Technical Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) – SEBI Circular dated August 28, 2025
The Securities and Exchange Board of India (SEBI) vide circular SEBI/HO/ITD-1/ITD_CSC_EXT/P/CIR/2025/119 dated August 28, 2025, has issued technical clarifications to the Cybersecurity and Cyber Resilience Framework (CSCRF) applicable to all SEBI regulated entities, including Alternative Investment Funds (AIFs).
This circular builds on the earlier framework issued on August 20, 2024, and subsequent clarifications/extensions (December 31, 2024; March 28, 2025; April 30, 2025; June 30, 2025; FAQs dated June 11, 2025).
Key Highlights
Applicability: The CSCRF continues to apply to all AIFs. Categorisation is done at the manager level (not at individual scheme level). Where an AIF manager also manages Venture Capital Funds (VCFs), the combined corpus of AIFs and VCFs is considered.
Principle of Exclusivity & Equivalence:
Exclusivity: CSCRF applies only to systems/processes used exclusively for SEBI-regulated activities.
Equivalence: If similar cybersecurity controls are already mandated by another regulator (e.g., RBI for NBFC arms), compliance with that framework is considered valid under CSCRF.
Critical Systems Definition: Expanded to cover not only directly critical systems but also any systems on the same network segment.
Zero Trust Security Model: Access to critical systems (internal or external) must be denied by default and permitted only after authentication and authorisation.
Security Operations Centre (SOC):
AIF managers must ensure continuous monitoring of security events through a SOC (own/group/Market SOC).
Smaller managers classified as self-certification REs and with fewer than 100 clients are exempt from mandatory Market-SOC onboarding.
Cybersecurity Audit Policy: To align with national standards, audits are to be conducted in line with CERT-In guidelines.
Other Key Controls:
Data classification and protection standards (data localisation provisions remain in abeyance).
Patch management and vulnerability testing requirements.
Supply chain risk management obligations.
Log management and retention standards.
Timeline
For AIF managers, the framework became effective April 1, 2025 (first-time applicability).
Regulatory forbearance was earlier provided until March 31, 2025, allowing managers to demonstrate meaningful progress without penalty.
Technical clarifications issued under this circular apply with immediate effect.