Introduction
The question of corporate board responsibility for cybersecurity has evolved from a matter of technical management into one of the most pressing questions in contemporary corporate governance and IT law. As cyberattacks become more frequent, more sophisticated, and more consequential, the adequacy of board-level oversight of cybersecurity risks has become a subject of regulatory attention, shareholder scrutiny, and increasingly, legal liability. In India, this evolution is still in an early phase, with existing legal frameworks providing partial and sometimes inconsistent guidance, while international developments, particularly in the United States and the United Kingdom, are beginning to define a global standard of director accountability for cybersecurity governance that Indian law will eventually need to match.
The AIIMS Delhi ransomware attack of November 2022 served as a stark illustration of the systemic risks posed by inadequate cybersecurity governance in critical public infrastructure. The attack paralysed the hospital’s digital systems for weeks, forcing doctors to revert to paper-based records and affecting the treatment of thousands of patients. It raised fundamental questions about the cybersecurity governance standards applicable to government-run healthcare institutions, the preparedness of public sector entities to respond to cyber incidents, and the accountability mechanisms available when critical infrastructure fails to protect its digital systems.
This article examines the current Indian legal framework for corporate cybersecurity obligations, the specific role of board directors in cybersecurity governance, the CERT-In Directions of 2022, the emerging SEBI framework for listed companies, and the case for clearer personal director liability in cybersecurity matters.
Legal Framework
Section 43A of the Information Technology Act, 2000 provides the foundational basis for corporate liability arising from cybersecurity failures. It imposes on a “body corporate” that possesses, deals with, or handles sensitive personal data or information the obligation to maintain “reasonable security practices and procedures.” Where the body corporate fails to do so and thereby causes wrongful loss or wrongful gain to any person, it becomes liable to pay compensation. The provision was inserted by the IT (Amendment) Act, 2008 and represents an attempt to impose data security obligations on entities that handle personal data, predating the broader personal data protection framework subsequently developed.
The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, notified under Section 43A, define the categories of sensitive personal data (including passwords, financial information, health information, and biometric data) and specify that reasonable security practices means compliance with ISO/IEC 27001, or a security standard notified by the government, or as approved by a sectoral regulator. The ISO 27001 standard provides a comprehensive information security management system (ISMS) framework, and the 2011 Rules effectively incorporate it by reference as a safe harbour.
The CERT-In Directions issued in April 2022 under Section 70B of the IT Act significantly expanded the cybersecurity reporting obligations of Indian organisations. The Directions require any organisation, including government entities, private companies, and intermediaries, to report cybersecurity incidents to CERT-In within six hours of becoming aware of them. The categories of reportable incidents are broad and include data breaches, ransomware attacks, unauthorized access, network scanning, and identity theft attacks. The Directions also require organisations to maintain logs of their ICT systems for a rolling period of 180 days and to provide them to CERT-In when demanded.
The six-hour reporting window is among the most demanding in any jurisdiction globally; by comparison, the EU Network and Information Security Directive (NIS2) requires notification within 24 hours for significant incidents and 72 hours for confirmed incidents, while the US SEC’s 2023 cybersecurity disclosure rules require disclosure of material cybersecurity incidents within four business days of materiality determination. The CERT-In Directions attracted criticism from industry for the shortness of the reporting window, which may be insufficient for organisations to even identify the scope and nature of an incident before they are required to report it.
Judicial Developments
Indian courts have not yet delivered authoritative judgments on the personal liability of corporate directors for cybersecurity failures, and there have been few reported cases under Section 43A of the IT Act involving substantial judicial analysis of what constitutes reasonable security practices. This is partly because the compensation mechanism under Section 43A is a civil remedy, and parties frequently settle without reported judgments, and partly because the regulatory enforcement machinery has been slow to develop.
The Companies Act, 2013 provides some relevant governance obligations. Section 134 requires the Board of Directors to include in its annual report a statement on the company’s affairs, including risk management policy where applicable. For listed companies, the Securities and Exchange Board of India (SEBI) has imposed detailed risk management framework requirements through its Listing Obligations and Disclosure Requirements (LODR) Regulations, under which the Board is required to ensure that a Risk Management Committee is constituted and that material risks, including cyber risks, are disclosed. While these provisions do not specifically mandate cybersecurity governance standards at the board level, they create a framework within which cybersecurity risk management is a board-level responsibility.
SEBI’s June 2023 circular on Cybersecurity and Cyber Resilience Framework (CSCRF) for Securities Market Intermediaries marked a significant step toward formal board-level accountability in cybersecurity. The circular requires stock exchanges, depositories, clearing corporations, brokers, mutual funds, and other market participants to designate a Chief Information Security Officer (CISO), establish a cybersecurity governance framework with board oversight, conduct regular vulnerability assessments and penetration testing, and comply with specified incident response and business continuity requirements.
Contemporary Issues and Analysis
The AIIMS Delhi ransomware attack is a useful case study in cybersecurity governance failure at the institutional level. The hospital’s digital infrastructure, serving one of the world’s highest-volume referral hospitals, proved vulnerable to an attack that encrypted critical patient data and system files, demanding a ransom for decryption. The attack’s duration, the weeks-long disruption and the absence of rapid recovery, indicated not merely a failure of perimeter security but a failure of business continuity planning, incident response preparedness, and backup architecture.
The governance questions raised by the AIIMS attack are acute. Who at the institutional level was responsible for ensuring adequate cybersecurity standards? What regulatory framework governs cybersecurity in government hospitals? The Ministry of Health and Family Welfare’s Health Data Management Policy provides guidance on data governance but is not a mandatory cybersecurity standard with enforcement mechanisms. The Computer Emergency Response Teams at the central level and various states can provide post-incident support but do not have ex ante oversight authority comparable to a sectoral cybersecurity regulator.
For private corporations, the governance question is sharper because the legal framework for director liability, while not cybersecurity-specific, does impose general duties of care and filigree oversight on directors. Section 166 of the Companies Act, 2013 requires directors to act in good faith to promote the objects of the company and to exercise independent judgment. A director who fails to ensure adequate board-level oversight of cybersecurity risks, resulting in a material breach that causes harm to stakeholders, may arguably be in breach of their duty under Section 166 if the standard of oversight falls below what a reasonably diligent director in that sector would maintain.
The data protection dimension adds another layer. Under the DPDP Act 2023, a Data Fiduciary that fails to implement appropriate technical and organisational measures to protect personal data is liable for penalties. The Act’s penalty framework is tiered, with breaches resulting in personal data leaks attracting penalties of up to Rs. 250 crore. However, the DPDP Act’s liability framework is directed at the Data Fiduciary entity rather than its individual directors, and the question of when personal director liability arises for data protection failures is not clearly resolved.
Comparative and International Perspective
The US Securities and Exchange Commission’s cybersecurity disclosure rules, adopted in July 2023, require public companies to disclose material cybersecurity incidents within four business days of determining materiality and to provide annual disclosures about their cybersecurity risk management, strategy, and governance practices. Crucially, the annual disclosure must include information about board oversight of cybersecurity risks, including whether any board members have cybersecurity expertise and how the board is informed of cybersecurity risks. This framework directly places cybersecurity at the board level by requiring public accountability for board oversight quality.
In the UK, the Network and Information Systems (NIS) Regulations 2018 (implementing the EU’s original NIS Directive) impose obligations on operators of essential services and digital service providers, with the Information Commissioner’s Office and sector-specific competent authorities responsible for enforcement. The Regulations can impose penalties of up to £17 million for serious failures, and while they do not explicitly provide for director liability, the corporate penalty regime combined with Companies Act director duties creates indirect accountability pressure.
The EU’s NIS2 Directive, transposed into member state law by October 2024, strengthened this framework by explicitly requiring management bodies (equivalent to boards of directors) to approve cybersecurity risk management measures, oversee their implementation, and be held liable for infringements. Article 20 of NIS2 provides that member states shall ensure that management bodies of essential and important entities can be held liable for infringements, and that management body members may be temporarily prohibited from exercising managerial functions in cases of repeated or severe infringements. This represents the clearest statement in international law of personal director accountability for cybersecurity governance failures.
Practical and Policy Implications
For Indian corporate boards, the practical implications of the evolving cybersecurity governance landscape are significant. Boards of listed companies should ensure that cybersecurity risk is a standing agenda item in board meetings, that a designated board committee has explicit oversight responsibility, and that the board receives regular (at minimum quarterly) reports from the CISO on the organisation’s cybersecurity posture, incident history, and remediation status.
For SEBI-regulated entities, compliance with the CSCRF framework is mandatory, and the board-level governance requirements it imposes should be treated as minimum standards. Given the pace of regulatory evolution, many entities would benefit from exceeding these minimum standards in anticipation of more demanding requirements.
For companies handling sensitive personal data under the DPDP Act, the appointment of qualified information security professionals, the implementation of an ISMS compliant with ISO 27001 or an equivalent standard, and the maintenance of documented evidence of these practices are essential both for regulatory compliance and as a defence against potential claims under Section 43A of the IT Act.
Suggestions and Reforms
India should introduce a dedicated Cybersecurity Act that consolidates and strengthens the fragmented provisions currently spread across the IT Act, CERT-In Directions, SEBI regulations, and the DPDP Act. Such legislation should define clear cybersecurity standards for different categories of organisations (critical infrastructure operators, financial services providers, healthcare entities, and general businesses) based on a risk-tiered approach. It should impose explicit board-level oversight obligations, require mandatory CISO appointments for organisations above a defined size threshold, and establish a clear incident reporting framework that provides sufficient time for initial assessment while ensuring prompt regulatory notification.
On director liability specifically, the law should clarify that directors who fail to exercise reasonable oversight of cybersecurity governance, where that failure materially contributes to a significant breach, may be held personally liable alongside the corporate entity. This standard should not create disproportionate liability for directors who acted in good faith on reasonable advice, but it should deter the current widespread pattern of board-level disengagement from cybersecurity governance.
Conclusion
Corporate board responsibility for cybersecurity is no longer a peripheral concern of information technology management. It is a central dimension of corporate governance, regulatory compliance, and fiduciary duty. India’s legal framework, while providing some foundations through the IT Act, the CERT-In Directions, and the SEBI CSCRF, falls short of the integrated, board-centric accountability framework that the scale and sophistication of contemporary cyber threats require. The experiences of AIIMS Delhi and the global evolution of cybersecurity governance law provide both the justification and the template for reform. India’s corporate boards, regulators, and legislators must together recognise that in the digital economy, cybersecurity governance is governance itself.