The International Financial Services Centres Authority (IFSCA) has issued guidelines on Cyber Security and Cyber Resilience (CSCR) for Regulated Entities operating in IFSC. The guidelines have been issued keeping in mind the ability of financial entities to protect their IT systems from being compromised by threats. Cyber Security is considered not just a necessity but a foundational pillar for ensuring the stability, resilience, and credibility of the financial services offered within the GIFT IFSC.
Key highlights of the guidelines are mentioned below:
- Regulated Entities (REs) to have adequate governance mechanisms, with a clear set of roles and responsibilities to manage cyber risk.
- REs to ensure that their Governing Board and senior management possess sufficient expertise and knowledge to effectively understand and manage cyber risk.
- REs to appoint a Chief Information Security Officer or, alternatively, designate a senior employee/management personnel to assess, identify and reduce cyber security risks, etc.
- REs to formulate the Cyber Security and Cyber Resilience Framework (CSCRF) to maintain the Confidentiality, Integrity and Availability of their IT assets.
- REs to also formulate an Information Security (IS) Policy as part of their CSCRF with the following basic principles:
  - Identification and classification of IT Assets.
  - Protection of IT Assets.
  - Managing access rights to IT Assets.
  - Physical security of IT Assets.
  - Conducting Vulnerability Assessment and Penetration Testing (VAPT) in the IT environment for critical systems, infrastructure components and others.
  - Recovery policies and procedures.
  - Development and implementation of processes for preventing, detecting, analysing and responding to cyber incidents.
  - Audit trail.
- REs to adopt a collaborative security approach with their third-party vendors/external partners. In addition, REs shall also adopt a risk-based approach for the periodic review of their third-party vendors/external partners.
- REs to get their cyber risks audited on a periodic basis by a CERT-In empanelled auditor or by an Independent Auditor having certification as specified in the circular mentioned herewith.
- REs to report the particulars of a cyber incident within six (6) hours of detection of the incident to the Authority at cyber-incidents@ifsca.gov.in, with a copy to the CISO. Additionally, REs to submit an interim report within 3 days, followed by a detailed root cause analysis report within 30 days.
- The following REs are exempted from the above guidelines, subject to the fulfilment of the conditions specified in the circular:
  - REs operating in the form of a branch of a regulated Indian or foreign entity.
  - REs providing services to their group entities only, e.g. Global In-House Centres (GICs).
  - REs which have fewer than 10 employees.
  - Foreign universities set up in IFSCs.
For ease of reference, please refer to the circular hyperlinked below.
Source: IFSCA