Cyber Security and Cyber Resilience Policy for IFSC Entities: Mandatory IFSCA Compliance Framework under 2025 Guidelines
Introduction: Cyber Security is Now a Core Compliance Requirement in IFSC
The International Financial Services Centre (IFSC) at GIFT City has rapidly emerged as a global hub for cross-border financial services, fund management, fintech, capital markets, insurance, and advisory operations. Most IFSC entities operate through digital platforms, cloud infrastructure, and cross-border data flows, making cyber security not merely an IT function but a critical regulatory, operational, and governance priority.
Recognizing the increasing cyber risks and the need to protect financial stability and client data, the International Financial Services Centres Authority (IFSCA) issued the Cyber Security and Cyber Resilience Guidelines on 10 March 2025, effective from 1 April 2025. These guidelines make it mandatory for regulated entities to establish a Cyber Security and Cyber Resilience Policy as part of their core compliance framework. Cyber security policy forms one of the essential components under the broader mandatory policies for IFSC entities in GIFT City, which every regulated entity must implement before commencing operations.
This policy is no longer optional or advisory. It is a mandatory internal governance document that every IFSC regulated entity must prepare, implement, and maintain to protect against cyber threats and to maintain operational continuity.
Regulatory Background: IFSCA Cyber Security and Cyber Resilience Guidelines, 2025
IFSCA issued comprehensive Cyber Security and Cyber Resilience Guidelines applicable to all regulated entities operating in IFSC, including capital market intermediaries, fund management entities, banking units, insurance entities, finance companies, and TechFin service providers.
The guidelines adopt a principle-based and proportional approach, allowing flexibility based on the size, scale, and risk profile of the regulated entity while ensuring minimum baseline cyber security standards.
The framework is aligned with globally recognized cyber security standards such as:
- ISO 27001 Information Security Framework
- NIST Cyber Security Framework
- CERT-In cyber security practices
The primary objectives of the guidelines are to:
- Protect client and investor data
- Ensure operational continuity
- Strengthen cyber resilience of IFSC entities
- Maintain global credibility of IFSC as a secure financial jurisdiction
As part of these guidelines, preparation of a Cyber Security and Cyber Resilience Policy is a mandatory requirement for regulated entities.
Applicability, Proportionality and Exemptions under IFSCA Cyber Guidelines
IFSCA has adopted a proportional compliance approach, recognizing that entities operating in IFSC may vary significantly in terms of size, scale, complexity, and technological infrastructure.
The Cyber Security and Cyber Resilience Guidelines apply to:
- Fund Management Entities (FMEs)
- Broker Dealers and Capital Market Intermediaries
- Finance Companies
- Banking Units
- Insurance Offices
- Payment Service Providers
- TechFin and Ancillary Service Providers
- Consultancy and Advisory firms regulated by IFSCA
IFSCA has provided limited exemptions, for a period of three years, to certain categories of entities, such as:
- Branches of Indian or foreign regulated entities
- Entities with very small employee strength
- Group entities operating under parent cyber security framework
However, even in such cases, the entity must:
- Adopt the cyber security framework of the parent entity, and
- Provide annual certification confirming compliance
Importantly, these exemptions do not eliminate the responsibility to maintain cyber security governance. Every regulated entity must still implement appropriate cyber security controls and governance mechanisms.
Therefore, preparation of a Cyber Security and Cyber Resilience Policy remains a foundational compliance requirement.
Mandatory Requirement to Establish Cyber Security and Cyber Resilience Policy
IFSCA explicitly requires every regulated entity to establish, implement, and maintain a formal Cyber Security and Cyber Resilience Policy approved by its Board or Governing Body.
This policy forms a critical component of the entity’s:
- Governance framework
- Risk management framework
- Internal control framework
The Cyber Security Policy must be:
- Formally documented
- Approved by the Board of Directors or an equivalent governing body
- Communicated internally
- Implemented across operations
- Periodically reviewed and updated
The responsibility for cyber security does not lie only with the IT department. It is a senior management and Board-level responsibility.
The policy must clearly define:
- Cyber security governance structure
- Roles and responsibilities
- Risk management processes
- Incident response procedures
- Audit and monitoring framework
IFSCA expects cyber security to be integrated into the overall governance framework of the entity.
Failure to establish and maintain this policy may be treated as regulatory non-compliance.
Key Components of Cyber Security and Cyber Resilience Policy
IFSCA guidelines specify several critical areas that must be covered in the Cyber Security and Cyber Resilience Policy.
Cyber Security Governance Structure
Cyber security must be governed at the highest level of the organization.
The policy must define:
- Board oversight and accountability
- Senior management responsibility
- Designation of a Cyber Security Officer or a responsible IT officer
- Reporting structure and escalation mechanism
Senior management must ensure adequate resources and implementation of cyber security controls.
Cyber security governance must be integrated with enterprise risk management.
Identification and Classification of Information Assets
The policy must include procedures to identify and classify all IT assets, including:
- Computers and servers
- Databases
- Cloud infrastructure
- Software applications
- Client data
Assets should be classified based on their sensitivity, for example as:
- Critical
- Sensitive
- Normal
This classification helps determine protection levels and security controls.
Access Control and Data Protection Framework
Access control is one of the most critical cyber security controls.
The policy must define:
- Role-based access control
- User access authorization procedures
- Password management standards
- Privileged access controls
Only authorized personnel should have access to sensitive data.
Data protection measures must ensure confidentiality, integrity, and security of client and business information.
Network Security and Infrastructure Protection
The Cyber Security Policy must include safeguards to protect network infrastructure.
This includes:
- Firewall implementation
- Antivirus and anti-malware systems
- Network monitoring systems
- Secure configuration of systems
- Protection against unauthorized access
Regular monitoring and updating of systems is necessary to prevent cyber attacks.
Cyber Incident Detection, Response and Reporting
Cyber incident management is a mandatory requirement under IFSCA guidelines.
The policy must include:
- Incident identification procedures
- Incident response mechanism
- Incident escalation framework
- Incident investigation procedures
IFSCA has prescribed strict timelines for reporting cyber incidents:
- Initial reporting within 6 hours
- Interim report within 3 days
- Final root cause analysis report within 30 days
Timely reporting is a critical regulatory requirement.
Cyber Resilience, Backup and Business Continuity
Cyber resilience ensures the entity can continue operations even during cyber incidents.
The policy must include:
- Data backup procedures
- Disaster recovery planning
- System recovery procedures
- Business continuity plan
Backup systems must be regularly tested.
This ensures continuity of operations and protects client interests.
Third-Party and Vendor Risk Management
Many entities rely on external vendors for IT services.
The Cyber Security Policy must include:
- Vendor risk assessment
- Vendor cyber security requirements
- Monitoring of vendor cyber controls
- Protection of data shared with vendors
Outsourcing does not reduce regulatory responsibility: the regulated entity remains responsible for the cyber security of outsourced services and the data shared with vendors.
Cyber Security Audit and VAPT Requirements
IFSCA guidelines mandate regular cyber security audit and testing.
Every regulated entity must conduct:
Annual Cyber Security Audit
This audit evaluates:
- Adequacy of cyber security controls
- Compliance with policy
- System vulnerabilities
The audit must be conducted by qualified, independent professionals.
Vulnerability Assessment and Penetration Testing (VAPT)
VAPT is mandatory to identify system vulnerabilities.
It helps detect:
- Weaknesses in systems
- Security gaps
- Potential cyber threats
VAPT should be conducted at least annually.
Entities must implement corrective actions based on audit findings.
Audit reports must be maintained and made available for regulatory inspection.
Practical Steps to Prepare Cyber Security and Cyber Resilience Policy
Preparing a Cyber Security Policy requires a structured approach.
Typical steps include:
Step 1: Identify IT Infrastructure and Systems
List all:
- Hardware
- Software
- Applications
- Cloud systems
Step 2: Conduct Cyber Risk Assessment
Identify:
- Risk areas
- Vulnerabilities
- Threat exposure
Step 3: Define Governance Structure
Designate:
- Cyber Security Officer
- Reporting structure
Step 4: Draft Cyber Security Policy
Include:
- All mandatory components
- Roles and responsibilities
- Incident reporting framework
Step 5: Obtain Board Approval
Board approval is mandatory.
Step 6: Implement Controls
Deploy:
- Security systems
- Monitoring systems
Step 7: Conduct Cyber Audit
Verify that the policy and the implemented controls are effective.
Professional advisory support can help ensure full compliance.
Consequences of Non-Compliance with Cyber Security Policy Requirements
Failure to implement a cyber security policy may lead to:
- Regulatory penalties
- Regulatory action by IFSCA
- Loss of license credibility
- Operational disruption
- Client data breaches
- Reputation damage
Cyber security compliance is essential to protect business and regulatory standing.
Conclusion: Cyber Security Policy is Now a Mandatory Compliance Framework in IFSC
Cyber security is no longer merely an IT concern. It is a core regulatory and governance requirement for IFSC entities.
The IFSCA Cyber Security and Cyber Resilience Guidelines, 2025 have made it mandatory for regulated entities to establish and maintain a Cyber Security and Cyber Resilience Policy.
This policy protects:
- Client data
- Business operations
- Regulatory compliance
Every IFSC entity must proactively prepare and implement a robust cyber security framework.
A well-structured Cyber Security Policy ensures not only regulatory compliance but also long-term operational stability and business credibility.
FAQs
1. Is a Cyber Security Policy mandatory for IFSC entities?
Yes, it is mandatory under the IFSCA Cyber Security and Cyber Resilience Guidelines, 2025.
2. Who should approve the Cyber Security Policy?
It must be approved by the Board of Directors or the Governing Body.
3. Is a Cyber Security Audit mandatory?
Yes, an annual cyber security audit is required.
4. What is the cyber incident reporting timeline?
An initial report within 6 hours and a final report within 30 days.
5. Do small IFSC entities need a cyber security policy?
Yes, proportional compliance applies, but a policy is still required.
