Notification

  • Image

    Webinar | Angel Investing in India: Mistakes First-Time Investors Avoid

    Book your seat

SEBI’s Cybersecurity Mandate for AIFs – Compliance Deadline: June 30, 2025

Get in touch with us

    Your information is confidential and secure


    AI Summary
    • SEBI has mandated new cybersecurity requirements for Alternative Investment Funds (AIFs) with a compliance deadline of 30/06/2025.
    • The mandate applies to all AIFs regardless of size or category, and non-compliance may attract regulatory action or penalties.
    • AIFs must appoint a dedicated full-time Chief Information Security Officer (CISO), or a group-level CISO, and this role cannot be part-time.
    • AIFs are required to use only MeitY-empanelled and STQC-certified platforms for cloud-based services, with personal Dropbox or Google Drive prohibited for official use.
    • AIFs must maintain a Software Bill of Materials (SBOM) for all critical systems to track and secure software components.
    • Annual Vulnerability Assessment and Penetration Testing (VAPT) and cybersecurity audits are mandatory and must be conducted by CERT-In certified agencies.
    • Self-certified AIFs or those with fewer than 100 clients may be exempted from Security Operations Center (SOC) reporting, while others must report regularly.
    • AIFs must develop an incident response plan that includes regular drills and forensic audits to ensure readiness against cyberattacks.
    • Recommended preparatory steps include conducting a gap assessment, hiring a full-time CISO, ensuring cloud compliance, scheduling VAPT audits, and developing incident response plans well before the deadline.

    Get in touch with us

      Your information is confidential and secure


      GET PDF

      The Securities and Exchange Board of India (SEBI) has introduced a new cybersecurity mandate for Alternative Investment Funds (AIFs), making it mandatory for these funds to implement robust cybersecurity measures. This directive is part of SEBI’s ongoing efforts to safeguard financial systems, mitigate cybersecurity risks, and enhance investor protection in India’s rapidly evolving financial ecosystem.

      The deadline to comply with SEBI’s new mandate is June 30, 2025, and it applies to all AIFs, regardless of their size or category. It is critical that AIFs begin taking the necessary steps to meet these requirements to avoid potential regulatory actions or penalties.

      Key Requirements of SEBI’s Cybersecurity Mandate

      The following are the key measures that AIFs must implement:

      1. Appointment of a Full-Time CISO
        AIFs must appoint a dedicated, full-time Chief Information Security Officer (CISO) or a group-level CISO who will oversee the cybersecurity framework of the fund. This role cannot be part-time, reflecting the growing importance of cybersecurity in the financial sector.
      2. Cloud Usage Compliance
        AIFs must ensure that they are using only MeitY-empanelled and STQC-certified platforms for their cloud-based services. This is to ensure compliance with the government’s standards for cloud security. Platforms like personal Dropbox or Google Drive are prohibited for official use.
      3. Maintenance of Software Bill of Materials (SBOM)
        AIFs must maintain a Software Bill of Materials for all critical systems. This will help track and manage the software components used across various platforms, ensuring that all parts of the system are secure and up to date.
      4. Annual VAPT (Vulnerability Assessment and Penetration Testing) & Cybersecurity Audits
        To identify vulnerabilities and mitigate risks, AIFs must conduct annual VAPT and cybersecurity audits. These audits should be done by CERT-In certified agencies, which will assess the fund’s cybersecurity infrastructure and protocols.
      5. SOC Reporting (Security Operations Center)
        AIFs that are self-certified or have fewer than 100 clients may be exempted from this requirement. However, for others, regular SOC reporting is mandatory to ensure real-time monitoring of security incidents and vulnerabilities.
      6. Incident Response Readiness
        AIFs must develop an incident response plan, which includes regular drills and forensic audits. This ensures that they are prepared to respond quickly and efficiently to any cyberattack or security breach.

      How Can AIFs Prepare for SEBI’s Mandate?

      As the deadline approaches, AIFs should take immediate action to ensure compliance with these new requirements. Here are some steps that funds can take to get started:

      1. Conduct a Gap Assessment
        Evaluate your current cybersecurity measures and identify any gaps. A thorough gap assessment will help you understand what needs to be updated or implemented to meet SEBI’s requirements.
      2. Appoint a Full-Time CISO
        If you don’t already have a CISO in place, start the hiring process. A skilled and experienced CISO will play a pivotal role in ensuring your cybersecurity protocols are up to standard.
      3. Ensure Cloud Compliance
        Make sure all cloud platforms used by your AIF are MeitY-empanelled and STQC-certified. Transition from any non-compliant platforms well before the deadline.
      4. Schedule VAPT and Cybersecurity Audits
        Arrange for a VAPT and cybersecurity audit to be conducted. It is advisable to begin these processes early to avoid any last-minute rush and ensure adequate time for any remediation.
      5. Develop Incident Response Plans
        Start preparing your incident response plan if you haven’t already. Include measures for drills, forensic audits, and data recovery plans to ensure business continuity in the event of a cyber incident.

      Conclusion

      Compliance with SEBI’s cybersecurity mandate is not just a regulatory requirement; it is a vital step in safeguarding the integrity of your AIF’s operations and protecting investors’ assets. By acting proactively and taking the necessary steps now, AIFs can ensure they are fully compliant by the June 30, 2025 deadline.

      For further assistance in preparing for SEBI’s cybersecurity requirements or conducting gap assessments, contact us at aif@treelife.in. Our team of experts is ready to guide you through every step of the compliance process.

      Powered By EmbedPress

      About the Author
      Priya Kapasi Shah
      Priya Kapasi Shah social-linkedin
      Associate Partner | Tax & Regulatory | priya.k@treelife.in

      Heads Treelife’s Financial Advisory practice, specializing in investment structuring, cross-border transactions, and tax and regulatory advisory. Also leads on AIF setups and advisory services for GIFT IFSC.

      We Are Problem Solvers. And Take Accountability.

      Related Posts

      Who Owns the Prompt? Modifying Employee IP Assignment Clauses for the GenAI Era
      Who Owns the Prompt? Modifying Employee IP Assignment Clauses for the GenAI Era

      Most Indian employment agreements assign to the employer everything an employee creates, develops, or invents during employment. That clause was...

      Learn MoreLearn More
      The AI Indemnity Trap: Negotiating Liability When Third-Party Algorithms Hallucinate
      The AI Indemnity Trap: Negotiating Liability When Third-Party Algorithms Hallucinate

      Every founder who has embedded a third-party AI model into their product has read an indemnity clause that sounds reassuring....

      Learn MoreLearn More
      Beyond Boilerplate: How to Draft AI Usage Disclaimers in B2B Tech Contracts
      Beyond Boilerplate: How to Draft AI Usage Disclaimers in B2B Tech Contracts

      The average Indian B2B tech contract today has exactly one sentence addressing artificial intelligence: "outputs generated by AI tools are...

      Learn MoreLearn More

      For Customer Support

      Mumbai | Delhi |
      Bangalore | GIFT City

      Speak to Us!

      We respond within 60 minutes.

        Your information is confidential and secure


        Let's talk.

        We've seen most founder problems before. Tell us yours.






          Typically responds within 4 hours
          Or reach out directly