India Introduces Cybersecurity Rules for Mutual Funds, Asset Managers

Mutual funds and asset management companies must develop a cybersecurity policy document approved and regularly reviewed by their boards and trustees.

SEBI (the Securities and Exchange Board of India) has introduced stricter cybersecurity rules for mutual funds and asset management companies (AMCs) to protect against data breaches.

The new rules will come into place from 1 April 2019, according to a SEBI circular.

“Quarterly reports containing information on cyber attacks and threats experienced by mutual funds/AMCs and measures taken to mitigate vulnerabilities, threats and attacks including information on bugs/vulnerabilities/threats that may be useful for other AMCs/MFs should be submitted to Sebi in a soft copy,” the circular said.

According to local media reports, SEBI has observed rapid technological developments in the securities markets, necessitating robust cybersecurity and cyber resilience frameworks to protect the integrity of data.

SEBI will require entities to formulate a cybersecurity and cyber resilience policy document adhering to its framework. The document needs to be approved by the fund board and trustees.

Reasons for any deviation from the framework will need to be provided in the policy document, SEBI said. The document will also need to be reviewed by the board at least once per year with a view to strengthen and improve cybersecurity rules.

According to SEBI, no person will have the “intrinsic right” to access confidential data due their rank or position. Its recommendations are in line with that of its high-powered steering committee on cybersecurity.

SEBI has also recently issued a new cybersecurity framework for stockbrokers and depository participants, as well as for market infrastructures.

To Top