IFSCA Issues Cyber Security Guidelines for Fund Managers in GIFT City

As Gujarat International Finance Tec-City (GIFT City) evolves into a global financial hub, the risk of cyber threats is expected to rise. In response, the International Financial Services Centres Authority (IFSCA) has issued cyber security guidelines, making regulated entities such as Asset Management Companies (AMCs), Portfolio Management Services (PMSs), Alternative Investment Funds (AIFs), and Registered Investment Advisers (RIAs) accountable for cyber security breaches.

The regulator emphasised that cyber security is not merely a requirement but a fundamental pillar for ensuring stability, resilience, and credibility. Here are the key aspects of the guidelines issued by IFSCA for fund management entities operating within GIFT City.

Governance Structure

IFSCA mandates that all regulated entities (REs) must establish a robust governance mechanism with clearly defined roles and responsibilities to manage cyber risks effectively.

• Each entity must appoint a Chief Information Security Officer (CISO) and a Chief Technology Officer (CTO) responsible for overseeing cyber security measures.
• These officials should have adequate expertise and knowledge to assess and mitigate cyber threats.
• Fund management entities must ensure that cyber risk management is a key component of their overall governance framework.

Cyber Security and Resilience Framework

To safeguard financial operations, the IFSCA requires fund management entities to develop a cyber security and resilience framework that can anticipate, withstand, and recover from cyber-attacks.

• A structured Information Security (IS) Policy must be in place, including an inventory of IT assets and their associated risk assessments.
• Cyber security measures should incorporate physical security protocols to prevent unauthorised access to critical IT infrastructure.
• Regular vulnerability assessments and penetration testing (VAPT) must be conducted to identify and mitigate potential weaknesses.
• Recovery policies and procedures should be implemented to ensure continuity of services in case of severe disruptions.
• Entities must maintain an audit trail for IT assets to track and monitor security incidents.

Third-Party Risk Management

Given the interconnected nature of financial services, the guidelines stress the importance of managing cyber risks associated with third-party vendors and external partners.

• A risk-based approach should be adopted for periodic evaluations of third-party vendors.
• Fund management entities must establish clear communication channels to address any security risks or non-compliance issues with partners.
• The responsibility for mitigating risks from third parties remains with the regulated entities operating under the IFSCA framework.

Communication and Employee Awareness

IFSCA highlights the importance of internal awareness and training to ensure a cyber-resilient environment.

• Fund management entities must provide regular training to employees on cybersecurity best practices.
• Clear and accessible reporting mechanisms should be in place for employees to report suspicious activities or cyber incidents.

Conclusion

As cyber threats evolve alongside the growth of GIFT City’s financial ecosystem, IFSCA’s new guidelines serve as a critical framework for safeguarding digital infrastructure. By enforcing strict governance, risk management, and resilience measures, the regulator aims to ensure the financial sector remains secure, stable, and trustworthy in an increasingly digital world.

Disclaimer: This blog has been written exclusively for educational purposes. The securities mentioned are only examples and not recommendations. This does not constitute a personal recommendation/investment advice. It does not aim to influence any individual or entity to make investment decisions. Recipients should conduct their own research and assessments to form an independent opinion about investment decisions. 

Investments in the securities market are subject to market risks, read all the related documents carefully before investing.