SEBI’s Cybersecurity Mandate for AIFs – Compliance Deadline: June 30, 2025


The Securities and Exchange Board of India (SEBI) has introduced a new cybersecurity mandate for Alternative Investment Funds (AIFs), making it mandatory for these funds to implement robust cybersecurity measures. This directive is part of SEBI’s ongoing efforts to safeguard financial systems, mitigate cybersecurity risks, and enhance investor protection in India’s rapidly evolving financial ecosystem.

The deadline to comply with SEBI’s new mandate is June 30, 2025, and it applies to all AIFs, regardless of their size or category. It is critical that AIFs begin taking the necessary steps to meet these requirements to avoid potential regulatory actions or penalties.

Key Requirements of SEBI’s Cybersecurity Mandate

The following are the key measures that AIFs must implement:

  1. Appointment of a Full-Time CISO
    AIFs must appoint a dedicated, full-time Chief Information Security Officer (CISO) or a group-level CISO who will oversee the cybersecurity framework of the fund. This role cannot be part-time, reflecting the growing importance of cybersecurity in the financial sector.
  2. Cloud Usage Compliance
    AIFs must ensure that they are using only MeitY-empanelled and STQC-certified platforms for their cloud-based services. This is to ensure compliance with the government’s standards for cloud security. Platforms like personal Dropbox or Google Drive are prohibited for official use.
  3. Maintenance of Software Bill of Materials (SBOM)
    AIFs must maintain a Software Bill of Materials for all critical systems. This will help track and manage the software components used across various platforms, so that every part of the system can be kept secure and up to date.
  4. Annual VAPT (Vulnerability Assessment and Penetration Testing) & Cybersecurity Audits
    To identify vulnerabilities and mitigate risks, AIFs must conduct annual VAPT and cybersecurity audits. These audits should be done by CERT-In certified agencies, which will assess the fund’s cybersecurity infrastructure and protocols.
  5. SOC Reporting (Security Operations Center)
    AIFs that are self-certified or have fewer than 100 clients may be exempted from this requirement. However, for others, regular SOC reporting is mandatory to ensure real-time monitoring of security incidents and vulnerabilities.
  6. Incident Response Readiness
    AIFs must develop an incident response plan, which includes regular drills and forensic audits. This ensures that they are prepared to respond quickly and efficiently to any cyberattack or security breach.

How Can AIFs Prepare for SEBI’s Mandate?

As the deadline approaches, AIFs should take immediate action to ensure compliance with these new requirements. Here are some steps that funds can take to get started:

  1. Conduct a Gap Assessment
    Evaluate your current cybersecurity measures and identify any gaps. A thorough gap assessment will help you understand what needs to be updated or implemented to meet SEBI’s requirements.
  2. Appoint a Full-Time CISO
    If you don’t already have a CISO in place, start the hiring process. A skilled and experienced CISO will play a pivotal role in ensuring your cybersecurity protocols are up to standard.
  3. Ensure Cloud Compliance
    Make sure all cloud platforms used by your AIF are MeitY-empanelled and STQC-certified. Transition from any non-compliant platforms well before the deadline.
  4. Schedule VAPT and Cybersecurity Audits
    Arrange for a VAPT and cybersecurity audit to be conducted. It is advisable to begin these processes early to avoid any last-minute rush and ensure adequate time for any remediation.
  5. Develop Incident Response Plans
    Start preparing your incident response plan if you haven’t already. Include measures for drills, forensic audits, and data recovery plans to ensure business continuity in the event of a cyber incident.

Conclusion

Compliance with SEBI’s cybersecurity mandate is not just a regulatory requirement; it is a vital step in safeguarding the integrity of your AIF’s operations and protecting investors’ assets. By acting proactively and taking the necessary steps now, AIFs can ensure they are fully compliant by the June 30, 2025 deadline.

For further assistance in preparing for SEBI’s cybersecurity requirements or conducting gap assessments, contact us at aif@treelife.in. Our team of experts is ready to guide you through every step of the compliance process.


About the Author
Priya Kapasi Shah
Associate Partner | Tax & Regulatory | priya.k@treelife.in

Heads Treelife’s Financial Advisory practice, specializing in investment structuring, cross-border transactions, and tax and regulatory advisory. Also leads on AIF setups and advisory services for GIFT IFSC.
