SEBI, Trustees, and Technology: What Fund Sponsors Need to Know

Introduction

Technology has become inseparable from how Alternative Investment Funds (AIFs) operate. From investor onboarding and reporting to portfolio monitoring, compliance, and communication, almost every critical fund activity today relies on digital systems, cloud platforms, and third-party service providers. As this dependence has increased, so has regulatory and fiduciary scrutiny around how technology risks are governed, overseen, and controlled.

For fund sponsors, the relationship between SEBI, trustees, and technology is no longer abstract or peripheral. It is central to how accountability is assessed. The Securities and Exchange Board of India increasingly views technology not merely as an operational enabler, but as a material risk vector, one that can directly impact investor protection, market integrity, and fund continuity. Trustees, acting as fiduciaries on behalf of investors, are likewise expected to understand and oversee technology and cybersecurity risks, even if they do not manage systems directly.

This creates a new reality for fund sponsors. They must ensure that technology governance is clear, defensible, and demonstrable, not only to SEBI, but also to trustees, auditors, and Limited Partners (LPs). This article explains how SEBI, trustees, and technology intersect in the AIF ecosystem, what fund sponsors are expected to know and do, and how to meet these expectations without turning lean investment organisations into IT-heavy enterprises.

Why Technology Is Now a Governance Issue, Not an IT Issue

Historically, technology in AIFs was treated as a support function: email, document storage, basic accounting systems. Governance focused on investment decisions, conflicts of interest, valuation, and compliance. That separation no longer exists.

Today:

  • Investor data is stored digitally
  • Deal pipelines and valuations are cloud-based
  • Regulatory reporting depends on technology platforms
  • Outsourcing and SaaS tools are deeply embedded

As a result, failures in technology controls can:

  • Expose investor information
  • Disrupt capital calls or reporting
  • Trigger regulatory scrutiny
  • Damage sponsor credibility

SEBI therefore assesses technology risk through a governance and fiduciary lens, not a technical one.

SEBI’s Perspective: Technology as Foreseeable Risk

SEBI does not expect fund sponsors to be technologists. What it expects is recognition that:

  • Technology risks are foreseeable
  • Cyber incidents are no longer rare
  • Controls exist to mitigate these risks

From SEBI’s standpoint, failure to govern technology risks is not an accident. It is a lapse in due care. This is why inspections increasingly probe areas such as IT governance, cybersecurity readiness, vendor risk management, and business continuity, even when there has been no incident.

The Role of Trustees in Technology Oversight

Trustees occupy a unique position in the AIF structure. They do not run day-to-day operations, but they are responsible for ensuring that fund activities, including technology usage, align with fiduciary obligations and regulatory expectations.

In the context of technology, trustees are expected to:

  • Seek assurance that material technology risks are identified
  • Understand how those risks are managed
  • Ensure that incidents are escalated appropriately
  • Confirm that corrective actions are taken when gaps are identified

Trustees are not expected to review system logs or security configurations. They are expected to exercise informed oversight.

What Trustees Typically Ask About Technology

In practice, trustee questions often focus on:

  • Whether the fund has defined IT and cyber risk ownership
  • Whether policies and frameworks exist
  • Whether critical vendors are governed
  • Whether incident response and BCP or DR plans are in place
  • Whether audits or reviews have highlighted issues

Fund sponsors should be prepared to answer these questions clearly and consistently.

Fund Sponsors: The Ultimate Accountability Layer

While trustees provide oversight and SEBI provides regulation, fund sponsors remain ultimately accountable for how technology and third-party risks are managed. Delegation to internal teams, administrators, or managed service providers does not remove this accountability.

For sponsors, this means:

  • Owning the governance framework
  • Ensuring execution happens
  • Verifying that oversight is effective
  • Being able to demonstrate all of the above

SEBI scrutiny often traces gaps back to sponsor-level oversight, even if execution failures occurred elsewhere.

Technology Governance: What “Good” Looks Like

From a regulatory and trustee perspective, good technology governance is characterised by:

  • Clear ownership and escalation paths
  • Defined policies that reflect fund operations
  • Risk-based prioritisation of controls
  • Periodic review and reporting
  • Documented decisions and remediation

It is not defined by the number of tools deployed or the size of the IT team.

Cybersecurity as a Fiduciary Responsibility

Cybersecurity has moved firmly into the fiduciary domain. This shift is driven by:

  • The sensitivity of investor and deal data
  • The prevalence of phishing and ransomware
  • The increasing role of third-party platforms

SEBI and trustees view cybersecurity failures as failures to protect investor interests. Sponsors must therefore treat cyber risk with the same seriousness as financial or compliance risk.

Outsourcing and Technology: Where Sponsors Often Misjudge Risk

Most AIFs outsource significant portions of their technology stack to fund administrators, cloud providers, MSPs, and SaaS vendors. Outsourcing brings efficiency, but also introduces risk concentration.

A common misjudgement is assuming that outsourcing transfers responsibility. In reality:

  • Vendors execute controls
  • Sponsors remain accountable
  • Trustees expect oversight

SEBI inspections frequently highlight situations where outsourcing exists without corresponding governance.

Vendor Risk Management as a Trustee Concern

Trustees increasingly focus on vendor-related technology risk because:

  • Many cyber incidents originate at third parties
  • Data often flows outside the fund’s direct control
  • Operational disruption at a vendor impacts the fund

Sponsors must ensure that vendor risk management is structured, proportionate, and documented, especially for critical service providers.

Incident Response: The Moment Governance Is Tested

Nothing tests the SEBI-trustee-sponsor relationship like a technology incident. When incidents occur, regulators and trustees focus less on technical details and more on:

  • Speed of recognition and escalation
  • Clarity of decision-making
  • Quality of communication
  • Effectiveness of remediation

Sponsors who have not pre-defined roles and processes often struggle under this scrutiny.

Business Continuity and Disaster Recovery Expectations

BCP or DR is no longer viewed as a theoretical exercise. Trustees and SEBI increasingly expect assurance that:

  • Critical fund operations can continue during disruptions
  • Data can be recovered reliably
  • Vendor outages are accounted for

For sponsors, BCP or DR readiness demonstrates foresight and operational maturity.

Why One-Time Audits Are Not Enough

Many sponsors rely heavily on periodic IT audits to satisfy trustee or regulatory expectations. While audits are valuable, SEBI increasingly expects continuous governance, not episodic validation.

Trustees often ask:

  • What happens between audits?
  • How are changes managed?
  • How are emerging risks addressed?

Sponsors must therefore ensure that audit findings translate into ongoing oversight.

Evidence: The Common Language Between SEBI and Trustees

One of the most important insights for fund sponsors is that evidence bridges the gap between intent and assurance. Policies, controls, and frameworks only matter if they can be demonstrated.

Trustees and SEBI typically look for:

  • Reports showing execution
  • Records of reviews and decisions
  • Evidence of remediation

Sponsors who invest in evidence discipline significantly reduce friction during inspections and reviews.

Balancing Oversight With Lean Operating Models

A common concern among sponsors is that increased technology governance will slow down operations or inflate costs. In practice, effective governance is about clarity and discipline, not bureaucracy.

Lean funds can meet expectations by:

  • Focusing on critical risks
  • Using managed services wisely
  • Standardising processes
  • Reporting periodically rather than continuously

Over-engineering is neither expected nor rewarded.

The Growing Alignment Between SEBI, Trustees, and LPs

An important trend is the convergence of expectations. SEBI inspections, trustee reviews, and LP due diligence increasingly ask similar questions about:

  • Technology governance
  • Cyber risk management
  • Incident readiness
  • Vendor oversight

Sponsors who address these areas holistically avoid duplication and inconsistent narratives.

How Infodot Helps Fund Sponsors Navigate SEBI and Trustee Expectations

Infodot Technology works with fund sponsors to design practical, SEBI-aligned technology governance models that trustees can rely on and regulators can assess confidently.

Infodot helps by:

  • Establishing clear IT and cyber governance frameworks
  • Supporting managed execution with oversight reporting
  • Preparing trustee- and inspection-ready evidence packs
  • Assisting with incident response and BCP or DR readiness
  • Acting as an ongoing technology governance partner

This allows sponsors to maintain control and confidence without expanding internal IT teams.

Conclusion

For fund sponsors, technology is no longer a background function. It is a core governance responsibility. SEBI’s expectations, trustee oversight duties, and LP scrutiny have converged to raise the bar on how technology risks are understood, managed, and evidenced in AIFs.

Sponsors do not need to become technology experts. They do need to ensure that governance is clear, oversight is active, and evidence is readily available. Those who approach technology with the same discipline applied to investment and compliance decisions are better positioned to withstand regulatory scrutiny, trustee questioning, and investor evaluation.

In today’s environment, strong technology governance is not a constraint on fund performance. It is a foundation for trust, resilience, and long-term credibility.

FAQs

Why is SEBI focusing more on technology in AIFs?
Because technology failures directly impact investor protection, operational resilience, and market integrity.

Are fund sponsors responsible for IT risks?
Yes, sponsors remain ultimately accountable for governance, even if execution is delegated.

What role do trustees play in technology oversight?
Trustees provide fiduciary oversight and seek assurance that material technology risks are managed.

Does SEBI prescribe specific IT tools?
No, SEBI focuses on governance outcomes, not specific technologies.

Is cybersecurity considered a fiduciary responsibility?
Yes, because cyber risks are foreseeable and impact investor interests.

Do trustees need technical expertise?
No, trustees need sufficient understanding to exercise informed oversight.

Can outsourcing reduce sponsor accountability?
No, outsourcing execution does not transfer accountability under SEBI expectations.

What technology areas concern trustees most?
Cybersecurity, vendor risk, incident response, and business continuity are common focus areas.

Is documentation important for trustee assurance?
Yes, documentation provides evidence that oversight and controls exist.

Do trustees review IT audit reports?
Yes, but they also expect updates beyond periodic audits.

Are one-time audits sufficient for SEBI compliance?
No, continuous governance and oversight are increasingly expected.

How should sponsors handle vendor technology risk?
By classifying vendors, performing due diligence, and maintaining ongoing oversight.

What happens if a technology incident occurs?
Trustees and regulators assess response quality, escalation, and remediation, not just root cause.

Is BCP or DR mandatory for AIFs?
While not prescriptive, BCP or DR readiness is strongly expected.

Can lean funds meet technology expectations?
Yes, through proportionate controls and disciplined governance.

Do LPs also assess technology governance?
Yes, LP due diligence increasingly overlaps with SEBI and trustee expectations.

What evidence do trustees typically request?
Risk summaries, audit findings, incident logs, and remediation updates.

Is technology governance a one-time exercise?
No, it is an ongoing responsibility.

Do sponsors need a CISO or CIO?
Not necessarily. Clear ownership and managed support can suffice.

How often should technology risks be reviewed?
Periodically, based on risk and material changes.

Can MSPs satisfy trustee expectations?
Yes, if sponsor oversight and reporting are clearly defined.

What is the biggest technology governance gap in AIFs?
Lack of documented oversight and evidence.

Are cloud platforms automatically compliant?
No, funds must govern access, data, and usage.

Does SEBI expect zero technology incidents?
No, SEBI expects preparedness and effective response.

Is vendor reputation enough assurance?
No, structured oversight is required regardless of reputation.

Can technology governance slow fund operations?
When designed poorly, yes. When designed well, it enhances resilience without friction.

Do trustees expect regular technology reporting?
Increasingly, yes, especially for material risks.

How does evidence support fiduciary duty?
Evidence shows that sponsors exercised due care and oversight.

Are technology risks included in risk registers?
They should be, to demonstrate integrated risk management.

Can sponsors rely solely on administrators for IT risk?
No, administrators support operations but do not replace sponsor governance.

What is SEBI’s view on cyber incidents?
Incidents are evaluated based on preparedness and response quality.

Is technology governance relevant to fundraising?
Yes, strong governance improves LP confidence.

Do trustees escalate technology concerns to SEBI?
They may, if material risks are unmanaged.

How does Infodot support sponsors and trustees?
By providing governance frameworks, managed execution, and audit-ready evidence.

What is the key takeaway for fund sponsors?
Technology governance is a core fiduciary responsibility, not an optional IT concern.