IFSCA imposes binding cyber controls on IFSC regulated entities for frontier-AI attack risks
IFSC regulated entities must adopt binding cyber controls against frontier-AI attack risks — including treating critical vulnerabilities as exploitable within hours, adding frontier AI as a defined risk-assessment scenario reviewed by the Board, maintaining an SBOM and API inventory, and imposing preparedness requirements on critical service providers — with immediate effect.
- Regulated entities in the IFSCs must add frontier AI as a defined scenario in their cyber-security risk assessments and place those assessments before the Board — and before the Standing Committee on Technology for Market Infrastructure Institutions — so a risk-assessment framework that omits AI-driven exploit scenarios no longer meets the baseline.
- Regulated entities must maintain a Software Bill of Materials covering open-source components and a comprehensive API inventory with rate-limiting, throttling and whitelisted connectivity, because the circular treats incomplete component and API visibility as a compliance gap during accelerated patch waves.
- Regulated entities must require their critical service providers to assess frontier-AI risk and furnish evidence of preparedness for compressed exploit timelines, and ensure remediation of third-party vulnerabilities — extending the obligation into vendor and dependency management.
- Regulated entities using AI tools that transmit source code, configurations, logs or regulated data must ensure such use is authorised, that data is not exposed to unapproved external services, and that provider data-handling terms are adequate, and must apply human oversight and security testing to AI-generated or AI-remediated code before production deployment.
- Regulated entities operating in India's International Financial Services Centres, and their cyber-security and technology-risk functions
- Market Infrastructure Institutions in the IFSCs, whose Standing Committee on Technology must review the frontier-AI risk assessments
- Boards of IFSC regulated entities responsible for reviewing cyber-security risk assessments
- Critical service providers and technology vendors supplying IFSC regulated entities