International Financial Services Centres Authority (“IFSCA”), in exercise of the powers conferred under Section 12 and Section 13 of the International Financial Services Centres Authority Act, 2019, vide Circular No. IFSCA-CSD0MSC/13/2025-DCS[1] dated March 10, 2025 (“Guidelines”), issued the Guidelines on Cyber Security and Cyber Resilience for regulated entities (“REs”) in International Financial Services Centres (“IFSCs”). The Guidelines come into force on April 01, 2025.
As IFSCs evolve into global financial hubs, the Guidelines aim to protect financial entities from increasingly sophisticated cyber threats, focusing on the confidentiality, integrity and availability of IT systems, which is critical to the trust and credibility of financial services in the IFSC.
The key highlights of the Guidelines are as follows:
1. Governance
- The REs shall establish an effective governance mechanism to manage cyber risks, comprising stakeholders such as the Governing Board, senior management (including MD, CEO, CISO, CTO), and other relevant committees.
- Governing bodies and senior management shall possess sufficient expertise in cyber risk management and set the tone for a culture of awareness and vigilance across all organizational levels.
- The REs shall appoint a Chief Information Security Officer (CISO) or designate a senior employee to manage cyber risk, respond to incidents, and ensure the implementation of appropriate cybersecurity measures.
2. Cyber Security and Cyber Resilience Framework
- The REs shall formulate a Cyber Security and Cyber Resilience Framework to anticipate, withstand and recover from cyber-attacks. This framework should, inter alia, be integrated with the RE’s overall risk management strategy.
- The policy shall cover asset identification and classification, protection mechanisms, access control, physical security, vulnerability assessment, incident management, recovery procedures, and audit trails.
- The REs shall conduct Vulnerability Assessment and Penetration Testing (“VAPT”) on critical systems at least annually to identify vulnerabilities.
3. Third-Party Risk Management
- The REs shall collaborate with third-party vendors, ensuring that they adhere to the RE’s data security and cyber resilience standards. Critical third-party vendors must be assessed for security vulnerabilities every 6 (six) months.
- The responsibility to mitigate cyber risks associated with third-party vendors rests solely with the REs.
4. Communication & Awareness
- REs shall regularly train employees on cybersecurity topics such as phishing, social engineering and incident reporting.
- Clear communication channels shall be established for employees to report suspicious activities or vulnerabilities.
5. Audit
- An independent audit shall be conducted annually to assess the effectiveness of the RE’s cybersecurity framework. The audit must be performed by a CERT-In empanelled auditor or an auditor with relevant certifications such as CISA, CISM, CISSP, or equivalent.
- The REs shall submit the audit report to IFSCA within 90 (ninety) days of the financial year-end. In case of entities regulated as brokers or clearing members, the audit report can be submitted to IFSCA within 7 (seven) days after submission to the Market Infrastructure Institution/ Bullion Exchange.
6. Cyber Incident Reporting
- In the event of a cyber incident, the RE must report the incident to IFSCA (via cyber-incidents@ifsca.gov.in) within 6 (six) hours of detection.
- An interim report is required within 3 (three) days, and a detailed root cause analysis report within 30 (thirty) days.
- The RE shall implement mitigation measures within 7 (seven) days of the cyber incident.
7. Exemptions
- The following REs are exempted from the Guidelines, subject to the conditions set out below:
  - REs operating as a branch of a regulated Indian or foreign entity.
  - REs serving only their group entities (e.g., Global In-House Centres).
  - REs with fewer than 10 (ten) employees.
  - Foreign universities established in IFSCs.
- The exemption is subject to the following conditions:
  - The RE must adopt the cyber security framework and IS Policy of its parent entity.
  - The parent entity’s CISO must act as the designated officer for the RE.
  - The parent entity must be regulated by a financial-sector regulator, and its cyber security framework must cover the RE in the IFSC.
- The exemptions are valid for 3 (three) years from the issuance of the Guidelines.
- The Designated Officer of the RE shall certify that the necessary systems and processes are in place to meet these Guidelines within 90 (ninety) days of the end of each financial year.
[1] https://ifsca.gov.in/Viewer?Path=Document%2FLegal%2Fguidelines-on-cyber-security-and-cyber-resilience-for-regulated-entities-in-ifscs-1-10032025064412.pdf&Title=Guidelines%20on%20Cyber%20Security%20and%20Cyber%20Resilience%20for%20Regulated%20Entities%20in%20IFSCs&Date=10%2F03%2F2025