What is the IFSCA CSCR Regulation? A Complete Guide

The International Financial Services Centres Authority (IFSCA) has issued comprehensive Cybersecurity and Cyber Resilience Guidelines to strengthen cyber risk management within regulated entities (REs) operating in International Financial Services Centres (IFSCs), including GIFT City. These guidelines, effective April 1, 2025, outline mandatory cybersecurity measures for financial institutions to ensure data protection, business continuity, and compliance with international standards.

This guide breaks down everything you need to know about these guidelines, including governance structures, risk management, and how organizations can achieve compliance.

Key Components of the IFSCA Cybersecurity and Cyber Resilience Guidelines

The guidelines are structured around five core areas:

1. Governance

Regulated entities (REs) must establish a governance structure to oversee cybersecurity policies and risk management. This includes:

  • Forming an Oversight Body consisting of the Governing Board, CEO, CISO, CTO, and compliance officers.
  • Ensuring that senior management possesses adequate expertise in cybersecurity.
  • Appointing a Chief Information Security Officer (CISO) or a Designated Officer to lead cybersecurity initiatives.
  • Fostering a cybersecurity-aware culture across all levels of the organization.

2. Cybersecurity and Cyber Resilience Measures

The guidelines require REs to develop and maintain a robust cybersecurity posture, ensuring:

  • Identification and Classification of IT Assets: Maintain an inventory of IT assets and classify them based on business criticality and data sensitivity.
  • Access Control: Implement least privilege and segregation of duties principles to prevent unauthorized access.
  • Protection Measures: Deploy security controls in line with international standards (e.g., NIST, ISO 27001).
  • Vulnerability Assessment and Penetration Testing (VAPT): Conduct annual VAPT on critical systems.
  • Incident Management: Define and implement incident response strategies, including reporting incidents to IFSCA within six hours.
  • Audit Trails: Maintain detailed audit logs to support forensic investigations and compliance reviews.

3. Third-Party Risk Management

IFSCA emphasizes that third-party vendors and service providers should adhere to the same cybersecurity standards as REs. REs must:

  • Assess third-party risks every six months for critical service providers.
  • Establish contractual obligations for data security and incident reporting.
  • Maintain a risk-based approach for vendor reviews and audits.

4. Communication and Awareness

  • Conduct regular cybersecurity training for employees on topics like phishing, social engineering, and incident reporting.
  • Establish clear reporting channels for suspicious activities.
  • Implement an internal awareness program to ensure employees stay informed about evolving threats.

5. Audit and Compliance

  • Conduct annual cybersecurity audits through CERT-In empaneled auditors or professionals with CISA, CISM, CISSP, or GSNA certifications.
  • Submit the audit report to IFSCA within 90 days after the financial year ends.
  • Implement remediation measures based on audit findings.

Compliance and Exemptions

Entities Required to Comply

All licensed, recognized, registered, or authorized entities under IFSCA must adhere to these guidelines, including:

  • Banks and financial institutions
  • Insurance companies
  • Capital market entities
  • Fund management firms
  • Other regulated financial entities in IFSCs

Exemptions (For a Limited Period)

The following entities are temporarily exempt for three years, provided they meet specific conditions:

  • Foreign banks operating as branches in IFSCs
  • Entities with fewer than 10 employees
  • Foreign universities operating in IFSCs
  • Global In-House Centres (GICs) providing services only to their parent entities

Condition for Exemption: These entities must adopt their parent company’s cybersecurity policy and designate a responsible officer for compliance.

How Zeron Can Help Organizations Comply with IFSCA Guidelines

Ensuring compliance with the IFSCA Cybersecurity and Cyber Resilience Guidelines can be a complex process. Zeron, a leader in Cyber Risk Posture Management, can assist organizations by:

  • Developing IS Policies: Crafting cybersecurity policies aligned with IFSCA standards.
  • Conducting VAPT Assessments: Identifying security gaps through penetration testing.
  • Third-Party Risk Assessments: Evaluating vendors and mitigating supply chain risks.
  • Employee Cybersecurity Training: Enhancing workforce awareness with specialized training programs.
  • Audit Preparation and Reporting: Helping organizations prepare for annual cybersecurity audits and align with IFSCA’s compliance requirements.

Zeron enables financial institutions to meet regulatory obligations while strengthening their cyber resilience against evolving threats.

Conclusion

The IFSCA Cybersecurity and Cyber Resilience Guidelines set new cybersecurity benchmarks for financial institutions in IFSCs. Compliance is not just about regulatory adherence; it enhances operational security, data protection, and business continuity.

For expert guidance on aligning with IFSCA’s cybersecurity requirements, book a demo with Zeron today and secure your organization from cyber risks.