In today’s increasingly digital financial landscape, cyber security has become a central pillar of trust, stability, and operational resilience. Nowhere is this more critical than in Market Infrastructure Institutions (MIIs) — stock exchanges, clearing corporations, depositories, and other entities that form the backbone of the capital market ecosystem. Recognizing this imperative, the International Financial Services Centres Authority (IFSCA) has released a draft of the “Guidelines on Cyber Security and Cyber Resilience for MIIs in IFSC”, inviting public comments to help shape a more robust and future-ready security framework.
This consultation paper stems from IFSCA’s principle-based cyber security guidelines issued earlier in March 2025 for all regulated entities in IFSCs. Building on these foundations, the new draft specifically targets MIIs—institutions that are deeply interconnected and systemically significant. Given their role in enabling trading, clearing, settlement, and record-keeping, any cyber incident affecting MIIs can potentially trigger cascading effects across financial markets. Therefore, IFSCA proposes a differentiated, elevated baseline for cyber security and resilience tailored to the unique risks MIIs face.
A major pillar of the draft guidelines is Governance. MIIs must formulate a comprehensive Cyber Security and Cyber Resilience Policy, approved and annually reviewed by their boards. This policy must clearly define risk appetite, risk tolerance, and the processes needed to identify, protect against, detect, respond to, and recover from cyber threats. The appointment of a dedicated Chief Information Security Officer (CISO), reporting directly to the MD/CEO, further reinforces accountability and oversight.
Under Identify, MIIs are expected to maintain an up-to-date inventory of all assets, classify critical systems, map data flows, and conduct biannual risk assessments, including post-quantum risks. This emphasis on asset visibility and threat awareness lays the foundation for effective protection strategies.
The Protect section is one of the most extensive, covering access controls, Active Directory security, insider threat mitigation, physical security, network segmentation, email and DNS filtering, DLP implementation, cryptographic standards, and secure software development practices. MIIs are required to enforce strong authentication, privileged access management, encryption, VAPT exercises, patch management protocols, and robust change management. These measures are designed to minimize vulnerabilities and reduce the attack surface across IT environments.
In the Detect, Respond, and Recover domains, the guidelines focus on rapid incident identification, real-time monitoring, timely reporting, forensic readiness, crisis management planning, and adherence to strict reporting timelines—including notifying IFSCA and CERT-In within six hours of detecting a cyber incident. MIIs must also test recovery capabilities in accordance with approved RTO and RPO benchmarks.
To build long-term Resilience, MIIs must conduct annual cyber resilience drills, involving critical third-party service providers where necessary. A 24x7x365 Cyber Security Operations Centre (C-SOC) is mandated, supported by a contingent setup at the disaster recovery site. Finally, periodic audits by CERT-In-empaneled auditors and mandatory ISO 27001 certification underscore the emphasis on continuous evaluation and improvement.
IFSCA is inviting comments on the draft guidelines until December 16, 2025, encouraging all stakeholders to contribute to shaping a stronger, more secure financial ecosystem. This consultation marks a significant step toward future-proofing MIIs in the rapidly evolving cyber threat landscape—enhancing stability, trust, and resilience at the core of India’s international financial services ecosystem.