critical Information Infrastructure Protection Centre (NCIIPC) under the Information Technology (IT) Act, 2000, VAPT shall be conducted at least twice in a financial year. Further, all Portfolio Managers shall engage only Indian Computer Emergency Response Team (CERT-In) empanelled organizations for conducting VAPT. The final report on said VAPT shall be submitted to SEBI after approval from Technology Committee of respective Portfolio Manager, within 1 month of completion of VAPT activity. 41. Any gaps or vulnerabilities detected shall be remedied on immediate basis and compliance of closure of findings identified during VAPT shall be submitted to SEBI within 3 months post the submission of final VAPT report. 42. In addition, Portfolio Managers shall perform vulnerability scanning and conduct penetration testing prior to the commissioning of a ne .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

..... o SEBI within 6 hours of noticing/ detecting such incidents or being brought to their notice about such incidents. The incident shall also be reported to CERT-In in accordance with the guidelines/ directions issued by CERT-In from time to time. Additionally, the Portfolio Manager, whose systems have been identified as protected system by NCIIPC, shall also report the incident to NCIIPC. The quarterly reports containing information on cyber-attacks, threats, cyber-incidents, and breaches experienced by Portfolio Manager and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs/ vulnerabilities/ threats that may be useful for other Portfolio Managers shall be submitted to SEBI within 15 days from the quarter ended June, September, December and March of every year. The above information/ reports shall be shared through the dedicated e-mail ids: vapt_reports@sebi.gov.in and cybersecurity_pms@sebi.gov.in 52. Such details as are felt useful for sharing with other Portfolio Managers in masked and anonymous manner shall be shared using mechanism to be specified by SEBI from time to time. Training 53. Portfolio Managers should conduct .....

X X   X X   Extracts   X X   X X

→ Full Text of the Document

X X   X X   Extracts   X X   X X

 

 

 

 

Quick Updates:Latest Updates

What's New:
    Latest Case Laws
What's New:
    Latest Notifications
What's New:
    Latest Circulars
F: INQUIRY BY THE APPELLATE AUTHORITY
H: Applicable rate of tax (GST) - Classification of goods - mango pulp su...
H: Exemption from GST - pure services or supply of goods to the Notified ...
H: Interest Liability on Electronic Credit Ledger Payments - Seeking levy...
H: Recovery of short paid duty alongwith interest and penalty - The petit...
H: Validity of assessment order - reply to the ASTM-10 notice was not tak...
H: Refund of the unutilized ITC of GST Compensation Cess on coal - zero r...
H: Classification of the mixed spices - classification accepted under the...
H: Imposition of GST on vouchers - The petitioner, involved in managing c...
H: Validity of assessment order - The High Court opined that the challeng...
H: Refund claim - determination of the turn over for the purpose of refun...
H: Grant of Regular Bail - In a case where the State sought to challenge ...
H: Delay in filing the appeal - Time Limitation - petition delayed for al...
H: Cancellation of GST registration of the petitioner - The High Court ex...
H: Availing and utilization of Input Tax Credit - The applicant had initi...
F: Penalty under Section 73(1) of CGST Act, 2017
H: Addition u/s 68 - unexplained share application money - genuineness an...
F: Refund of IGST Charged and collected from Foreign Customer on Export o...
F: sales Against 0.1% GST- if export not done within 90 Days
F: PAYMENT TO CINE OR TV ARTISTS. LIABILITY UNDER RCM
A: Collection of Entry Fee from visitors for Temple Hall Exempt under GST
A: State-wise Professional Tax Payment Deadlines in India: A Comprehensiv...
A: Low tax effect in pending appeals- The administrative role to withdraw...
F: ITC of FY 2017-18 blocked
C: Clarification on the applicability of 3% amount on account of non-achi...
C: Suspension of inoperative SIONs
N: Amendment in the Export policy of Onions
N: Seeks to amend specified customs tariff notifications to exempt applic...
A: How to become a crorepati via SIP
C: Master Direction – Risk Management and Inter-Bank Dealings: Amendments