A consultation paper has been released to gather views and feedback from various stakeholders on proposed Guidelines on Cybersecurity and Cyber Resilience for regulated entities (REs) operating within GIFT IFSC.
Objectives of the Consultation
The primary aim of the consultation paper is to establish a principle-based cybersecurity framework that ensures the protection and resilience of financial institutions against evolving cyber threats. Given the growing complexity and sophistication of cyber-attacks, especially in international jurisdictions such as GIFT IFSC, securing the financial sector’s digital infrastructure is critical. This consultation seeks input from stakeholders to shape a robust cybersecurity framework, covering governance, third-party risks, audit mechanisms, and incident management.
The Importance of Cybersecurity in GIFT IFSC
As GIFT IFSC continues its journey toward becoming a significant player in the global financial landscape, the nature of cyber threats it faces will inevitably grow. Financial entities within GIFT IFSC manage a diverse global clientele, making the protection of sensitive financial data and critical IT infrastructure paramount. A single cyber breach can not only disrupt business operations but also erode trust in the jurisdiction.
Thus, cybersecurity and cyber resilience are fundamental to ensuring the stability and credibility of the financial services offered within GIFT IFSC. The guidelines aim to assist regulated entities in adopting cybersecurity measures in proportion to their operational complexity, interconnectivity, and risk exposure.
Key Components of the Cybersecurity Guidelines
The guidelines provide a holistic framework divided into several key components:
Governance: Entities must establish a well-defined governance structure to manage cyber risks, with designated officers such as the Chief Information Security Officer (CISO) taking responsibility for implementing cybersecurity policies. Senior management should foster a culture of cyber risk awareness across all levels of the organization.
Cybersecurity and Cyber Resilience Framework: This includes developing a comprehensive plan to safeguard the confidentiality, integrity, and availability of information assets. Financial entities must periodically review and update their cybersecurity frameworks to ensure they remain relevant and effective in the face of evolving cyber threats.
Third-Party Risk Management: Entities must actively manage risks posed by external vendors and partners. This includes defining shared expectations for data security and incident response, as well as conducting regular audits and reviews to ensure compliance with cybersecurity standards.
Communication and Awareness: Regular employee training and awareness programs on topics such as phishing, social engineering, and password hygiene are essential. Clear channels for reporting suspicious activities should be established, ensuring prompt identification and mitigation of potential threats.
Audit: Regulated entities are expected to undergo regular cybersecurity audits by CERT-In empanelled auditors, providing an independent review of their governance structures, systems, and processes. These audits are designed to ensure compliance and effectiveness in managing cyber risks.
Invitation for Public Comments
The IFSCA invites comments and suggestions from stakeholders on the proposed guidelines. Public comments are expected to enhance the effectiveness of the cybersecurity framework by incorporating diverse perspectives from the industry. Stakeholders can submit their feedback in the format provided in the consultation paper by October 19, 2024. The submissions should include the stakeholder’s name, contact details, and a detailed rationale for any suggestions or amendments proposed.