On Mar. 10, 2025, IND IFSCA finalized Guidelines on cyber security and cyber resilience for regulated entities in IFSCs, to be effective from Apr. 1, 2025.
The Guidelines include exemptions that apply for a period of three years, i.e. until Apr. 1, 2028.
On Sep. 28, IND IFSCA issued a proposal on principle-based guidelines.
IND IFSCA issued a consultation paper on principle-based guidelines on cyber security and cyber resilience for all regulated entities (REs) in IFSC, which outlines a proposal for principle-based guidelines to ensure stability, resilience, and credibility.
Guidelines focus on proportionality based on the scale, complexity, and cyber risks of REs.
Proposed Guidelines
Establish clear governance roles for managing cyber risk, including the governing body, IT strategy committees, CEO, CISO, CTO, IT steering committees, and chief risk officer.
Senior official must oversee cybersecurity processes and manage cyber risks.
Develop a framework to ensure confidentiality, integrity, and availability of data assets; it should cover security objectives, risk tolerance, threat management, and periodic review.
Information security policy shall establish a comprehensive approach that includes the identification and classification of information assets and business functions.
It shall also cover implementation of security controls based on the threat landscape, and enforcement of access controls using the principle of least privilege with robust authentication.
In addition, it shall cover physical security and recovery mechanisms for IT assets, incident management processes, and maintenance of audit trails.
Third-party risk management involves forming agreements with third parties on data security and incident reporting, while conducting continuous audits and reviews.
Provide regular cybersecurity training for employees on topics like phishing awareness and incident reporting; create accessible channels to report suspicious activities.
Conduct periodic auditing of governance, systems, and processes related to cyber risks by independent auditors; audit frequency and focus shall match the entity’s risk profile.
Consultation End
The consultation is open for comments until Oct. 19, 2024.