Things You Probably Wonder
The SEBI circular requires portfolio managers to implement a robust cyber security and cyber resilience framework to protect the integrity of data and ensure the continued performance of critical functions in the securities market. The circular includes guidelines on governance, protection, detection, response, and recovery from cyber threats.
All portfolio managers with assets under management (AUM) of INR 3000 crore or more, under both discretionary and non-discretionary portfolio management services, are required to comply with the provisions outlined in the SEBI circular.
The framework includes the identification of critical IT assets, protection through suitable controls, detection of incidents, response to cyber-attacks, and recovery using disaster recovery and business continuity planning. It also emphasises the importance of governance, periodic audits, and training.
The guidelines from the SEBI circular become effective on October 1, 2023. Portfolio managers are expected to have the necessary processes and systems in place by this date.
Portfolio managers must report any cyber-attacks, threats, or breaches to SEBI within 6 hours of detection. Additionally, they must submit quarterly reports on cyber incidents and measures taken to mitigate them. The reports should be shared through the dedicated email addresses provided by SEBI.