Cyber Security Audit Requirements for IFSC Entities FY 2025-26

Cyber Security Audit in IFSC: Who Should Conduct It, When It’s Required & How It Works [Applicable for FY 2025-26]

As GIFT IFSC continues to position itself as a globally competitive financial hub, cyber security has become a core regulatory priority rather than a purely technical function. Financial institutions operating in IFSC handle sensitive client data, execute cross-border transactions, and rely extensively on digital platforms. Any cyber vulnerability can result not only in operational disruption but also regulatory action and reputational damage.

Recognising this, the International Financial Services Centres Authority (IFSCA) has mandated structured cyber security audits for regulated entities. These audits provide independent assurance to the regulator and the governing body that the entity’s cyber security framework is robust, effective, and aligned with its risk profile.

This article explains who must conduct cyber security audits in IFSC, when they are required, by whom they must be conducted, and the regulatory expectations applicable for FY 2025-26.

What Is a Cyber Security Audit Under the IFSCA Framework?

A cyber security audit is an independent assessment of an entity’s cyber security governance, systems, policies, and technical controls. The objective is to evaluate whether adequate safeguards exist to protect the confidentiality, integrity, and availability of the entity’s information systems and data.

Unlike routine IT maintenance reviews, a cyber security audit focuses on regulatory compliance, risk management effectiveness, and cyber resilience. It examines whether the entity has implemented appropriate policies, security controls, monitoring systems, and incident response mechanisms in accordance with IFSCA guidelines and internationally recognised standards such as ISO 27001 and NIST.

These controls must be aligned with the entity’s formally adopted cyber security policy for IFSC entities, which forms the foundational governance framework under IFSCA regulations.

The audit ultimately provides assurance to the Board and senior management that cyber risks are properly identified, managed, and mitigated, and that the entity is prepared to withstand and recover from cyber incidents.

Who Is Required to Conduct Cyber Security Audit in IFSC?

Cyber security audit requirements apply to all regulated entities licensed, registered, or authorised by IFSCA. This includes a wide range of financial and service providers operating within GIFT IFSC.

The requirement typically covers:

  • Banking units operating in IFSC
  • Broker dealers and capital market intermediaries
  • Fund management entities
  • Insurance offices
  • FinTech and technology service providers
  • Ancillary service providers

The responsibility to ensure completion of cyber security audits lies with the entity’s governing body, which may include the Board of Directors, designated partners, or senior management in the case of branches.

Even in cases where certain entities are permitted to adopt the cyber security framework of their parent organisation, they are still required to ensure compliance with regulatory expectations and provide annual certification confirming adherence to the framework.

Therefore, a cyber security audit is not merely an IT function but a governance responsibility at the highest level of the organisation.

When Should Cyber Security Audit Be Conducted?

Annual Mandatory Audit

IFSCA requires regulated entities to conduct a cyber security audit at least once every financial year. For the financial year 2025-26, entities must ensure that the audit is completed and the audit report is submitted within the prescribed timeline after the end of the financial year.

This annual audit provides formal assurance to the regulator regarding the adequacy and effectiveness of cyber security controls implemented by the entity.

Entities are expected to incorporate cyber audit into their annual compliance calendar and plan the audit well in advance to allow sufficient time for remediation of any identified gaps.

Additional Situations Where Cyber Audit May Be Required

In addition to the mandatory annual audit, a cyber security audit may also be conducted under specific circumstances, including:

  1. Following a Cyber Incident

    If the entity experiences a cyber attack, data breach, system intrusion, or any security compromise, an audit may be necessary to assess the impact, identify vulnerabilities, and validate corrective actions.

  2. After Major Technology Changes

    Implementation of new core systems, cloud migration, digital onboarding platforms, or integration with third-party technology providers may increase cyber risk exposure. Conducting an audit after such changes helps ensure that security controls remain effective.

  3. During Regulatory Review or Inspection

    IFSCA may require additional audit validation as part of supervisory review, licensing processes, or regulatory inspections.

Entities should therefore view cyber audit as an ongoing risk management process rather than a one-time compliance activity.

By Whom Should Cyber Security Audit Be Conducted?

IFSCA requires the cyber security audit to be conducted by independent and qualified auditors with relevant expertise in cyber security.

The audit may be conducted by:

CERT-In Empanelled Cyber Security Auditors

Auditors empanelled with the Indian Computer Emergency Response Team (CERT-In) are recognised as qualified professionals for conducting cyber security audits. These auditors possess specialised technical expertise and experience in evaluating cyber security controls.

Independent Professionals with Recognised Certifications

Cyber security audits may also be conducted by independent professionals holding internationally recognised certifications such as:

  • Certified Information Systems Auditor (CISA)
  • Certified Information Security Manager (CISM)
  • Certified Information Systems Security Professional (CISSP)
  • GIAC Systems and Network Auditor (GSNA)

These certifications demonstrate expertise in cyber risk assessment, security governance, and audit methodologies.

Audit Firms with Relevant Cyber Security Experience

Professional firms with experience in cyber security audit of financial institutions may also conduct the audit, provided they meet qualification and independence requirements.

Importance of Auditor Independence

Independence is a critical requirement. The auditor conducting the cyber security audit must not have any conflict of interest with the entity.

This means the auditor should not be involved in designing, implementing, or managing the entity’s cyber security systems. The objective is to ensure that the audit provides an unbiased and objective assessment.

Regulatory Reporting and Post-Audit Obligations

Completion of the cyber security audit is only one part of the regulatory process. The entity must also comply with post-audit governance and reporting requirements.

Submission of Audit Report

The cyber security audit report must be submitted to the relevant IFSCA supervisory division within the prescribed timeline. The report serves as formal regulatory evidence of compliance.

Review by Governing Body

The audit findings must be reviewed by the governing body or senior management. This ensures that cyber risk is addressed at the strategic level and corrective actions are prioritised.

Implementation of Corrective Measures

Entities are expected to address audit observations promptly. This may involve strengthening access controls, improving monitoring systems, enhancing incident response capability, or upgrading security infrastructure.

Failure to address audit findings can increase regulatory risk and may impact supervisory assessment.

Strategic Importance of Cyber Security Audit for IFSC Entities

A cyber security audit should not be viewed merely as a compliance obligation. It plays a crucial role in strengthening operational resilience and supporting long-term business growth.

Effective cyber security audit helps organisations:

  • Identify vulnerabilities before they are exploited
  • Strengthen customer data protection
  • Enhance governance and risk management
  • Improve regulatory confidence
  • Support secure digital onboarding and expansion

In an international financial centre such as IFSC, strong cyber security controls are essential for maintaining credibility and attracting global clients.

Organisations with robust cyber governance frameworks are better positioned to scale operations, adopt new technologies, and manage cross-border financial activities.

Conclusion

A cyber security audit has become an essential regulatory and governance requirement for IFSC regulated entities. For FY 2025-26, entities must ensure timely completion of the annual cyber security audit through qualified independent auditors and submit the audit report to IFSCA.

Beyond regulatory compliance, cyber security audit provides valuable insights into risk exposure and helps organisations strengthen their security posture.

As cyber threats continue to evolve, proactive cyber governance and regular independent audits will remain critical for ensuring operational resilience and regulatory compliance in IFSC.

Organisations should therefore treat cyber security audit as a strategic priority and integrate it into their overall risk management framework.

Frequently Asked Questions (FAQs)

  1. Is a cyber security audit mandatory for IFSC entities?

    Yes. A cyber security audit is mandatory for all regulated entities operating in IFSC and must be conducted annually as per IFSCA guidelines.

  2. Who can conduct a cyber security audit in IFSC?

    The cyber security audit must be conducted by CERT-In empanelled auditors or independent professionals holding recognised cyber security certifications such as CISA, CISM, CISSP, or GSNA.

  3. When should the cyber security audit be conducted for FY 2025-26?

    The cyber security audit should be conducted during the financial year, and the audit report must be submitted within the prescribed timeline after the end of FY 2025-26.

  4. Can an internal IT team conduct the cyber security audit?

    No. The cyber security audit must be conducted by independent auditors. Internal IT teams cannot conduct the regulatory cyber security audit.

  5. What happens if the cyber security audit identifies gaps?

    If gaps are identified, the entity must implement corrective measures to address vulnerabilities and strengthen its cyber security framework. Failure to do so may increase regulatory risk.
