The Pension Fund Regulatory and Development Authority (PFRDA) has issued fresh guidelines to strengthen the cybersecurity of its regulated entities (REs) and intermediaries, aimed at protecting the data and privacy of National Pension System (NPS) subscribers. According to its August 1, 2024, circular, “These guidelines will serve as a roadmap for regulated entities to effectively manage cyber-risks, protect critical assets, maintain trust and confidence”, and they set the broad standard for protecting IT infrastructure against cyber-threats.

PFRDA has classified REs and intermediaries into two categories. Category 1 comprises the central recordkeeping agencies (CRAs) and pension funds; category 2 comprises the trustee bank, the custodian, points of presence (PoPs), APY service providers (APY-SPs) and retirement advisers other than individuals.

Under the new rules, REs are required to establish a governance structure for information security management and for reducing cyber threats. The circular lays down the requirements for that governance structure or committee while giving each RE the flexibility to decide its composition according to the scale and complexity of its operations, and it prescribes a number of further governance-related requirements.
PFRDA Guidelines For Cybersecurity:
- Set up systems for risk and resource management, disaster recovery and risk identification, maintain an inventory of information assets, and implement controls to protect data, hardware and software.
- Prevent the installation and use of unauthorised software; enforce user access control, password management, endpoint security and periodic vulnerability assessments; prevent data leakage; and harden cloud infrastructure.
- Develop capabilities to detect cyber-threats, and implement processes to respond to a cybersecurity incident and restore services afterwards.
- Put in place an ‘Information Security (IS) Audit Policy’, and ensure that information systems and infrastructure adequately support business functions.
- Maintain audit trails, and mandatorily report cyberattack incidents within six hours to CERT-In (the Indian Computer Emergency Response Team) or PFRDA, the same reporting window that CERT-In’s April 2022 directions already impose on organisations in India.