The GIFT IFSC has rapidly evolved into a dynamic global financial hub. As of June 2024, over 640 entities across various sectors—including 29 banks, 116 fund management firms, and 12 IFSC insurance offices—operate within this jurisdiction. The diversity in these entities, their operational scales, and their technology infrastructure have led to varied cyber risk profiles. Thus, developing a uniform cybersecurity and cyber resilience framework has become essential.

Challenges in Developing a Cybersecurity Framework

The presence of such a diverse set of entities in GIFT IFSC presents a unique challenge. While some entities are branches of international firms, others are wholly owned subsidiaries of parent companies based in different jurisdictions. This diversity, along with varying cyber risk profiles, makes it difficult for the IFSCA (International Financial Services Centres Authority) to implement a one-size-fits-all approach. In response, the IFSCA has opted for a principle-based approach to establish a cybersecurity framework that is flexible, proportional, and aligned with global best practices.

The Role of the Cyber Security Advisory Committee (CSAC)

To ensure the development of a robust cybersecurity strategy, the IFSCA established the Cyber Security Advisory Committee (CSAC) in August 2023. Chaired by Dr. Sanjay Bahl, the Director General of CERT-In, CSAC includes experts from the fields of cybersecurity, computer science, law, and government regulations. CSAC's role is pivotal in providing recommendations to strengthen the cyber resilience of entities operating within GIFT IFSC.

Key Elements of the Cybersecurity Guidelines

Governance Framework

The first component of the cybersecurity guidelines stresses the importance of governance mechanisms. Each entity must establish clear roles and responsibilities to manage cyber risks. This includes appointing a Chief Information Security Officer (CISO), a Chief Technology Officer (CTO), and senior officials with sufficient expertise to understand and mitigate cyber threats.

Cybersecurity and Cyber Resilience Framework

Entities in GIFT IFSC are required to formulate a cybersecurity and cyber resilience framework to ensure the confidentiality, integrity, and availability of information assets. This framework should outline processes for identifying, managing, and responding to cyber threats. Regular updates to the framework are mandatory to keep pace with evolving cyber risks.

Third-Party Risk Management

Third-party vendors and external partners play a crucial role in the operations of entities in GIFT IFSC. Entities are advised to adopt a collaborative security approach by forming strong security agreements with these third parties. Continuous vigilance through audits and reviews will help identify potential vulnerabilities or compliance gaps.

Education & Communication

Employee awareness and training are essential components of this framework. Regular cybersecurity training should cover topics like phishing, password hygiene, and incident reporting procedures. Clear communication channels should also be established for employees to report any suspicious activities.

Periodic Audits

To ensure that the cybersecurity measures are effective, entities must conduct regular audits through CERT-In empanelled auditors. These independent audits will provide assurance regarding the effectiveness of the cybersecurity framework and help in identifying areas of improvement.

Conclusion: Strengthening the Cyber Resilience of GIFT IFSC

As the financial services landscape within GIFT IFSC continues to grow, the implementation of strong cybersecurity guidelines is essential to maintaining trust and protecting sensitive data. By adopting a principle-based approach, entities can create a cyber resilience framework that is tailored to their specific needs, risks, and operations, ensuring long-term stability and growth in this global financial hub.

Disclaimer: This post is for informational purposes only and does not constitute professional advice. While efforts are made to ensure accuracy, we do not guarantee the completeness or reliability of the information provided. Any reliance is at your own risk. Consult professionals for specific advice.