On April 20, 2026, the International Financial Services Centres Authority (IFSCA) issued the Guidelines on Cyber Security and Cyber Resilience for Market Infrastructure Institutions (MIIs) in IFSC. With implementation effective from April 1, 2026, these policy guidelines mark a significant step toward strengthening MIIs' cyber security and cyber resilience posture.
Given MIIs' heightened exposure to cyber risks, IFSCA has sought to establish a robust and structured framework.
Objectives
The new guidelines aim to create a comprehensive cyber security and resilience framework for MIIs with the following key objectives:
- Strengthen governance and accountability at senior levels.
- Address evolving cyber threats, including risks emerging from quantum computing.
- Align cyber security practices with global standards.
- Ensure effective detection, response and recovery mechanisms.
Core Cyber Security Functions
These guidelines are structured around seven essential cyber security functions:
- Govern - Establish defined policies and oversight mechanisms for managing cyber security risks.
- Identify - Recognize and maintain an inventory of assets, along with risks and vulnerabilities.
- Protect - Implement security controls to protect systems and data from threats.
- Detect - Deploy systems to promptly identify cyber incidents and malicious activities.
- Respond - Take immediate action to contain and manage cyber security incidents.
- Recover - Restore systems and operations quickly after a cyber incident.
- Resilience - Strengthen continuous readiness through testing, drills and specific scenario-based exercises.
Governance and Accountability
MIIs shall formulate a comprehensive Cyber Security and Cyber Resilience Policy, defining a risk appetite and risk tolerance statement. The Standing Committee on Technology (SCOT) of the MIIs shall review the implementation of the Policy on a bi-annual basis.
Asset Identification and Risk Assessment
MIIs shall maintain an up-to-date inventory of all information assets, including applications, data, and third-party dependencies. To ensure a clear picture of overall cyber risk posture, MIIs must classify assets based on sensitivity and criticality of the risks. Conducting annual risk assessments (including post-quantum risks) and maintaining network architecture diagrams help in acquiring visibility.
Protection Measures
The guidelines mandate robust protection measures:
- Stringent access control following the Principle of Least Privilege (PoLP)
- Strong password and authentication policies
- Network and system security controls, deploying firewalls and intrusion detection systems
- Encrypting data both at rest and in transit, including Data Loss Prevention (DLP) controls and annual cryptographic risk assessments
A roadmap for Post-Quantum Cryptography (PQC) adoption is also mandated. MIIs must resolve insider risks through training, while ensuring rigid physical access controls and surveillance of critical infrastructure.
Continuous Detection and Monitoring
MIIs must implement systems for real-time detection of anomalies and unauthorized activities. These systems must be capable of monitoring logs across systems, applications, and networks and of generating alerts promptly.
Incident Response and Reporting
The MIIs are advised to establish a Cyber Crisis Management Plan (CCMP) and an Incident Response Plan. In case of incidents, key reporting requirements include:
- Notifying IFSCA and CERT-In of an incident within 6 hours
- Submitting the interim report within 3 days, followed by a detailed root cause analysis report within 30 days
- Taking mitigation actions within 7 days
The quarterly reports containing information on cyber-attacks shall be submitted within 15 days from the quarters ending June, September, December and March of every year.
Recovery and Business Continuity
A recovery plan shall be formulated in line with the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) specified by IFSCA’s Guidelines for Business Continuity Plan (BCP) and Disaster Recovery (DR) for MIIs.
Cyber Resilience
To ensure preparedness, MIIs shall perform cyber resilience testing, including business continuity drills and scenario-based exercises at least once in a financial year. The results must be reviewed and shared with IFSCA within 3 months from the end of the financial year.
Cyber Security Operations Center (C-SOC)
The MIIs shall have a Cyber Security Operations Center (C-SOC) that operates as a 24x7x365 set-up. A contingent C-SOC at their respective DR sites, with capabilities identical to those of the primary C-SOC, is also required.
Periodic Audit
For compliance requirements, these guidelines mandate:
- Conducting cyber security audits by CERT-In empanelled auditors (reassignment after three consecutive years)
- Submitting the audit reports within 120 days from the end of the financial year
- Acquiring ISO 27001 certification within two years of the issuance of these guidelines. The evidence of certification shall be submitted to IFSCA.
- Proactive review and corrective action against vulnerabilities.
Conclusion
These guidelines aim to ensure that MIIs are well-prepared to tackle emerging cyber threats and vulnerabilities. With the guidelines coming into effect from April 1, 2026, MIIs must adopt a structured approach towards cyber security by ensuring full compliance within the prescribed timelines.
Disclaimer: This is an effort by Lexcomply.com to contribute towards improving the compliance management regime. Users are advised not to construe this service as legal opinion and are advised to take the view of subject experts.

