Sebi tweaks cybersecurity and cyber resilience framework for AMCs

The Securities and Exchange Board of India (Sebi) on Thursday tweaked the cyber security and cyber resilience framework for asset management companies (AMCs) and mandated them to conduct a comprehensive cyber audit at least twice in a financial year.

Along with the cyber audit reports, AMCs have been asked to submit to stock exchanges and depositories a declaration from the managing director (MD) and chief executive officer (CEO), certifying compliance by them with all Sebi guidelines and advisories related to cyber security issued from time to time, according to a circular.

The new framework will come into force from July 15.

Under the modified framework, the asset management firms need to identify and classify critical assets based on their sensitivity and criticality for business operations, services and data management.

Further, business-critical systems, internet-facing applications/systems, systems containing sensitive data, sensitive personal data, sensitive financial data, and personally identifiable information data, among others, should all be considered critical assets.

All auxiliary systems that connect to or communicate with critical systems, whether for operations or maintenance, must be designated as critical systems as well.

The board of AMC is required to approve the list of critical systems.

"To this end, Mutual funds/ AMCs shall maintain an up-to-date inventory of its hardware and systems, software and information assets (internal and external), details of its network resources, connections to its network and data flows," Sebi said.