The Pension Fund Regulatory and Development Authority (PFRDA) has taken a decisive step to strengthen India’s cybersecurity framework within the pension and financial ecosystem. In its latest circular, PFRDA/2025/05/ICS/01, issued on September 4, 2025, it lays out a clear structure for how regulated entities (REs) and intermediaries should classify, prioritize, and respond to cybersecurity incidents. This circular is an extension of the Information & Cyber Security Policy Guidelines – 2024, which first introduced the baseline framework for cyber-incident and response management under PFRDA’s supervision. 

The 2025 circular goes a step further by filling a crucial gap: “Setting up how cybersecurity events are classified and which ones need to be handled first.”

Why PFRDA 2025 Cybersecurity Guidelines Matter?

PFRDA oversees the retirement and pension sector. These domain deals with sensitive financial and personal data of millions of citizens. As the digital exposure of pension intermediaries increases, the risk of cyberattacks targeting fund management systems, investor data, and transaction platforms has grown sharply.

Until now, while firms had internal cybersecurity protocols, there was no standardized approach to classify incidents based on severity or impact. This inconsistency often delayed response times and made it difficult to prioritize remediation.

With speed being a strong weapon for hackers, the new guidelines address this by introducing a 4-type classification model – Critical, High, Medium, Low. This classification will help organizations to assess incidents not by convenience or order of detection, but by business impact, system disruption, and the recovery effort required, which is more effective in winning against our advanced enemies.

Core Objectives of the PFRDA 2025 Cybersecurity Guidelines

The PFRDA 2025 cybersecurity circular establishes several key objectives that all intermediaries and regulated entities must align with:

Standardized Classification

Creating clear severity levels for cyber incidents so all pension intermediaries and regulated entities interpret them the same way..

Impact-Based Prioritization

Handling incidents based on their business impact and disruption level, not in the order they occur.

Incident Response Consistency

Improving incident response by setting clear categories and quick escalation steps.

Operational Continuity

Making sure every regulated entity can keep critical functions running during cybersecurity incidents.

Regulatory Accountability

Emphasizing that regulated entities are legally required to report and respond under Section 14 of the PFRDA Act, 2013.

The Four-Tier Cybersecurity Incident Classification Framework

PFRDA’s 2025 cybersecurity guideline circular categorizes incidents into four classes: Critical, High, Medium, and Low. Each level is defined by specific parameters related to impact, data exposure, system compromise, and potential reputational or financial damage.

Critical Cyber Incidents

Those cyber incidents that pose an immediate and significant threat to business continuity, financial stability, or sensitive data integrity.

Examples include:

• Successful Denial-of-Service (DoS) attacks with substantial operational disruption.
• Ransomware infections that encrypt core data or systems.
• Exfiltration of confidential or sensitive customer data.
• Widespread data corruption that disrupts normal service delivery.
• Any incident with a serious financial, reputational, or compliance risk to the organization.

Action Required:

In such cases, activate the emergency response immediately and notify top management, PFRDA, and the incident response teams. Start business continuity and disaster recovery plans without delay. Cybersecurity firms like Kratikal can help you in this aspect.

High-Severity Cyber Incidents

These are cyber incidents that compromise security controls or data confidentiality but cause limited or temporary disruption to operations.

Examples include:

• Attempted DoS attacks that are detected early.
• Widespread presence of new malware strains not recognized by existing antivirus solutions.
• Unauthorized access to servers, network devices, or configuration changes.
• Data exfiltration attempts, large volumes of phishing emails, or outbound phishing activity originating from the organization’s domain.
• Events posing moderate reputational or financial risks.
  

Action Required:

Quickly contain the incident and begin a forensic investigation. System administrators must patch the exploited vulnerabilities, review logs, and invest in VMDR platforms like AutoSecT to prevent it from happening again.

Medium-Severity Cyber Incidents

These are those cyber-incidents that indicate possible vulnerabilities or targeted reconnaissance with minimal operational disruption.

Examples include:

• Reconnaissance scans or target mapping attempts.
• DoS attempts with no measurable business impact.
• Isolated phishing incidents where employees clicked malicious links but no data loss occurred.
• Limited presence of new or known malware handled by antivirus tools.
• Small-scale data modification or corruption events.

Action Required:

Monitor and analyze medium-severity incidents regularly. Record and track them to spot patterns that could lead to bigger attacks, and reinforce awareness among teams. Investing in a good VMDR platform that can continuously scan multiple assets and deliver real-time results in a single customised dashboard helps in this aspect.

Low-Severity Cyber Incidents

Cyber events that involve minor or background threats that pose negligible risk to system integrity or availability fall under this category.

Examples include:

• System probes or external scans with no follow-through.
• Threat intelligence reports indicating potential vulnerabilities.
• Alerts about compromised usernames or passwords.
• Isolated malware detections are automatically remediated by antivirus tools.

Action Required:

Document and close the incident as per standard operating procedures (SOPs), while ensuring the data is retained for future event correlation.

An Exception – Cross-Category Rule: Business Disruption Equals High or Critical

PFRDA clearly states that any cyber incident causing system disruption, stoppage, or abnormal operations must be classified as High or Critical, regardless of technical details. This highlights that classification should be based on business impact, not just technical causes.

PFRDA 2025 Cybersecurity Guidelines: Shift from Detection-Driven to Impact-Driven Response

One of the most transformative aspects of the circular is its departure from the traditional “first-come, first-served” response model. Under the new approach, regulated entities must evaluate:

• Potential business impact (financial loss, customer trust erosion, or regulatory exposure).
• Estimated recovery effort, not just ease of containment.
• Future repercussions if the incident remains uncontained.

This risk-based prioritization aligns with global cybersecurity standards such as NIST’s Cybersecurity Framework, emphasizing resilience and risk-informed incident management rather than reactive patching.

PFRDA 2025 Cybersecurity Guidelines: Practical Implications for REs

Implementing these guidelines will require both organizational and technical changes, starting with –

Policy Integration

Update existing information security policies to include the four-tier classification system and defined escalation process.

Incident Response Playbooks

Create clear playbooks for each severity level, outlining response timelines, responsible teams, communication channels, and post-incident review steps.

Continuous Monitoring

Use AI-driven VMDR platforms to automatically detect, log, and categorize events as well as provide effective AI-based patch recommendations.

Training and Awareness

Train IT, compliance, and operations staff to identify and escalate incidents correctly.

Reporting and Audit Trails

Maintain verifiable records of incident detection, response, and closure to show compliance during audits.

Third-Party Oversight

Ensure that outsourced IT and cloud providers follow the same incident classification and reporting standards.

PFRDA 2025 Cybersecurity Guidelines: Strengthening Operational Resilience

The circular repeatedly references “operational resilience and continuity of critical functions.” This phrase emphasizes PFRDA’s expectation that cyber-resilience be viewed as an organizational capability instead of a technical checklist. To achieve this, entities should implement:

• Business Impact Assessments to quantify downtime tolerance and prioritize assets.
• Business Continuity Plan(BCP) and Disaster Recovery (DR) drills aligned with critical and high-severity scenarios.
• Periodic tabletop exercises simulating ransomware, DDoS, or insider data-exfiltration events.
• Communication protocols ensure that regulatory authorities and affected stakeholders are notified swiftly and accurately.

By enforcing these measures, PFRDA aims to foster a culture of preparedness, ensuring the pension ecosystem can absorb and recover from cyber shocks without compromising investor trust.

As a Takeaway

PFRDA’s 2025 Cybersecurity Guidelines Classification will help India’s regulated financial and pension ecosystem to strengthen its cybersecurity framework. By institutionalizing a structured, impact-oriented classification and response model, the PFRDA ensures that every stakeholder, including fund managers, custodians, central recordkeeping agencies, and service intermediaries, shares a unified understanding of cyber risk severity. And for organizations that manage the retirement futures of millions, following these guidelines enhances the trust, accountability, and security quotient a lot more.

FAQs