Sify Technologies Limited and its subsidiaries have processes in place for assessing, identifying, and managing material risks from potential unauthorized access to its information systems that could adversely affect the confidentiality, integrity, or availability of the information systems or the information stored on those systems. These include a wide variety of mechanisms, controls, technologies, methods, systems, and other processes that are designed to prevent, identify, detect, recover & respond, or mitigate data loss, theft, misuse, unauthorized access, or other security incidents or vulnerabilities affecting the data.

From a business perspective, this means protecting key information assets and complying with applicable international and national data privacy and protection laws, information security policies and contractual obligations. The Company’s Information Security Policy, adopted in information security management objectives and principles, and the Data Protection Policy, provides for a consistent level of enterprise-wide data protection. The data includes confidential, proprietary, business and personal information that is collected, processed, stored, and transmitted as part of business, including on behalf of third parties. The Company also uses systems and processes designed to reduce the impact of a security incident at a third-party vendor or customer. Additionally, the Company uses processes to oversee and identify material risks from cybersecurity threats associated with our use of third-party technology and systems, including technology and systems we use for encryption, authentication, employee email and other functions.

The organization policies are applicable to Sify Technologies and its subsidiaries and are part of the overall Information Security Management System (ISMS) that is currently being operationalized. Processes for assessing, identifying, and managing material risks from cybersecurity threats are integrated into the overall enterprise risk management system, which is developed with input from internal and external experts. The company collaborates with external experts to maintain our security posture and conduct periodic vulnerability assessment and penetration testing done. The main cyber and information security objectives are to maintain information confidentiality, integrity, and availability.

As part of the risk management process, we conduct application security assessments, vulnerability management, penetration testing, security audits, and ongoing risk assessments. The organization has a robust incident response process which includes identify, detect, reporting, response and recover process to comply with various regulatory requirements, when incidents are detected. All employees are required to mandatorily undertake data protection, security and compliance programs annually.  Our senior leadership oversees our efforts to prevent, detect, mitigate, and remediate cybersecurity risks and incidents through various means, which may include briefings from internal security personnel; information obtained from governmental, public or private sources, including external consultants engaged by us; and alerts and reports produced by security tools (including AI-enabled security tools) deployed in our IT Systems environment.

In addition to the internal cybersecurity capabilities, as and when required, we also engage assessors, consultants, auditors, or other third parties to assist with assessing, identifying, and managing cybersecurity risks.

During the year ending March 31, 2026, the Company did not identify any material cybersecurity incidents that may have materially affected us, but we face certain ongoing risks from cybersecurity threats that, if realized, are reasonably likely to affect us which can be referred in the “Risks Related to our Company and Industry” section  under heading "Cybersecurity threats could damage our reputation or result in liability to us”