
News

PFRDA Updates Cybercrime Reporting Requirement For REs Under Cyber Security Policy Guidelines

The PFRDA issued updated cyber incidents reporting guidelines for regulated entities and intermediaries, directing them to report the incidents via mail to PFRDA

[Image caption: PFRDA rules about cyber incident reporting. Photo: AI]
Summary of this article

  • PFRDA mandates that cyber incidents be reported to the authority via email.

  • Regulated entities and intermediaries need to report a cyber incident within six hours to CERT-In and PFRDA.

  • They are also mandated to send cyber incident reports to PFRDA quarterly and annually.

The Pension Fund Regulatory and Development Authority (PFRDA) issued updated instructions for regulated entities (REs) and intermediaries on January 15, 2026, regarding the reporting of cybercrime-related incidents. PFRDA has directed PoPs to report it to the authority via email as well. It read, “In addition to reporting to CERT-IN (in case of any Cyber-incident), all PoPs, including APY-SPs and Non-Individual RAs shall mandatorily report cyber incidents mentioned in the Guidelines dated 1st August 2024 to the PFRDA at reports-pop-@pfrda.org.in with the subject ‘Reporting of Cyber Incident’ in accordance with the reporting timeline and format outlined in the said Guidelines. Additionally, category I PoPs shall also be required to submit the report on the cyber incidents to PFRDA on a quarterly basis, along with the details of remedial actions taken.”

In August 2024, PFRDA issued detailed guidelines on the subject “Information & Cyber Security Policy Guidelines-2024 for intermediaries/Regulated Entities (REs).” The circular dated August 1, 2024, directed all Points of Presence (PoPs) to mandatorily report cyber incidents to PFRDA as per the guidelines, in addition to reporting them to the Indian Computer Emergency Response Team (CERT-IN).

As per the 2024 circular, REs and intermediaries are classified as Category I and Category II.

Category I REs And Intermediaries:

These comprise pension funds, central recordkeeping agencies (CRAs), and pension funds that are registered as PoPs.

Category II REs And Intermediaries:

Category II consists of PoPs, including Atal Pension Yojana Subscriber Portal (APY-SPs), Trustee Bank, Custodian, and RAs, excluding individuals.

Cyber Incidents Reporting Requirements Guidelines For REs And Intermediaries

Per the 2024 guidelines, REs must mandatorily report cyber incidents to CERT-In and PFRDA within six hours of noticing the incident themselves or of its being brought to their notice by anyone else.

For Category I REs, all incidents, including data breaches, data leaks, malicious activities affecting cloud computing, malicious code attacks, etc., along with the remedies taken, should be reported to CERT-IN and PFRDA on a quarterly basis. In addition, any incident which, in the RE’s opinion, can affect subscribers or other stakeholders should be reported to PFRDA within 48 hours of its occurrence. Besides this, an annual compliance report should be sent to PFRDA within 30 days of the close of the FY.

For Category II REs, the annual compliance report needs to be sent within 30 days of the close of the FY. The report should contain a certification by the compliance officer that the cyber incidents have been reported to the principal regulator, such as the Reserve Bank of India (RBI), Securities and Exchange Board of India (Sebi), Insurance Regulatory and Development Authority of India (IRDAI), and National Housing Bank, according to the guidelines, and that cybersecurity audits have been conducted as per the guidelines and remedial actions have been taken.
