In a recent circular, the International Financial Services Centres Authority (IFSCA), the regulator for Gujarat International Finance Tec-City (GIFT City), has clarified that regulated entities such as AMCs, PMSs/AIFs and RIAs will be held responsible for cyber security breaches.
The regulator said that as GIFT City evolves into a hub of global financial activity, cyber threats are also expected to grow.
The IFSCA said that cyber security is not just a necessity but a foundational pillar for ensuring stability, resilience and credibility.
Here are some of the key guidelines for the fund management entities operating out of GIFT City:
Governance
- Regulated Entities (REs) will need to have adequate governance mechanisms, with a clear set of roles and responsibilities for managing cyber risk, including a Chief Information Security Officer (CISO) and a Chief Technology Officer (CTO)
- The people holding these roles should have sufficient expertise and knowledge to understand and manage cyber risks effectively
Cyber security and cyber resilience framework
- The fund management entities need to develop a framework to anticipate, withstand, contain and recover from cyber-attacks
- They need to outline the process and technology requirements for managing cyber risks
- There should be clearly defined roles and responsibilities for the officials handling cyber security
- The entities need to formulate an Information Security (IS) Policy as part of their cyber security and cyber resilience framework
- Under that policy, the entities will need to maintain a detailed inventory of their IT assets and a risk assessment of those assets
- The entities need to ensure adequate physical security of their IT assets so that the confidentiality, integrity and availability of information is not impaired
- The fund management entities will need to conduct vulnerability assessment and penetration testing (VAPT) to detect vulnerabilities in their IT environment
- They will also need recovery policies and procedures that maximise their ability to keep providing services on an ongoing basis and limit losses in the event of severe business disruption
- The entities need to ensure that an audit trail exists for their IT assets
Third party risk management
- The fund management entities also need to adopt a collaborative security approach with their third-party vendors and external partners
- The entities need a risk-based approach to the periodic review of third-party vendors and external partners
- They also need to establish clear communication channels and escalation procedures so that any identified risks or non-compliance by partners are addressed promptly and effectively
- The ultimate responsibility for mitigating cyber risks arising from third parties rests with the regulated entities operating under the IFSCA
Communication and awareness
- The fund management entity needs to provide regular training to its employees on topics pertaining to cyber security
- They also need to establish clear and accessible channels for employees to report suspicious activity, vulnerabilities and potential cyber incidents