Introduction
For Alternative Investment Funds (AIFs) in India, regulatory expectations around IT and cybersecurity have changed decisively. What was once viewed as a support function or a hygiene factor is now treated by regulators as a core element of fiduciary responsibility. Fund managers, sponsors, and trustees are increasingly expected to demonstrate that technology risks, particularly cyber risks, are identified, governed, and mitigated with the same seriousness as financial and operational risks.
The Securities and Exchange Board of India has made it clear through inspections, observations, and supervisory interactions that weak IT systems or inadequate cybersecurity controls can directly compromise investor interests. A cyber incident at an AIF is no longer seen as a technical mishap. It is viewed as a governance failure with potential implications for market integrity, confidentiality of investor data, and continuity of fund operations.
This practical guide is written specifically for fund managers. It explains what SEBI expects from AIFs with respect to IT and cybersecurity, why these expectations exist, where most funds fall short during inspections, and how AIFs can operationalise compliance without overengineering. The focus is not on tools or jargon, but on governance, accountability, and defensible execution.
Why SEBI Is Focusing on IT and Cybersecurity for AIFs
SEBI’s regulatory mandate centres on investor protection, transparency, and market stability. In today’s digital investment ecosystem, these objectives are inseparable from IT systems and cybersecurity controls.
AIFs handle:
- Sensitive investor and KYC data
- Confidential deal pipelines and valuation models
- Market-sensitive information related to exits and capital deployment
- Digital communication across advisors, portfolio companies, and LPs
A failure in IT or cybersecurity can expose or manipulate this information, causing direct harm to investors and undermining trust in the market. SEBI therefore treats cyber risk as a foreseeable and material risk, not an abstract threat.
Cybersecurity as a Fiduciary Responsibility
One of the most important shifts in SEBI’s stance is the implicit linkage between cybersecurity and fiduciary duty. Fiduciary responsibility requires fund managers to act with due care, skill, and diligence in safeguarding investor interests. In a technology-driven environment, this duty extends naturally to protecting systems and data.
From a regulatory perspective:
- Ignoring cyber risk is not defensible
- Delegating IT entirely to vendors does not remove accountability
- Lack of oversight is treated as negligence, not ignorance
SEBI expects fund leadership to understand cyber risk at a governance level, even if execution is outsourced.
What SEBI Practically Expects from AIFs
SEBI does not prescribe specific technologies or vendors. Instead, its expectations are principle-based and outcome-oriented. In practice, this means AIFs must be able to demonstrate:
- Clear ownership of IT and cybersecurity
- Structured governance and oversight
- Proportionate controls aligned to fund size and risk
- Evidence of implementation and monitoring
- Preparedness for incidents and disruptions
Funds that can demonstrate these elements consistently are far better positioned during inspections.
IT Governance: The Foundation of SEBI Readiness
The most fundamental expectation is the presence of IT and cybersecurity governance. Many AIFs struggle here because IT decisions are informal, undocumented, or entirely vendor-driven.
SEBI expects:
- Defined roles and responsibilities for IT and cybersecurity
- Oversight at the sponsor, trustee, or board level
- Alignment between IT risk and overall fund risk management
Governance does not require a large committee structure, but it does require clarity and accountability.
Cyber Risk Identification and Risk Management
SEBI inspections increasingly assess whether cyber risk is formally identified and managed. This includes:
- Inclusion of cyber risk in the risk register
- Periodic risk assessments
- Defined risk appetite and tolerance
AIFs are expected to show that cyber risk is recognised as a business risk, not merely an IT issue. Funds that cannot articulate their cyber risk exposure are often flagged for remediation.
Access Control and Privilege Management Expectations
One of the most common inspection findings relates to access control. SEBI expects AIFs to demonstrate that access to systems and data is:
- Granted on a need-to-know basis
- Reviewed periodically
- Revoked promptly when roles change
Shared accounts, excessive administrative access, and lack of access reviews are viewed as high-risk practices. Given the sensitivity of deal and investor data, weak access controls are a serious concern.
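The three access-control expectations above, together with the practices flagged as high-risk, translate directly into a periodic access review. The script below is an added example written for this guide; it is not from SEBI or Infodot. It reconciles a constructed system account export against a constructed HR roster under an assumed, hypothetical entitlement model (which job roles legitimately need which system roles), and flags orphaned accounts of leavers or unknown owners, accounts whose privileges exceed their owner's current role (the case where a role changed but access was not revoked), shared or unowned accounts, stale accounts, and an administrator count above an assumed ceiling. The output is the kind of evidence an inspection asks for: a dated list of findings, not a statement that access "is reviewed".

```python
"""Periodic access review: reconcile a system account export against the
HR roster and flag the practices called out as high-risk (added example).

All data below is constructed for illustration; the entitlement model,
thresholds and role names are assumptions, not a regulatory standard.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    username: str
    owner: str | None          # None => no single named owner (shared/service)
    roles: frozenset[str]
    last_login: date | None


@dataclass(frozen=True)
class Employee:
    name: str
    role: str                  # current job role from HR
    active: bool               # False => leaver


# Hypothetical need-to-know model: system roles each job role may hold.
NEED_TO_KNOW = {
    "deal_team": {"dataroom_read", "dataroom_write"},
    "finance": {"dataroom_read", "ledger"},
    "compliance": {"dataroom_read", "audit_log"},
    "it_admin": {"admin"},
}
ADMIN_ROLES = {"admin"}
MAX_ADMINS = 2                 # assumed ceiling on standing administrators
STALE_DAYS = 90                # assumed inactivity threshold


def review_access(accounts, roster, today, max_admins=MAX_ADMINS,
                  stale_days=STALE_DAYS):
    """Return sorted (username, finding) pairs for the review date."""
    people = {e.name: e for e in roster}
    findings = []
    admins = []
    for acct in accounts:
        if acct.owner is None:
            findings.append((acct.username, "shared_or_unowned_account"))
            continue
        emp = people.get(acct.owner)
        if emp is None or not emp.active:
            # Leaver or unknown owner: should have been revoked on exit.
            findings.append((acct.username, "orphaned_account"))
            continue
        # Privileges beyond the owner's *current* role: catches access
        # that survived a role change.
        excess = acct.roles - NEED_TO_KNOW.get(emp.role, set())
        if excess:
            findings.append((acct.username,
                             "excess_privilege:" + ",".join(sorted(excess))))
        if acct.roles & ADMIN_ROLES:
            admins.append(acct.username)
        if acct.last_login is None or (today - acct.last_login).days > stale_days:
            findings.append((acct.username, "stale_account"))
    if len(admins) > max_admins:
        findings.append(("*", f"admin_count_exceeds_{max_admins}:{len(admins)}"))
    return sorted(findings)


def run_sample():
    """Constructed roster and account export for a fixed review date."""
    today = date(2025, 1, 31)
    d = lambda n: today - timedelta(days=n)
    roster = [
        Employee("alice", "deal_team", True),
        Employee("bob", "finance", True),       # moved from it_admin, kept admin
        Employee("carol", "compliance", True),
        Employee("dave", "it_admin", True),
        Employee("greg", "it_admin", True),
        Employee("erin", "deal_team", False),   # left the fund
    ]
    accounts = [
        Account("alice", "alice", frozenset({"dataroom_read", "dataroom_write"}), d(3)),
        Account("bob", "bob", frozenset({"dataroom_read", "ledger", "admin"}), d(10)),
        Account("carol", "carol", frozenset({"dataroom_read", "audit_log"}), d(120)),
        Account("dave", "dave", frozenset({"admin"}), d(1)),
        Account("greg", "greg", frozenset({"admin"}), d(2)),
        Account("erin", "erin", frozenset({"dataroom_read"}), d(200)),
        Account("frank", "frank", frozenset({"dataroom_read"}), d(5)),   # not in HR
        Account("svc_dataroom", None, frozenset({"dataroom_read", "dataroom_write"}), d(1)),
    ]
    return review_access(accounts, roster, today)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:14s} {finding}")
```

Run quarterly against the live exports, keep the dated output and the sign-off on each finding; that record, rather than the script, is what satisfies the "reviewed periodically" expectation. A clean run still deserves retention, since it is the proof that the review happened.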
Patch Management and System Hygiene
Unpatched systems remain one of the most exploited attack vectors. SEBI expects AIFs to have:
- Defined patching policies
- Clear timelines for applying updates
- Oversight over third-party and cloud platforms
Ad-hoc or undocumented patching practices are typically flagged during inspections, especially when vulnerabilities are publicly known.
Visibility Over IT Assets and Applications
SEBI expects AIFs to know what systems and applications they use. This includes:
- Endpoints and servers
- Cloud platforms and SaaS tools
- Data repositories and collaboration tools
A lack of asset and application inventory is viewed as a foundational weakness. Controls cannot be enforced or audited if assets are unknown.
Third-Party and Vendor Risk Oversight
Most AIFs rely heavily on third parties, including fund administrators, custodians, cloud providers, legal platforms, and IT service firms. SEBI accepts outsourcing but does not accept abdication of responsibility.
Expectations include:
- Due diligence on vendors’ IT and cybersecurity posture
- Defined SLAs and responsibilities
- Ongoing oversight and review
If a vendor suffers a breach impacting the AIF, SEBI will assess the fund’s governance and oversight, not just the vendor’s actions.
Data Protection and Confidentiality Controls
Investor data and deal information are among an AIF's most valuable assets. SEBI expects funds to demonstrate:
- Awareness of where sensitive data resides
- Controls to prevent unauthorised access or leakage
- Secure handling of data shared externally
Uncontrolled data sharing via email, personal devices, or unmanaged cloud storage is a frequent inspection concern.
Backup, Recovery, and Operational Resilience
Operational resilience is a growing regulatory focus globally, and SEBI is no exception. AIFs are expected to show that they can:
- Recover critical systems and data
- Continue operations after disruptions
- Protect backups from compromise
Backups that are untested or easily accessible from primary systems are considered ineffective during inspections.
Incident Response and Breach Preparedness
SEBI increasingly expects AIFs to be prepared for cyber incidents. This includes:
- Defined incident response procedures
- Escalation and decision-making clarity
- Communication plans for stakeholders and regulators
Funds that rely on improvisation during incidents are often asked to formalise their response capabilities.
Evidence, Documentation, and Audit Readiness
Perhaps the most underestimated expectation is evidence. During inspections, SEBI looks for:
- Policies and procedures
- Logs, reports, and reviews
- Proof of periodic checks and actions
“Well understood but undocumented” controls rarely satisfy inspection requirements. Evidence is how fiduciary care is demonstrated.
Common Pitfalls That Lead to Adverse Observations
Across inspections, certain patterns recur:
- Informal IT practices
- Over-reliance on vendors without oversight
- Absence of cyber risk discussions at leadership level
- Lack of documentation and evidence
These pitfalls are not difficult to fix, but they require intent and structure.
Proportionality: What SEBI Does Not Expect
It is important to clarify what SEBI does not expect:
- Enterprise-grade security teams at small funds
- Excessive tooling without justification
- One-size-fits-all maturity levels
SEBI’s expectations are proportional. What matters is that risks are understood, controls are reasonable, and governance is evident.
Why Early Preparation Matters
Many AIFs begin addressing IT and cybersecurity only after receiving inspection observations. This reactive approach increases:
- Regulatory pressure
- Remediation costs
- Reputational risk
Proactive preparation allows funds to demonstrate control and maturity before scrutiny intensifies.
How Infodot Technology Helps AIFs Meet SEBI IT & Cybersecurity Expectations
Infodot Technology works with AIFs to translate SEBI’s expectations into practical, inspection-ready controls. Infodot’s approach is governance-first, ensuring that cybersecurity aligns with fiduciary responsibility rather than operating as a standalone IT function.
Infodot supports fund managers by:
- Designing IT and cybersecurity governance frameworks
- Conducting SEBI-aligned gap and risk assessments
- Implementing access, patching, and monitoring controls
- Establishing vendor oversight and accountability models
- Creating incident response and resilience playbooks
- Delivering audit-ready documentation and reporting
This enables fund leadership to confidently demonstrate due care, oversight, and preparedness during SEBI inspections.
Conclusion
SEBI’s expectations around IT and cybersecurity for AIFs are no longer implicit. They are becoming explicit through inspections and supervisory feedback. Fund managers who continue to view cybersecurity as a technical afterthought risk regulatory observations, investor concern, and reputational damage.
The good news is that SEBI’s expectations are practical and achievable. With structured governance, proportionate controls, and clear evidence, AIFs can meet regulatory requirements without excessive complexity.
For fund managers, the message is clear. IT and cybersecurity are now part of fiduciary responsibility. Those who embrace this reality proactively will be better positioned to protect investors, maintain regulatory confidence, and build long-term credibility in an increasingly digital investment landscape.
FAQs
Does SEBI explicitly mandate cybersecurity for AIFs?
SEBI expects proportionate cybersecurity controls as part of fiduciary responsibility and investor protection.
Are small AIFs also subject to IT scrutiny?
Yes, expectations apply to all AIFs, scaled according to size and risk profile.
Can AIFs outsource IT security entirely?
Execution can be outsourced, but accountability and oversight must remain with the AIF.
Is IT governance a board-level issue?
Yes, SEBI expects leadership oversight of IT and cyber risk.
Are cyber risks considered foreseeable?
Yes, cyber threats are well-documented and must be anticipated.
Does SEBI expect documented policies?
Yes, documentation is essential to demonstrate due care.
Are cloud platforms included in inspections?
Yes, cloud usage does not reduce regulatory accountability.
Is patch management important for AIFs?
Yes, unpatched systems are a common inspection finding.
Are access reviews mandatory?
Periodic access reviews are strongly expected.
Does SEBI expect incident response planning?
Yes, preparedness is a key inspection focus.
Are backups reviewed during inspections?
Yes, especially recovery readiness and isolation.
Can cyber issues impact investor confidence?
Yes, significantly, especially for institutional LPs.
Are third-party vendors scrutinised?
Yes, vendor oversight is an inspection focus.
Is evidence more important than intent?
Yes, evidence demonstrates fiduciary diligence.
Does SEBI mandate specific tools?
No, outcomes matter more than tools.
Is cyber insurance sufficient?
No, insurance does not replace controls.
Are trustees accountable for cyber oversight?
Yes, trustees are expected to ensure governance.
Can IT gaps lead to regulatory action?
Yes, adverse observations and remediation may follow.
Is cyber risk part of risk registers?
It should be formally included.
Does SEBI expect continuous monitoring?
Yes, not one-time compliance.
Are deal teams subject to IT controls?
Yes, access controls apply to all users.
Is training expected?
Yes, basic cyber awareness is often assessed.
Can MSPs support compliance?
Yes, under proper governance.
Are audits likely to increase?
Cyber scrutiny is increasing across inspections.
Is proportionality recognised by SEBI?
Yes, controls should match fund size and risk.
Can informal practices pass inspections?
Rarely; structure and evidence are required.
Is operational resilience important?
Yes, continuity of operations is a regulatory concern.
Are SaaS tools included?
Yes, all systems handling fund data are in scope.
Does SEBI align with global regulators?
Yes, cybersecurity governance is globally emphasised.
Can early preparation reduce risk?
Yes, proactive readiness reduces inspection pressure.
Does cybersecurity affect fundraising?
Yes, LPs increasingly assess cyber posture.
Are breach notifications expected?
Depending on severity, yes.
Is data classification important?
Yes, sensitive data must be identified and protected.
Can Infodot help with inspections?
Yes, through governance-led readiness and support.
Why should fund managers act now?
Because SEBI expectations are already being enforced.