The International Financial Services Center Authority (IFSCA), on March 10, 2026, introduced an amendment to Guidelines on Cyber Security and Cyber Resilience for Regulated Entities in IFSCs. The Guidelines provides the basic expectations that IFSCA has from the Regulated Entities (REs) regarding cyber security and cyber resilience. Many entities faced difficulties in reconciling localized IFSC requirements with their existing global cybersecurity policies and group-level governance structures.
Therefore, the 2026 amendment was therefore a response to these industry representations, aiming to ease the burden on smaller and group-linked entities while maintaining the overarching goal of systemic resilience. This allows specific categories of entities to leverage their parent organizations’ mature security frameworks rather than mandating the immediate creation of redundant local infrastructure.
The key changes include:
1. Restructuring of Exemptions: The amendment reconfigured Para 21 to grant a three-year exemption specifically for branches of regulated Indian or foreign entities, Global In-House Centres (GICs), and small entities with fewer than 10 employees.
2. Broadened Policy Adoption: REs are now permitted to adopt the cybersecurity framework and Information Security (IS) policy of either their parent entity or the holding company of such a parent entity, providing greater flexibility for global corporate structures.
3. Expanded Regulatory Recognition: The requirement for a parent organization to be overseen was expanded from “financial sector regulators” to include any “regulator or Government Body” in its home jurisdiction.
4. Mandatory Annual Audit Submission: Para 22e, introduced in the amendment, mandates that all exempted entities must submit an annual cyber security audit report to the IFSCA, ensuring that relief from localized framework creation does not result in an absence of independent assurance.
5. New Exempt Categories (Para 23): The amendment inserted a new paragraph to provide three-year relief for Credit Rating Agencies, newly incorporated standalone entities without a parent organization, and foreign universities set up in the IFSC.
6. Risk-Based Proportionality Certification: For entities under the newly created Para 23, the Designated Officer must certify that the entity has implemented cybersecurity measures proportionate to its specific risk exposure.
