The Pension Fund Regulatory and Development Authority issued a circular dated 15 January 2026 mandating enhanced reporting requirements under its Information and Cyber Security Policy Guidelines, 2024 for all Points of Presence (PoPs), APY Service Providers, and Non-Individual Retirement Advisers under NPS, NPS-Lite, and APY. The circular requires regulated entities to submit an annual cyber security compliance certificate for each financial year within 30 days of its close, in prescribed formats based on their categorisation. In addition to reporting cyber incidents to CERT-In, all such entities must now mandatorily report specified cyber incidents to PFRDA within the timelines and formats laid down earlier, while Category I PoPs must also submit quarterly cyber incident reports along with remedial actions. Category I PoPs are further required to submit their Board-approved Cyber Security Policy to PFRDA within 30 days of approval. The revised reporting framework applies from FY 2025–26 and supersedes earlier reporting norms.
Pension Fund Regulatory and Development Authority
Circular No.: PFRDA/2026/05/SUP-PoP/01 Date: 15 January 2026
To,
All Points of Presence (PoPs) under NPS, NPS-Lite and APY
All Non-Individual Retirement Advisers (RAs)
Subject: Reporting requirement under Information and Cyber Security Policy Guidelines issued by PFRDA
This has reference to Circular no. PFRDA/2024/14/ICS/01 dated 1st August 2024 on the subject “Information & Cyber Security Policy Guidelines-2024 for intermediaries/Regulated Entities (REs)” issued by the PFRDA. For the purpose of these guidelines, the intermediaries/Regulated Entities (REs) are classified into two categories: (i) Category I, consisting of Pension Funds that are registered as Points of Presence (PoPs); and (ii) Category II, consisting of Points of Presence (PoPs) including APY-SPs, and Retirement Advisers excluding individuals.
2. In compliance with the said Guidelines, intermediaries/REs (PoPs and Non-Individual RAs) shall submit the certificate of compliance as per the format enclosed as Annexure I (Category I) or Annexure II (Category II), as applicable, for the respective Financial Year (FY), within 30 days from the end of the said FY.
3. Further, in addition to reporting to CERT-In (in case of any cyber incident), all PoPs including APY-SPs and Non-Individual RAs shall mandatorily report the cyber incidents mentioned in the Guidelines dated 1st August 2024 to the PFRDA at reports-pop-@pfrda.org.in with the subject ‘Reporting of Cyber Incident’, in accordance with the reporting timeline and format outlined in the said Guidelines. Additionally, Category I PoPs shall also be required to submit a report on cyber incidents to PFRDA on a quarterly basis, along with the details of remedial actions taken.
4. Category I PoPs shall be required to submit their Cyber Security Policy, as reviewed and approved by the Board, to the Authority within 30 days of such approval by the Board of the regulated entity (RE).
5. The revised reporting format shall come into effect from the report applicable for FY 2025–26 and will supersede Circular No. PFRDA/2020/13/SUP-POP/2 dated 21st April 2020. Accordingly, all reports submitted on or after 1st April 2026 shall be required to be furnished in the revised format.
(Ashish Kumar)
Chief General Manager
Encl: Annexure I & II
Annexure I
Cyber Security Compliance Certificate for Category I PoPs for the FY ______
(To be submitted by PoP through modes as specified by the Authority from time to time within 30 calendar days from the end of the FY)
This is to certify that__________ (Name of PoP) registered vide Reg. No.______ with Pension Fund Regulatory and Development Authority (PFRDA) has:
Adopted and complied with the Information and Cybersecurity Policy approved by the Board and has adhered to the Information and Cybersecurity Policy Guidelines issued by PFRDA, for the protection of data, information, and IT systems.
Further, a Cyber Security Audit was conducted in accordance with the guidelines issued by PFRDA and all remedial actions recommended in the audit report have been duly implemented. Cyber incidents, if any, were reported to CERT-In and PFRDA, in terms of the Information and Cybersecurity Policy of PFRDA. The PoP has also submitted the report on the cyber incidents to PFRDA on quarterly basis, along with the details of remedial actions taken.
It is further submitted that the Information and Cybersecurity Policy was approved by the board on ____ and the same was last reviewed on______ . The reviewed and approved Cyber Security Policy has been submitted to PFRDA within 30 days of such approval by the Board of the regulated entity (RE).
Additionally, the details of the members of the Information and Cyber Security Risk Management Committee (ICSRM) are as mentioned below:

| S.No | Name of the Member | Designation |
|---|---|---|
| 1 | | |
| 2 | | |
| 3 | | |
| 4 | | |
| Name of CISO/Compliance Officer: | |
|---|---|
| Designation: | Signature of CISO/Compliance Officer |
| Mobile No.: | |
| Email ID: | |
| Date: | |
| Place: | |
Annexure II
Cyber Security Compliance Certificate for Category II PoPs for the FY ______
(To be submitted by the PoP/APY-SP/Non-Individual RA through modes as specified by the Authority from time to time within 30 calendar days from the end of the FY)
This is to certify that ____________ (Name of PoP including APY-SP / Non-Individual RA) registered vide Reg. No. __________ with Pension Fund Regulatory and Development Authority (PFRDA) has:
Adopted and complied with the Information and Cybersecurity Policy approved by the Board and has adhered to the Information and Cybersecurity Policy Guidelines issued by PFRDA or the respective Principal Financial Sector Regulator (RBI / SEBI / IRDAI / NHB), as applicable, for the protection of data, information, and IT systems.
Further, a Cyber Security Audit was conducted in accordance with the guidelines issued by the respective Principal Financial Sector Regulator, and all remedial actions recommended in the audit report have been duly implemented. Cyber incidents, if any, were reported to CERT-In and PFRDA, and were also reported to the respective Principal Financial Sector Regulator, wherever applicable, in terms of the Information and Cybersecurity Policy of such Principal Financial Sector Regulator.
| Name of CISO/Compliance Officer: | |
|---|---|
| Designation: | Signature of CISO/Compliance Officer |
| Mobile No.: | |
| Email ID: | |
| Date: | |
| Place: | |