India’s International Financial Services Centres (IFSCs), particularly GIFT City, are emerging as global financial hubs, attracting diverse international players. The International Financial Services Centres Authority (IFSCA) issued comprehensive guidelines on March 10, 2025, to bolster cyber security amid rising threats to financial stability.
These guidelines mandate Regulated Entities (REs) to implement robust frameworks, with proportionality based on operations scale, complexity, and risks.
IFSC and IFSCA Overview
IFSCs operate as special economic zones offering tax incentives and unified regulation for financial services such as banking, insurance, and securities. GIFT City in Gujarat hosts most of this activity and is regulated solely by IFSCA under the International Financial Services Centres Authority Act, 2019.
IFSCA unifies oversight across sectors, promoting innovation while ensuring compliance with global standards. REs include entities licensed by IFSCA, such as Broker Dealers, Clearing Members, Asset Management Companies (AMCs), Portfolio Management Services (PMSs), Alternative Investment Funds (AIFs), and Registered Investment Advisers (RIAs).
As cyber threats evolve with IFSC growth, these guidelines protect IT systems, data, and operations from breaches, fraud, and disruptions.
Purpose and Applicability
The guidelines aim to foster cyber resilience, enabling REs to anticipate, withstand, contain, and recover from attacks. They emphasize Confidentiality, Integrity, and Availability (CIA) of IT assets while addressing third-party risks and global client exposures.
Implementation follows proportionality: smaller entities face lighter requirements, but every RE must align its controls with its stated risk appetite. The guidelines take effect on April 1, 2025 and apply to all IFSCA-licensed REs. Certain entities are exempt for three years, conditional on operating under their parent's cyber security framework: branches of entities already regulated elsewhere, service providers serving only their own group (fewer than 10 employees), and foreign universities operating in IFSCs.
Exempt REs must have the parent's CISO certify compliance each year, within 90 days of the end of the financial year.
Governance Structure
REs must establish clear governance through an “Oversight Body”, which may be the Governing Board, senior management (MD/CEO/CISO/CTO), or a dedicated committee. This body sets the tone for cyber risk management, ensures the necessary expertise is available, and approves the framework.
A Designated Officer (CISO or equivalent senior personnel) leads risk assessment, incident response, standards, and processes. The Oversight Body oversees alignment with overall risk management.
This structure promotes accountability from the top, embedding cyber awareness across staff.
Cyber Security Framework Essentials
REs formulate a Cyber Security and Cyber Resilience Framework defining risk appetite, objectives, threats (including third-party), and requirements for people, processes, and technology. It outlines roles, communication during incidents, and periodic reviews.
The Information Security (IS) Policy, integral to this framework, covers key areas:
| Component | Key Requirements |
|---|---|
| Asset Identification & Classification | Inventory logical/physical assets; risk-assess and classify by criticality, data sensitivity, impact. |
| Protection | Align controls with NIST/ISO 27001; include hardening, network/data security, patching, disposal. |
| Access Control | Least privilege, segregation of duties; robust authentication. |
| Physical Security | Secure data centers, restricted access to servers. |
| VAPT (Vulnerability Assessment and Penetration Testing) | Testing of critical systems at least annually. |
| Recovery | Policies for business continuity, minimizing disruptions. |
| Incident Management | Define incidents; processes for prevention, detection, response, reporting to IFSCA. |
| Audit Trails | Retain logs sufficient to support business continuity, regulatory compliance, forensic investigation, and dispute resolution. |
This integrated approach ensures comprehensive threat coverage.
Third-Party Risk Management
REs set security expectations, incident reporting obligations, and standards with their vendors. A risk-based review identifies critical providers (those supporting core operations or holding system access); these are audited or reviewed every six months, and other providers as the risk warrants.
Clear escalation channels address identified gaps, and the RE retains ultimate responsibility for mitigation regardless of outsourcing. This reduces supply chain exposure in the interconnected IFSC ecosystem.
Communication and Awareness
Regular employee training covers phishing, social engineering, password hygiene, and reporting. Accessible channels enable quick suspicious activity reports.
These measures build a vigilant culture, crucial for early threat detection in fast-paced financial operations.
Audit and Compliance Requirements
Annual audits assess controls against the RE's risks. They may be performed by CERT-In empanelled auditors, certified professionals (CISA/CISM/GSNA/CISSP), or suitably experienced peers, provided the auditor has no conflict of interest with the RE. Reports go to IFSCA, through the supervising department, within 90 days of the end of the financial year.
REs such as Broker-Dealers that submit audit reports to a stock exchange must share a copy within 7 days. REs may audit more frequently where their risk profile warrants it.
CertCube Labs Pvt Ltd’s Role: As a CERT-In empanelled auditor, CertCube Labs Pvt Ltd conducts IFSCA-aligned cyber security audits for REs, verifying governance, frameworks, VAPT, and controls. Their expertise in RBI/NPCI/NABARD/IRDAI compliance extends to IFSCs, offering end-to-end assessments, gap remediation, and certification readiness—essential for GIFT City entities.
Incident Reporting Protocols
Report incidents to [email protected] (copying the RE's CISO and IFSCA) within 6 hours of detection; submit an interim report within 3 days and a root-cause analysis within 30 days, and complete mitigation within 7 days. These timelines allow swift regulatory response and limit systemic impact.
Exemptions and Conditions
Exemptions (para 21) require that the RE adopt its parent's cyber security framework, that the parent's CISO act as the Designated Officer, and that the parent's regulated scope explicitly include the IFSC unit. Annual certification is mandatory, and the exemption lapses after three years.
Implementation Roadmap
REs should assess the scale and complexity of their operations to determine the proportionate level of controls, appoint a Designated Officer, draft the framework and IS Policy by Q2 2025, and conduct a baseline VAPT and audit. The Oversight Body then approves the framework, staff are trained, and third-party arrangements are reviewed.
Best Practices from Experts: Engage CERT-In empanelled firms like CertCube Labs early for mock audits, ensuring alignment with NIST/ISO and IFSCA expectations.
Challenges and Mitigation Strategies
Challenges include increasingly sophisticated threats, third-party dependencies, and talent gaps. Mitigations such as continuous VAPT, AI-driven monitoring, and zero-trust models go beyond the guidelines' minimum requirements but strengthen resilience.
REs with high interconnectivity (for example, AMCs and AIFs) should prioritize audit trails and regular recovery testing.
Role of Certcube Labs Pvt Ltd
IFSCA requires audits by qualified, independent auditors, such as CERT-In empanelled firms, to ensure independence and expertise. CertCube Labs Pvt Ltd specializes in financial sector audits (NABARD, NPCI, IRDAI, DoT), covering IT governance, vulnerability scanning, and compliance mapping.
They provide:
- Framework gap analysis.
- VAPT execution.
- Third-party reviews.
- Incident simulation training.
- Report preparation for IFSCA submission.
For IFSC REs, CertCube ensures proportional compliance, leveraging experience in similar regulated environments.
