CERT-In Audits for AIFs: Understanding SEBI’s Cybersecurity Guidance

Introduction
In August 2024, the Securities and Exchange Board of India (SEBI) issued the Cyber Security and Cyber Resilience Framework (CSCRF), a comprehensive set of requirements for all regulated entities. For Category I and II Alternative Investment Funds (AIFs), the deadline for full compliance is August 31, 2025.
One of the most important aspects of this framework is the requirement to undergo annual cybersecurity audits conducted by CERT-In empanelled firms. This move brings cybersecurity in the AIF industry under a uniform, government-backed audit structure.
Why CERT-In Audits Are Required
Regulatory credibility
SEBI has made it clear that only CERT-In empanelled auditing organizations can carry out audits under CSCRF. These firms follow detailed audit principles issued by the Indian Computer Emergency Response Team (CERT-In), ensuring consistency, independence, and quality across all audits.
National oversight
Audit results do not stay within the fund manager’s internal files. CERT-In requires auditors to share audit metadata within 5 days of completion. This means that cyber risk at the fund level also feeds into India’s larger national security and regulatory ecosystem.
Governance and accountability
Audit findings are no longer just technical reports. SEBI mandates that Boards or Trustees must formally review and approve cybersecurity policies, critical systems inventories, and audit outcomes. This elevates cybersecurity from a purely IT concern to a boardroom responsibility.
What the Audit Involves
A CERT-In audit under CSCRF follows a structured cycle:
- Vulnerability Assessment and Penetration Testing (VAPT)
  - Must be conducted annually by a CERT-In empanelled firm.
  - Requires 100% coverage of critical systems and at least 25% coverage of non-critical systems.
- Remediation and Revalidation
  - High- and medium-severity issues must be closed within 90 days.
  - A revalidation by the same CERT-In auditor must happen within 5 months to confirm fixes.
- Independent Cybersecurity Audit
  - Mandatory for Small-size (₹3,000–10,000 Cr AUM) and Mid-size (>₹10,000 Cr AUM) AIF managers.
  - Conducted by a CERT-In auditor who is independent from the VAPT vendor.
  - Must cover governance, SOC monitoring, incident response, and vendor oversight.
- Reporting
  - Audit reports must be submitted to SEBI within 1 month of completion.
  - Boards/Trustees must review and approve remediation action plans before submission.
- Audit Rotation
  - AIF managers must rotate their auditors every 3 years to preserve independence and objectivity.
For detailed guidance, see the practical guide we published earlier.
Responsibilities for AIF Managers
- Classification: Managers must classify themselves as Self-certified, Small-size, or Mid-size based on AUM as of March 31 each year. This classification determines audit obligations.
- Documentation: Managers must maintain up-to-date system inventories, risk registers, SOC logs, and remediation trackers to remain “audit ready.”
- Vendor management: Only CERT-In empanelled auditors may be engaged. Early selection is essential to avoid last-minute capacity crunches in 2025.
- Board engagement: Boards/Trustees are directly responsible for approving cybersecurity policies and reviewing audit outcomes. Evidence of Board oversight must be documented for compliance submissions.
Implications of Non-Compliance
Failing to comply with CSCRF requirements can result in:
- Regulatory action such as warning letters, mandated special audits, or restrictions on investor onboarding.
- Reputational risk with investors, especially global LPs that conduct detailed operational due diligence.
- Operational exposure to ransomware, data breaches, or service disruptions—events that SEBI now treats as fiduciary risks.
Best Practices for AIFs
- Engage auditors early: With deadlines converging, CERT-In auditors may face scheduling bottlenecks.
- Institutionalize governance: Add cybersecurity reviews to quarterly board agendas.
- Integrate compliance calendars: Align VAPT, remediation, audit, and SEBI submission deadlines into a single compliance calendar.
- Document thoroughly: Keep detailed evidence—system inventories, action taken reports, and SOC outputs—for Board and SEBI review.
- Communicate with investors: Position strong cybersecurity oversight as part of your operational risk management framework.
Conclusion
The integration of CERT-In audits into SEBI’s CSCRF marks a major shift in how AIFs are expected to manage cyber risk. This framework is not only about protecting investor data—it is about embedding cyber resilience into fiduciary governance.
For AIF managers, the message is clear: cybersecurity compliance is no longer optional, technical, or back-office. It is now a core governance responsibility—and an opportunity to strengthen trust with regulators, Boards, and investors.