IFSCA Mandates Cybersecurity & Resilience Norms for Regulated Entities in IFSC
- Purvi Garg
- Mar 18
- 5 min read
Introduction
The International Financial Services Centres Authority (‘IFSCA’) issued guidelines[i] on 10.03.2025 on cyber security and cyber resilience for all Regulated Entities (‘REs’) operating within the IFSC, in order to safeguard the financial ecosystem. With cyber threats escalating across the world, the circular aims to strengthen the IT systems of REs against risks such as fraudulent financial transactions, breaches of sensitive data, disruption of IT infrastructure and other cyber incidents affecting the international financial hubs under the ambit of IFSCA. Cyber security is thus recognised as a foundational pillar for the stability, resilience and credibility of the financial services offered in the IFSC.
Key Features of the Guidelines
The key features of these guidelines, applicable to REs licensed, recognized, registered, or authorized by IFSCA, are summarized below:
Cyber Governance: IFSCA mandates that REs establish a robust cyber governance structure with a clear set of roles and responsibilities and the expertise and knowledge needed to manage cyber risk. This includes the creation of an ‘oversight body’ comprising stakeholders such as the governing board, senior management personnel (including the Managing Director (MD), the Chief Executive Officer (CEO), the Chief Technology Officer (CTO) and the Chief Information Security Officer (CISO)) or designated committees.
Additionally, each RE must appoint a designated officer, either CISO or senior management personnel, to carry out cyber risk assessment, identify and reduce the cyber security risks, and establish and implement standards and controls.
Cyber Security and Cyber Resilience Framework: REs are required to develop a cyber security and cyber resilience framework that ensures the confidentiality, integrity and availability of IT assets. The framework must enhance the RE’s ability to anticipate, withstand and recover from cyber-attacks, and must be periodically updated to stay aligned with evolving threats. It includes the following:
Risk Appetite and Resilience Goals: The framework must define the RE’s cyber risk appetite and resilience goals.
Roles and Responsibilities: It must clearly define the roles and responsibilities for the oversight body, the designated officer, employees and other stakeholders, with established communication protocols during cyber incidents.
Information Security (‘IS’) Policy: The REs shall establish an IS policy for cyber security and cyber resilience comprising the following:
IT Assets Identification and Classification: Conduct a risk assessment of the IT assets and maintain a detailed inventory of logical (data, software) and physical (hardware) IT assets, clearly identified and classified according to the business sensitivity of the data. This classification allows security measures to be prioritised towards mitigating the cyber risk of critical functions.
Protection Measures: Implement suitable security controls in line with international standards such as NIST and ISO 27000 to prevent cyber-attacks on business functions, IT assets and data. This covers measures such as hardening of devices, network and data security, patch management, system disposal and other policies that protect the IT assets of REs.
Access Control: REs must manage access to IT systems on the basis of the ‘need to know’ and ‘least privilege’ principles, ensuring that no unnecessary or excessive access is granted. They must also enforce strong authentication methods to ensure compliance with access control policies.
Physical Security: REs must protect the confidentiality, integrity and availability of IT assets and data by securing critical locations and restricting access to areas such as data centres and server rooms.
Vulnerability Assessment and Penetration Testing (‘VAPT’): Perform VAPT at least once a year to identify and address security weaknesses in all critical systems and IT infrastructure.
Recovery: Establish recovery policies and procedures to ensure business continuity and the recovery of IT systems in the event of a disruption.
Audit Trail: Maintain audit trails for IT assets to support business continuity and recovery needs, comply with legal and regulatory requirements, provide forensic evidence, and assist in dispute resolution.
Third-Party Cyber Risk Management: REs must adopt a collaborative and risk-based approach with external third-party vendors, clearly defining shared responsibilities for data security, incident reporting and compliance with security standards. Critical service providers must be audited. Clear communication and escalation mechanisms are also compulsory, although ultimate responsibility for third-party risks remains with the RE.
Communication & Awareness: REs must train employees regularly on cybersecurity awareness, such as phishing, social engineering, and incident reporting procedures. REs must develop reporting channels to report suspicious activities, potential cyber vulnerabilities, or incidents.
Audit: Cybersecurity audits must be conducted annually by qualified and independent auditors with relevant credentials or experience. The audit must assess the adequacy of the RE’s cybersecurity controls and their alignment with the RE’s risk profile. The audit report must be submitted to IFSCA within 90 days from the end of the financial year. If an RE is already submitting such a report to a Market Infrastructure Institution or Bullion Exchange, the same may be submitted to IFSCA within 7 days of such filing. In the event of a cyber incident, REs are required to:
- Report the incident to IFSCA within 6 hours of detection.
- Submit an interim report within 3 days.
- File a detailed root cause analysis within 30 days, and
- Implement mitigation measures within 7 days.
Exemptions: Certain REs are granted a three-year exemption from these guidelines, including branches of Indian or foreign REs, group entities, entities with fewer than 10 employees, and foreign universities in IFSCs. However, these REs shall adopt their parent entity’s cyber security and IS policies, with the parent’s CISO acting as the designated officer for the RE. Additionally, the parent entity must be regulated by a financial authority and must include the RE within its cyber framework. The designated officer must certify compliance within 90 days of the end of the financial year.
Conclusion
IFSCA’s guidelines on cyber security and resilience aim to safeguard the financial ecosystem of the IFSC by addressing the rising threats in cyberspace. These guidelines outline the necessary measures for REs to strengthen their IT systems, protect sensitive data, and ensure business continuity. Key provisions include establishing robust cyber governance, developing comprehensive cyber security frameworks, implementing stringent access controls, conducting regular vulnerability assessments, and ensuring third-party risk management. REs are required to undergo annual audits, with specific procedures for reporting cyber incidents. While certain REs, such as small entities and foreign universities, are granted exemptions, they must still comply with key aspects like adopting their parent entity’s cyber policies. Overall, the guidelines set a clear framework for enhancing the cyber resilience and security of REs, ensuring the stability and credibility of the financial services offered in the IFSC.
End Note
[i] IFSCA-CSD0MSC/13/2025-DCS, dated 10.03.2025.
Authored by Purvi Garg, Advocate at Metalegal Advocates. The views expressed are personal and do not constitute legal opinions.