Cyber Security And Cyber Resilience Framework For Portfolio Managers - From SEBI
What do you mean by a portfolio manager?
Portfolio managers are professionals/ entities responsible for managing investment portfolios on behalf of clients or organizations. They make investment decisions based on market research, risk assessment, and the client's objectives. Their goal is to maximize returns while minimizing risk by diversifying the portfolio across various asset classes.
Portfolio managers work closely with their clients to understand their financial goals, risk tolerance, and investment preferences. Then, they use this information to construct a customized portfolio that meets the client's specific needs. Depending on the size of the portfolio and the complexity of the investments involved, portfolio managers may work independently or as part of a larger team of investment professionals. Overall, the role of a portfolio manager is to help clients achieve their financial goals through a carefully constructed and diversified investment portfolio that balances risk and return.
Applicability of the Circular
The circular applies to all portfolio managers with assets under management of INR 3000 crore or more under discretionary and non-discretionary portfolio management services taken together, as on the last date of the previous calendar month; such portfolio managers should comply with the provisions of Cyber Security and Cyber Resilience.
What is discretionary and non-discretionary portfolio management service?
Discretionary portfolio management is where the portfolio manager has full authority to buy and sell securities on behalf of the client without needing their approval for each transaction. The manager creates a customized portfolio based on the client's objectives, risk tolerance, and preferences, using their own analysis of market conditions and economic trends.
Non-discretionary portfolio management service, on the other hand, is a type of investment management service where the portfolio manager makes investment recommendations to the client, but the client retains ultimate decision-making authority for each transaction. In this type of service, the portfolio manager provides investment advice and suggestions to the client, but the client must approve each transaction before it is executed.
Need for Cyber Security and Cyber Resilience Framework for Portfolio Managers
The rapid advancement of technology in the securities market highlights the importance of maintaining strong cyber security measures and implementing a cyber-resilience framework to safeguard data integrity and prevent privacy breaches. Robust cyber security and resilience are crucial components of operational risk management, especially for Portfolio Managers who must provide essential services and perform critical functions in the securities market.
Implementation Schedule for the Circular
The guidelines annexed in the circular shall be effective from 1st October 2023.
Key pointers from the ANNEXURE – 1
The portfolio managers should articulate a comprehensive cyber security and cyber resilience policy document based on the guidelines listed in the annexure.
The cyber security and cyber resilience policy should involve identifying, assessing, and managing cyber risks associated with information, processes, networks, and systems. This includes identifying critical IT assets and associated risks, protecting assets through suitable controls, detecting incidents and anomalies through monitoring tools, responding promptly to incidents, and recovering through incident management, disaster recovery, and business continuity framework.
In case of any deviations from the suggested framework, reasons/ justifications/ compensatory controls should be defined within the policy.
Best practices from standards such as ISO 27001, ISO 27002, COBIT 5, etc., should be defined at the policy level, as applicable.
A senior official in the organization should be designated as the Chief Information Security Officer (CISO).
The Board of the entity should appoint/ constitute a Technology Committee (based on technical expertise available within the organization).
The cyber security and cyber resilience policy should be approved by the Board/equivalent body of the entity.
The Technology Committee should assess and review the implementation of the controls implemented as per the cyber security and cyber resilience policy.
Roles and responsibilities of the employees, outsourced staff, or other entities having access to the Portfolio Manager's systems should be defined in the policy.
The entity should identify and classify the critical assets based on the sensitivity and criticality of the asset with respect to business operations, services, and data management. This should include the supporting assets used for accessing/ communicating with the critical systems.
An asset inventory for the hardware and systems, software, and information assets (internal/ external) should be maintained and updated consistently.
The portfolio managers should encourage the third parties/ suppliers to have similar standards of Information Security as laid out in the circular.
Access should not be provisioned/ granted based on the ranks or position of the personnel.
Access should be provisioned/ granted on a time-bound basis and for a defined purpose.
Strong password controls should be implemented for all systems with a maximum validity period.
Records of user access should be identified and logged for audit and review purposes.
The entity should restrict the number of privileged users, conduct periodic reviews of privileged user activities, and implement strong controls for remote access by privileged users.
Account lock policies after specific failure attempts should be implemented.
Two-factor authentication mechanisms should be implemented for all users connecting through online/ internet facility.
Internet access policy to regulate internet usage should be defined and documented.
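As an added example (not text or code from the circular or this article), a small Python policy check that reviews a constructed inventory of access grants against the access-control points above: a defined purpose, time-bound validity, no rank-based grants, two-factor authentication for users connecting online, and a cap on the number of privileged users per system. MAX_GRANT_DAYS, MAX_PRIVILEGED, the AccessGrant fields and the sample entries are assumptions, since the circular sets no such numbers.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
MAX_GRANT_DAYS = 90   # assumed ceiling on one grant's validity (the circular sets no number)
MAX_PRIVILEGED = 2    # assumed ceiling on privileged users per system

@dataclass
class AccessGrant:
    user: str
    system: str
    purpose: str                     # access must be for a defined purpose
    granted: datetime
    expires: "datetime | None"       # None = open-ended, which is not time-bound
    basis: str = "role"              # "rank" marks a grant made on rank/position
    privileged: bool = False
    online: bool = False             # connects through an online/internet facility
    two_factor: bool = False

def check_grant(g: AccessGrant, now: datetime) -> list:
    # Findings for one grant against the access-control points of the annexure.
    checks = [
        (not g.purpose.strip(), "no defined purpose"),
        (g.expires is None, "open-ended access (not time-bound)"),
        (g.expires is not None and g.expires - g.granted > timedelta(days=MAX_GRANT_DAYS),
         f"validity exceeds {MAX_GRANT_DAYS} days"),
        (g.expires is not None and g.expires < now, "expired grant still active"),
        (g.basis == "rank", "granted on the basis of rank/position"),
        (g.online and not g.two_factor, "online access without two-factor authentication"),
    ]
    return [msg for hit, msg in checks if hit]

def review_access(grants: list, now: datetime) -> dict:
    # Per-grant findings plus a per-system check on the number of privileged users.
    report = {(g.user, g.system): f for g in grants if (f := check_grant(g, now))}
    priv = {s: {g.user for g in grants if g.privileged and g.system == s} for s in {g.system for g in grants}}
    for system, users in priv.items():
        if len(users) > MAX_PRIVILEGED:
            report[("*", system)] = [f"{len(users)} privileged users exceed ceiling {MAX_PRIVILEGED}"]
    return report

# Constructed sample inventory for a hypothetical order-management system "OMS".
NOW = datetime(2023, 10, 15)
SAMPLE = [
    AccessGrant("analyst1", "OMS", "Q3 rebalancing", datetime(2023, 10, 1), datetime(2023, 10, 31), online=True, two_factor=True),
    AccessGrant("director", "OMS", "", datetime(2023, 1, 1), None, basis="rank", privileged=True),
    AccessGrant("admin1", "OMS", "patching", datetime(2023, 9, 1), datetime(2023, 9, 30), privileged=True, online=True),
    AccessGrant("admin2", "OMS", "DB maintenance", datetime(2023, 10, 1), datetime(2023, 12, 1), privileged=True),
]
```

Running `review_access(SAMPLE, NOW)` flags the rank-based open-ended grant, the expired grant used online without two-factor authentication, and the system with three privileged users, while the clean analyst grant produces no finding.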
Network Security Management:
The portfolio managers should define and establish baseline standards of security configurations to operating systems, databases, network devices and enterprise mobile devices within the IT environment of the entity.
Assessment of the configuration’s implementation, as per the baseline standards, should be conducted periodically.
Firewalls, IDS and IPS should be implemented.
Anti-virus should be implemented on servers and endpoints of the organization.
Security of Data:
Data-in-motion and data-at-rest should be encrypted using AES, RSA, SHA-2, etc.
Portfolio Managers should allow only authorized data storage devices through appropriate validation processes.
Hardening of Hardware and Software:
Only hardened hardware/ software should be deployed by the Portfolio managers.
Open ports should be minimized by blocking those not required, and the ports that must remain open should be monitored.
Application Security and testing:
Regression testing should be conducted prior to the implementation of new or modified systems. The testing should cover stress load scenarios and recovery conditions.
Portfolio Managers must establish patch management procedures that identify, categorize, and prioritize security patches. They should also set implementation timeframes for each category of a security patch to ensure timely implementation.
Patching calendar including the timelines, based on the categorization and prioritization of security patches should be established.
The patches should be tested before deployment into the production systems.
Disposal of systems and storage devices:
A policy for the disposal of systems and storage devices should be defined.
The data/information on such devices and systems should be removed using methods such as wiping/cleaning/overwriting, degaussing, and physical destruction, as applicable.
Periodic VAPT of the critical assets and infrastructure components like servers, networking systems, security devices, load balancers, and other IT systems should be conducted at least once a year.
The VAPT should be conducted by CERT-In empaneled entities.
The final VAPT report should be submitted to SEBI within 1 month of completion of VAPT activity.
Gaps identified in the VAPT should be remediated, and the remediation status submitted to SEBI within 3 months of submission of the final VAPT report.
VAPT should be done prior to the commissioning of a new system in the environment.
Monitoring and detection
Appropriate security monitoring systems and processes should be implemented to facilitate monitoring of security events and timely detection.
Attacks on systems and networks should be detected in a timely manner.
Mechanism to monitor capacity utilization should be implemented.
Response and recovery
The response and recovery plan of the Portfolio Manager should aim at the timely restoration of the systems affected by cyber-attack incidents.
The Recovery Time Objective (RTO) and Recovery Point Objective (RPO) of the systems should not be more than 4 hrs and 30 mins, respectively.
Suitable periodic drills to test the adequacy and effectiveness of the response and recovery plan should be conducted.
Cyber-attacks, threats, cyber-incidents, and breaches that are experienced should be reported to SEBI within 6 hours of noticing/detecting the incident.
Security awareness training programs comprising the information security policies and standards should be conducted.
The training programs should be reviewed and updated as per the current and relevant standards.
Systems audits by an independent CISA/CISM qualified or CERT-In empaneled auditor should be conducted on an annual basis.
Vendors or service providers
Ownership of outsourced activities lies primarily with the portfolio manager.
The portfolio manager should have an appropriate monitoring mechanism, through a clearly defined framework, to ensure that all the requirements specified in this circular are complied with.
In conclusion, the Securities and Exchange Board of India (SEBI) has issued a circular requiring portfolio managers with assets under management of INR 3000 crore or more under discretionary and non-discretionary portfolio management services to comply with the provisions of Cyber Security and Cyber Resilience. Portfolio managers play a crucial role in managing investment portfolios on behalf of clients, and their goal is to maximize returns while minimizing risk by diversifying the portfolio across various asset classes. Discretionary portfolio management is where the portfolio manager has full authority to buy and sell securities on behalf of the client without needing their approval for each transaction. Non-discretionary portfolio management service, on the other hand, is a type of investment management service where the portfolio manager makes investment recommendations to the client, but the client retains ultimate decision-making authority for each transaction.
The circular emphasizes the need for a strong cybersecurity and cyber resilience framework to safeguard data integrity and prevent privacy breaches, given the rapid advancement of technology in the securities market. The circular also provides guidelines for portfolio managers to articulate a comprehensive cybersecurity and cyber resilience policy document based on the guidelines listed in the annexure. The key pointers from the annexure include governance, identification, access control, network security management, and security of data. The circular will be effective from 1st October 2023.
In summary, the circular is a significant step in ensuring that portfolio managers have a robust cybersecurity and cyber resilience framework in place to manage their clients' investment portfolios. The guidelines provided in the annexure will help portfolio managers to identify and classify critical assets, establish strong access controls, implement network security management, and ensure the security of data. By complying with the provisions of Cyber Security and Cyber Resilience, portfolio managers can provide essential services and perform critical functions in the securities market while minimizing risks and maximizing returns.