The Pension Fund Regulatory and Development Authority (PFRDA) released comprehensive Information and Cybersecurity Policy Guidelines – 2024 to ensure robust protection of IT infrastructure and sensitive data handled by regulated entities (REs) such as Central Recordkeeping Agencies (CRAs), Pension Funds, Point of Presence (POPs), custodians, trustee banks, and retirement advisors. These guidelines aim to fortify systemic resilience against increasing cyber threats and support the integrity of the National Pension System (NPS) architecture.
Objective and Scope
Given the rising sophistication of cyber-attacks and the growing reliance on technologies like cloud, APIs, mobile apps, and AI, PFRDA emphasizes a structured, risk-based cybersecurity framework. The guidelines consolidate earlier instructions and are aligned with relevant laws such as the IT Act, 2000, and the Digital Personal Data Protection Act, 2023. The policy also provides a benchmark for audits and assessments by internal and third-party agencies.
Applicability and Categorization
REs are categorized into:
- Category I: CRAs and Pension Funds (including those acting as POPs) – full policy applies.
- Category II: Other POPs, Trustee Bank, Custodian, Retirement Advisors (excluding individuals) – policy applies unless they comply with cybersecurity rules of principal regulators like SEBI or RBI. However, they must still report incidents per Section 4.5.
Core Cybersecurity Components
The guidelines are structured around six pillars:
- Governance: Establishment of an Information & Cybersecurity Risk Management Committee (ICSRM), led by a Chief Information Security Officer (CISO), to oversee implementation, audits, and awareness campaigns.
- Identify: Threat assessments, asset inventories, risk classification, and clock synchronization with the National Informatics Centre (NIC) NTP service. Third-party service providers must also comply with equivalent standards.
- Protect: Detailed safeguards include access controls, encryption, DDoS protection, secure APIs, Wi-Fi segmentation, VPNs, patch and antivirus management, and endpoint security. Secure mail systems, robust password policies, remote access control, application security, mobile app hardening, and secure SDLC are mandated.
- Detect: REs must maintain log storage for 180 days and establish a Security Operations Centre (SOC), either internally or through managed services, for real-time monitoring.
- Respond: Mandates a Cyber Crisis Management Plan (CCMP) and an Incident Response framework. REs must classify incidents, contain breaches swiftly, notify PFRDA and CERT-In within six hours, and communicate the impact to affected stakeholders where applicable.
- Recover: Requires a Business Continuity Plan (BCP) and Disaster Recovery (DR) plan with bi-annual DR drills, encrypted backups, and secure failover protocols. Backups must be tested regularly to ensure readiness.
Audits and Reporting
- External cybersecurity audits by CERT-In empanelled auditors are mandatory annually, and internal audits must be conducted at least bi-annually.
- Cyber incidents like unauthorized access, DDoS attacks, data breaches, ransomware, IoT compromise, or phishing must be reported to CERT-In and PFRDA within six hours.
- Category I REs must submit quarterly and annual compliance reports; Category II must submit annual declarations and confirm alignment with their principal regulators’ policies.