PFRDA · Pensions

PFRDA Cybersecurity Framework

PFRDA's mandatory cybersecurity guidelines for National Pension System intermediaries covering threat management, data protection, incident response, and security audits for pension fund managers and service providers.

Framework overview

The Pension Fund Regulatory and Development Authority issued comprehensive cybersecurity guidelines in 2019 for all NPS intermediaries including pension fund managers, custodians, CRA, and POPs. The framework mandates board-level oversight, establishment of dedicated cybersecurity committees, implementation of ISO 27001 controls, and quarterly reporting of cyber incidents. It prescribes technical safeguards including network segmentation, encryption, multi-factor authentication, and periodic vulnerability assessments. The guidelines also require business continuity plans with RTO/RPO specifications and annual third-party security audits by CERT-In empanelled auditors.

Advantages
  • Establishes uniform cybersecurity baseline across all NPS ecosystem participants protecting Rs 8+ lakh crore of retirement savings for 6+ crore subscribers
  • Mandates board accountability and C-suite involvement through designated Chief Information Security Officers with quarterly reporting to PFRDA, ensuring top-level governance
  • Requires integration with national cyber defense infrastructure including mandatory incident reporting to CERT-In within specified timeframes
  • Prescribes specific technical controls including data masking for PRANs, TLS 1.2+ encryption, and segregated network zones reducing attack surface for pension data
  • Mandates annual IS audits by CERT-In empanelled auditors and quarterly vulnerability assessments, creating a continuous compliance verification mechanism

Gaps in implementation
  • Limited guidance on third-party vendor risk management, despite the heavy reliance of smaller POPs and aggregators on technology service providers, which leaves supply-chain risk unaddressed
  • Insufficient clarity on cloud security requirements as pension intermediaries increasingly migrate to AWS and Azure, creating interpretation challenges for hybrid deployments
  • Weak enforcement of employee background verification and insider threat programs at Point of Presence Service Providers handling subscriber onboarding
  • Absence of specific ransomware response protocols and cryptocurrency payment guidelines leaving intermediaries unprepared for modern extortion attacks
  • No mandated cyber insurance requirements or minimum coverage thresholds, unlike IRDAI norms, leaving financial risk unmitigated

Real-world Indian scenarios
  • In 2020, a POP-SP in Delhi reported unauthorized access attempts to its eNPS portal during the COVID-19 lockdown, exposing gaps in remote work security controls and leading PFRDA to issue specific work-from-home security directives to all intermediaries.
  • NSDL-CRA faced phishing attacks in 2021 targeting subscriber credentials through fake PRAN activation websites, prompting PFRDA to mandate two-factor authentication for all CRA transactions and subscriber awareness campaigns across 400+ POPs.
  • A pension fund manager detected data exfiltration attempts in 2022 during its VAPT audit, in which attackers targeted NAV calculation systems, leading to a PFRDA circular mandating air-gapped environments for critical financial computation infrastructure.

Room for improvement
  • Implement zero-trust architecture across NPS ecosystem with micro-segmentation between front-office subscriber portals and back-office fund management systems to contain lateral movement
  • Establish sector-wide threat intelligence sharing platform connecting all 10 pension fund managers, CRA, and custodian banks for real-time indicators of compromise specific to pension infrastructure
  • Deploy AI-powered behavioral analytics on PRAN access patterns to detect account takeover attempts and fraudulent withdrawal requests before fund disbursement occurs
  • Mandate regular red team exercises simulating nation-state attacks on pension infrastructure with participation from NCIIPC given critical infrastructure status of NPS
Tags: PFRDA · National Pension System · Cybersecurity · Pension Fund Managers · ISO 27001 · CERT-In

Updated 6/4/2026 · refreshed weekly