New Cyber Security Framework for IFSC Regulated Entities

Transforming Financial Services in IFSC

OVERVIEW

  • IFSCA has issued guidelines to strengthen Cyber Security and Cyber Resilience for Regulated Entities (REs) in IFSCs.
  • The guidelines protect IT systems, secure data, ensure service availability, and strengthen operational resilience through clear governance, robust frameworks, and mandatory audits.

FIVE PILLARS OF IFSCA CYBER SECURITY

  • Governance emphasizes clear roles and responsibilities, with oversight by senior management to drive cyber risk management.
  • The Cyber Security & Resilience Framework safeguards IT assets by ensuring Confidentiality, Integrity, and Availability (CIA) and outlining processes to manage cyber incidents.
  • Third-Party Risk Management mandates REs to monitor external partners and ensure compliance with cyber security standards.
  • Communication & Awareness mandates regular staff training and the establishment of clear reporting channels for cyber incidents.
  • Audit requires annual independent assessments to verify compliance, with reports submitted to IFSCA within 90 days of the financial year-end.

CYBER FRAMEWORK REQUIREMENTS

  • Regulated Entities (REs) must appoint a Chief Information Security Officer (CISO) or a senior designated officer to oversee cyber risk management.
  • They are required to establish a comprehensive Cyber Security Framework to detect, respond to, and recover from cyber incidents.
  • Additionally, annual Vulnerability Assessment and Penetration Testing (VAPT) must be conducted to identify and mitigate potential risks.

THIRD-PARTY RISKS & INCIDENT REPORTING

  • REs must regularly review third-party vendors, especially those handling critical systems, to identify and mitigate vulnerabilities.
  • In case of a cyber incident, mandatory reporting to the IFSCA is required within 6 hours of detection.
  • Additionally, REs must submit a root-cause analysis report within 30 days and implement necessary mitigation measures within 7 days.

EXEMPTIONS & DEADLINES

  • Exempted entities include branches of regulated entities, GICs, entities with <10 employees, and foreign universities in IFSCs.
  • Exempted entities must adopt the parent entity’s Cyber Security Framework and submit compliance certification within 90 days of the financial year-end.
  • The guidelines are effective for 3 years from the date of issuance.

CONCLUSION

  • The IFSCA’s Cyber Security and Cyber Resilience Guidelines reflect a proactive approach to safeguarding the financial ecosystem within IFSCs.
  • These guidelines strengthen operational resilience and mitigate evolving cyber threats through governance, robust frameworks, third-party oversight, and audits.
  • Balancing compliance and exemptions ensures a flexible, secure environment, strengthening IFSCs’ position as a trusted global financial hub.