Understanding the IFSCA Circular on Cyber Security and Resilience

IFSCA has issued a circular on March 10, 2025, titled “Guidelines on Cyber Security and Cyber Resilience for Regulated Entities in IFSCs” effective from 1^st April 2025. This circular mandates financial institutions operating within International Financial Services Centres (IFSCs) to implement strong cybersecurity frameworks, ensuring operational integrity and protection against evolving cyber threats

Why This Circular Matters?

A Real-World Scenario

Consider a financial institution within an IFSC managing large volumes of sensitive financial transactions. Without strong cybersecurity protocols, the institution faces cyber threats, data breaches, and potential service disruptions. Recognizing these risks, IFSCA has introduced comprehensive guidelines to help regulated entities mitigate cyber threats and enhance resilience.

Key Compliance Requirements

1. Governance

Cyber Security Committee: Entities shall establish a board-level committee to oversee cybersecurity strategies and appoint a Designated Officer for implementation.

Regulatory Compliance: The committee ensures adherence to cyber risk management policies and IFSCA regulations.

2. Cyber Security and Cyber Resilience Framework

Comprehensive Cyber Security Policy: Regulated Entities (REs) shall formulate an Information Security Policy covering:

• IT asset identification and classification
• Data protection and access controls
• Physical security measures
• Vulnerability Assessment and Penetration Testing (VAPT)
• Incident Management & Audit Trails
• 24/7 Security Operations Centre (SOC): Entities shall have real-time threat monitoring via an internal or outsourced SOC.
• Business Continuity & Disaster Recovery: Institutions shall ensure operational resilience during cyber incidents.

3. Third-Party Risk Management

Due Diligence & Risk Assessment: Entities shall evaluate cybersecurity risks posed by third-party service providers.

Data Security & Incident Reporting: Clear security expectations shall be set for third-party vendors.

Critical Vendor Review:

Mandatory audits every 6 months for critical service providers. Flexible review frequency for others.

Risk Mitigation: Entities bear full responsibility for managing third-party cyber risks.

4. Communication and Awareness

Regular Cybersecurity Training: Employees shall undergo ongoing training on cybersecurity best practices and incident response protocols.

5. Audit & Compliance Reporting

Annual Cyber Security Audits: Conducted by certified professionals (CISA, CISM, GSNA, CISSP).

Report Submission: Entities shall submit audit reports to IFSCA within 90 days of completion.

Higher Risk Entities: Encouraged to conduct more frequent audits.

Market Participants (Bullion Traders, Depository Participants): Shall submit reports to Market Infrastructure Institutions (MIIs).

Cyber Incidents Reporting:

Report within 6 hours of detection to IFSCA.

Interim report within 3 days, followed by a final report within 30 days.

RE shall take mitigation measures within 7 days.

Exempted Entities

Certain entities are exempt for a period of 3 years if they follow their parent entity’s cybersecurity framework and submit annual certifications from the designated officer within 90 days of end of each financial year:

🔹 Branches of regulated Indian or foreign entities

🔹 Global In-House Centres (GICs)

🔹 Entities with fewer than 10 employees

🔹 Foreign universities operating in IFSCs

Conclusion

The IFSCA circular establishes a clear regulatory framework to enhance cyber security in financial institutions within IFSCs. By adhering to these guidelines, entities can mitigate cyber threats, ensure regulatory compliance, and strengthen operational resilience in an increasingly digital financial ecosystem.