
IFSCA imposes binding cyber controls on IFSC regulated entities for frontier-AI attack risks

IFSC regulated entities must adopt binding cyber controls against frontier-AI attack risks — including treating critical vulnerabilities as exploitable within hours, adding frontier AI as a defined risk-assessment scenario reviewed by the Board, maintaining an SBOM and API inventory, and imposing preparedness requirements on critical service providers — with immediate effect.

Change
On 4 June 2026, IFSCA issued a binding circular (in force immediately, under the IFSCA Act 2019) requiring all Regulated Entities in IFSCs to strengthen cyber controls against frontier-AI-driven attacks. Mandatory measures include presuming critical vulnerabilities are exploitable within hours, treating frontier AI as a defined scenario in Board-reviewed risk assessments, maintaining an SBOM and API inventory with throttling and whitelisting, requiring critical service providers to evidence preparedness, and ensuring human oversight of AI-generated code.
Why it matters
IFSCA's circular responds to frontier AI models that can find vulnerabilities and produce working exploits fast enough to shrink the disclosure-to-exploitation window from weeks to hours. It is binding on all Regulated Entities in the IFSCs with immediate effect and supplements, without diluting, IFSCA's existing cyber guidelines for Regulated Entities and Market Infrastructure Institutions.
Annexure A's mandatory obligations require Regulated Entities:
  • to presume newly disclosed critical vulnerabilities are exploitable within hours and prepare for compressed patch waves;
  • to incorporate frontier-AI capabilities as a defined scenario within cyber-security risk assessments, reviewed periodically and placed before the Board, and before the Standing Committee on Technology for Market Infrastructure Institutions;
  • to maintain a Software Bill of Materials including open-source components;
  • to maintain a comprehensive API inventory with rate-limiting, throttling and whitelisted connectivity;
  • to require critical service providers to assess frontier-AI risk and provide evidence of preparedness, and to remediate third-party vulnerabilities;
  • to strengthen monitoring and detection of AI-driven attack patterns;
  • to control any transmission of source code, configurations, logs or regulated data to AI models; and
  • to ensure human oversight and rigorous security testing of AI-generated or AI-remediated code before production.
Additional measures — phishing-resistant multi-factor authentication, patch prioritisation, rapid credential-compromise response and adoption of AI-assisted detection tools — are encouraged but not mandated.
Implications
  • Regulated entities in the IFSCs must add frontier AI as a defined scenario in their cyber-security risk assessments and place those assessments before the Board — and before the Standing Committee on Technology for Market Infrastructure Institutions — so a risk-assessment framework that omits AI-driven exploit scenarios no longer meets the baseline.
  • Regulated entities must maintain a Software Bill of Materials covering open-source components and a comprehensive API inventory with rate-limiting, throttling and whitelisted connectivity, because the circular treats incomplete component and API visibility as a compliance gap during accelerated patch waves.
  • Regulated entities must require their critical service providers to assess frontier-AI risk and furnish evidence of preparedness for compressed exploit timelines, and ensure remediation of third-party vulnerabilities — extending the obligation into vendor and dependency management.
  • Regulated entities using AI tools that transmit source code, configurations, logs or regulated data must ensure such use is authorised, that data is not exposed to unapproved external services, and that provider data-handling terms are adequate, and must apply human oversight and security testing to AI-generated or AI-remediated code before production deployment.
Who is affected
  • Regulated entities operating in India's International Financial Services Centres, and their cyber-security and technology-risk functions
  • Market Infrastructure Institutions in the IFSCs, whose Standing Committee on Technology must review the frontier-AI risk assessments
  • Boards of IFSC regulated entities responsible for reviewing cyber-security risk assessments
  • Critical service providers and technology vendors supplying IFSC regulated entities
