Changes to SEBI’s Cyber Security and Cyber Resilience Framework for AIFs

SEBI had introduced the Cyber Security and Cyber Resilience Framework (CSCRF) in its circular no. SEBI/HO/ ITD-1/ITD_CSC_EXT/P/CIR/2024/113 dated August 20, 2024 (“August 2024 CSCRF Circular”) which required entities regulated by SEBI (“Regulated Entities” or “RE”) to adopt a structured and risk-based model for cybersecurity compliance by classifying into five broad categories:

• Market Infrastructure Institutions (MIIs)
• Qualified REs
• Mid-size REs
• Small-size REs
• Self-certification REs

As per the August CSCRF Circular, the thresholds for classification of Alternative Investment Funds (AIFs) based on their assets under management (AUM) were as follows:

• AIFs with an AUM of ₹1,000 crores and above would be Qualified REs;
• AIFs with an AUM of ₹500 crores and above, but less than ₹1,000 crores would be Mid-Size REs;
• AIFs with an AUM of ₹100 crores and above, but less than ₹500 crores would be Small-Size REs; and
• AIFs with an AUM of less than ₹100 crores would be Self-Certification REs.

The August 2024 CSCRF Circular required all REs to establish appropriate security monitoring mechanisms through Security Operation Centre (SOC). REs were permitted to onboard SOC through the RE’s own/ group SOC or Market SOC or any other third-party managed SOC for continuous monitoring of security events and timely detection of anomalous activities. Since compliance with the cybersecurity guidelines was expected to be onerous for smaller REs due to the lack of knowledge and expertise in cybersecurity and the cost factor involved in setting up own SOC, the August 2024 CSCRF Circular mandated NSE and BSE to set up a Market SOC (M-SOC) with the objective of providing cybersecurity solutions to such categories of REs.

On April 30, 2025 the SEBI issued a circular titled Clarifications to Cybersecurity and Cyber Resilience Framework (CSCRF) for SEBI Regulated Entities (REs) (“April 2025 CSCRF Circular”) which specified that, henceforth, AIF categorization is to be assessed at the level of the AIF’s investment manager. In cases where the manager also oversees Venture Capital Funds (VCFs), the combined corpus of all AIF and VCF schemes under the investment manager’s purview shall be considered for classification. The revised thresholds for categorization of AIFs, based on the aggregate AUM of the investment manager, are:

• Above ₹10,000 crores – Mid-size REs
• ₹3,000 crores to ₹10,000 crores – Small-size REs
• Up to ₹3,000 crores – Self-certification REs

The highest category for an AIF is Mid-size RE and no AIF shall be treated as a Qualified RE as per this revised categorisation. Further, AIFs classified as Self-certification REs and with a client base of less than 100 clients are exempt from the requirement to mandatorily implement the Market-SOC (M-SOC) requirement.

The category of REs shall be determined at the beginning of the financial year, based on data from the preceding financial year. Once classified, an RE shall retain its designated category throughout the financial year, regardless of any changes in the relevant parameters during that period.

Investment managers of AIFs and VCFs classified as self-certification REs and with a client base of less than 100 have been exempted from the mandatory MarketSOC (M-SOC) requirement.

The April 2025 CSCRF Circular has reduced the compliance burden on AIFs that was imposed by the August 2024 CSCRF Circular. The Market-SOC (M-SOC) requirement entails the establishment of a Security Operations Centre (SOC) providing services such as 24×7 security monitoring, incident management, SIEM (Security Information and Event Management) implementation, threat intelligence, log retention, dashboard reporting, and compliance reporting. Under the August 2024 CSCRF Circular, onboarding SOC was mandatory for all AIFs. Now under the April 2025 CSCRF Circular, M-SOC is not mandatory for AIFs classified as Self-Certification REs having a client base of less than 100 clients.

Further, as per SEBI’s circular dated March 6, 2023, under the ‘Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)’, Qualified Regulated Entities must mandatorily implement a dedicated Hardware Security Module (HSM) by June 30, 2025. However, mid-size, small-size, and self-certification Regulated Entities may adopt alternative security measures in place of an HSM, provided such alternatives are supported by a risk assessment duly approved by the Regulated Entities’ Board, Partners, or Proprietor, as applicable, and implemented no later than June 30, 2025. Since the highest classification for an AIF under the April 2025 CSCRF Circular is that of a Mid-Size, all AIFs may use alternative security measures in place of an HSM.