
IFSCA’s Cybersecurity and Resilience Guidelines for Regulated Entities

Writer: GDV Consultancy



As cyber threats continue to grow in sophistication, the International Financial Services Centres Authority (IFSCA) has issued new Cybersecurity and Cyber Resilience Guidelines for regulated entities (REs) operating in the GIFT IFSC. These guidelines aim to ensure that financial institutions adopt robust cybersecurity measures to safeguard IT infrastructure, protect sensitive data, and maintain trust in the jurisdiction.


With financial institutions becoming prime targets for cybercriminals, IFSCA’s new guidelines mark a crucial step toward fortifying cyber defenses in the GIFT IFSC. By implementing these measures, REs can enhance resilience, mitigate risks, and ensure secure financial operations in the international market.


Key Components of the Guidelines

The guidelines are structured into five main categories:

1. Governance

  • REs must have strong governance mechanisms with clear roles and responsibilities for cyber risk management.

  • Establishment of an Oversight Body, which may include the Governing Board, senior management, and cybersecurity-focused committees.

  • Appointment of a Chief Information Security Officer (CISO) or a designated senior officer to oversee cybersecurity risks and implementation.

2. Cybersecurity and Resilience Framework

  • REs must develop a Cybersecurity and Resilience Framework ensuring Confidentiality, Integrity, and Availability of IT assets.

  • The framework should outline cybersecurity objectives, define cyber risk appetite, and establish protocols for cyber incidents.

  • Regular risk assessments and security audits must be conducted to keep cybersecurity measures up to date.

3. Third-Party Risk Management

  • REs must adopt a risk-based approach to assess and monitor third-party service providers handling critical operations.

  • Audits and security assessments of high-risk third-party vendors must be conducted every six months.

  • Clear contractual obligations should be set for cybersecurity compliance by third parties.

4. Communication and Awareness

  • Employees should undergo regular cybersecurity training, covering phishing threats, social engineering, and incident reporting.

  • Establishment of a clear reporting mechanism for employees to report potential cyber incidents.

5. Audit Requirements

  • REs must undergo an annual cybersecurity audit conducted by a CERT-In empanelled auditor or professionals holding recognized security certifications like CISA, CISM, GSNA, or CISSP.

  • The audit report must be submitted to IFSCA within 90 days of the financial year-end.

  • REs registered as Broker Dealers or Depository Participants can submit the same audit report used for Market Infrastructure Institutions.

Exemptions and Special Considerations

Certain entities are exempt from these guidelines, including:

  • Branches of regulated Indian or foreign entities.

  • Global In-House Centres (GICs) providing services only to their parent entity.

  • Entities with fewer than 10 employees.

  • Foreign universities operating within IFSCs.

However, these exempted entities must comply with their parent entity’s cybersecurity framework, and their CISO will act as the designated officer for IFSC compliance.

