Regulatory Standards 2 – COMPASS by CyRAACS

Security and Exchange Board of India (SEBI)

SEBI has issued a circular outlining cyber security best practices for entities regulated by it. These include robust data protection and backups, regular backups testing, Firewalls, intrusion detection and prevention systems, and access controls. Overall, the aim is to enhance cybersecurity posture, safeguard sensitive data, and prevent cyber threats.

SEBI has recently introduced a cybersecurity framework specifically for portfolio managers. This mandates rapid reporting of cyber incidents (within 6 hours), response and recovery plan for affected systems, enhanced cybersecurity posture for portfolio managers, and protection of client data and investments.

SEBI has also introduced a cybersecurity framework specifically for Asset Management Companies (AMCs). This framework aims to enhance the cybersecurity posture of AMCs and ensure the security and integrity of client data and investments. The key requirements include regular vulnerability assessments and penetration testing, multi-factor authentication and encryption of sensitive data, regular security awareness training for employees.

NSDL, or National Securities Depository Limited, is a depository registered with SEBI. It is responsible for holding and maintaining securities such as shares, bonds, and mutual funds in an electronic form. Key functions are maintaining and holding securities electronically, facilitating securities transaction settlement, and maintaining ownership records.

SEBI requires AMCs to conduct regular system audits to ensure the security, integrity, and availability of their IT infrastructure. The key aspects include network security review, data protection evaluation, disaster recovery plan assessment, compliance verification. The main aim is to safeguard client data and investments.

Reserve Bank Of India (RBI)

The RBI (Reserve Bank of India) has issued a set of “Master Directives” for NBFCs (Non-Banking Financial Companies). They establish requirements for liquidity coverage, Risk management, asset classification, loan-to-value ratio. These guidelines aim to promote safe and sound operation of NBFCs, and protect consumers, investors, and the financial system.

RBI requires Payment System Operators (PSOs) to store payments data within India for a minimum of two years. This enhances payments system security and stability. The data should be stored in a secure and easily retrievable manner, with strict access controls to prevent unauthorized access or tampering.

RBI MD NBFC IT Governance is a set of guidelines for IT governance in Non-Banking Financial Companies (NBFCs) in India, issued by the Reserve Bank of India (RBI). This covers areas like IT infrastructure, security, continuity planning and aims to safeguard data, prevent cyber attacks, ensure business continuity.

Digital Payment Security Controls (DPSC) are measures to keep electronic transactions safe, including encryption, fraud detection, and authentication methods. The goal is to prevent unauthorized access to financial data and protect against cyber threats, ensuring secure online transactions.

SAR (System Audit Report) IS Audit Payment Systems 1325 + Account Aggregator is a comprehensive audit that covers a variety of compliance and risk management areas related to payment systems and account aggregation. This audit involves examining governance and risk management processes, ensuring safe and secure operations, complying with industry standards and regulations. It even helps identify and mitigate risk in payment systems and account aggregation.

E-Sign Audit Requirements refer to the requirements for electronic signatures to be valid and legally binding. They include, a record of the date and time of the signature, confirmation that the person signing was verified, a record of any changes made to the document during or after signing, the IP address of each signer. These requirements help to ensure the authenticity and integrity of the electronic signature, which is important for legal and compliance purposes.