The Board Must Own This – India’s Cybersecurity Compliance Reality 2026

Enforcement-driven accountability has replaced compliance-driven reporting. Regulators are acting. Boards must lead.

FIVE FACTS EVERY DIRECTOR MUST OWN   —   Before Reading Further

  1. The scale is real. Malware detections in India reached 369 million in 2024 — up from 5 million in 2021. The average breach costs ₹5 crore. India is the world’s second most targeted nation for data theft — 95 entities targeted in 2024, behind only the US (per CloudSEK’s dark web monitoring dataset).
  2. Regulators are enforcing, not just warning. RBI imposed 353 penalties totalling ₹78 crore in FY25 — including named major banks. The Data Protection Board of India is now operational with penalties up to ₹250 crore per violation.
  3. CERT-In log retention: know which rule applies to you. ICT system logs: 180 days, within India, for all organisations. 5 years applies only to subscriber/customer registration data held by Data Centres, VPS providers, Cloud Service Providers, and VPN providers — and to KYC and transaction records held by virtual asset service providers. Building a 5-year architecture for standard ICT logs wastes budget and may still fail the residency requirements auditors actually check.
  4. Your incident response plan has probably never been tested. SEBI, CERT-In, RBI, and IRDAI all require notification within 6 hours. The average Indian organisation takes 263 days to detect and contain a breach (IBM India 2025) — with complex incidents taking up to 327 days. A plan in a SharePoint folder is not a capability.
  5. DPDP enforcement is expected around May 2027, based on the current 18-month rule progression. Full readiness takes 12 months minimum. Data mapping, consent mechanism build, DSR workflows, DPO hiring — none of this is quick. If you have not started, you are already behind.

If your organisation is hit by a cyber breach tonight, the regulatory clock starts immediately. Four to six hours. That’s your window. Most Indian organisations take 263 days on average to detect and contain a breach (IBM India 2025).

Let that gap settle. Hours versus months. That’s not a technology problem — that’s governance failure, staring us in the face.

Cybersecurity in India has moved from compliance-driven reporting to enforcement-driven accountability. The penalties are no longer theoretical. The board members being held accountable are no longer abstractions. In my experience with BFSI and insurance clients, the shift became real the moment RBI started naming banks — not sectors. Banks. Institutions people recognise.

Let’s be direct: if a breach occurs tonight, who in your organisation makes the decision to notify the regulator?

In most organisations, that decision requires a chain of approvals. By the time it reaches the right person, the window has closed. That delay is where non-compliance begins — not in the technology, but in the governance.

“Cybersecurity is no longer an optional safeguard but the foundation of financial stability in the digital age.”

— M. Nagaraju, IAS — Secretary, Department of Financial Services, Ministry of Finance

WHERE DOES YOUR ORGANISATION SIT?

Most teams I speak with believe they’re at Stage 3. When we actually dig in — tabletop exercises, log residency, 24×7 escalation paths — they’re almost always at Stage 1.

| Maturity Stage | Primary Focus | Board Reality | Indian Regulatory Position |
|---|---|---|---|
| Stage 1 Compliance | Audit readiness | Controls documented. Still vulnerable. | Satisfies annual IS audit. Fails during a live incident. |
| Stage 2 Visibility | Logs & alerts | Detection exists. Response is slow and reactive. | Partially meets CERT-In log mandate. Will fail 6-hour SLA. |
| Stage 3 Protection | Active controls | Attacks blocked in real time. Preventive posture. | Meets most CERT-In, RBI, SEBI, IRDAI technical mandates. |
| Stage 4 Resilience | Tested response capability | Incident occurs. Obligations met. Damage contained. | Meets all mandates including SEBI’s 6-hour SLA and all other regulators. The target. |

The goal of Indian cybersecurity regulation is Stage 4. The question every board should ask is: which stage are we actually at — not which stage our last audit report claims?

1. By the Numbers — The Scale Every Board Must Own


Deploy security AI extensively and save ₹13 crore per breach against a ₹19.5 crore average. That case makes itself. One caveat: Shadow AI — employees using AI tools without oversight — adds ₹1.79 crore per breach (IBM Cost of a Data Breach Report 2025, India). 60% of Indian organisations lack an AI governance policy or are still developing one — which means the risk is unmonitored, not absent. You cannot secure what you cannot see. Shadow AI is invisible by definition — and invisible risk does not stay theoretical.

What this means in one line: You are operating in a 6-hour regulatory environment with a 263-day detection reality. That gap is where your liability lives.

 

2. What India’s 2024 Breaches Actually Reveal

Healthcare accounted for 21% of malware cases, Hospitality 19%, BFSI 17%. Percentages don’t tell the real story — I’ve seen boards shrug at ‘only 17% BFSI’ until their own name lands in an IRDAI audit. What these numbers actually reveal is which regulatory controls were absent. Let’s be direct about what each of these incidents tells us.

 

2024 · Insurance

Star Health Insurance — 31 Million Patients

Sensitive data of 31 million policyholders — medical records, PAN details, policy information — offered for sale on the dark web for up to $150,000. IRDAI audits now routinely open with explicit reference to the Star Health incident as the benchmark failure case. Controls absent: continuous monitoring, data classification, access governance. All three are explicitly mandated by IRDAI’s 2023 Cyber Guidelines.

[Healthcare / Insurance]  [IRDAI Mandate Gap]  [Access Control Failure] 

 

2024 · BFSI

WazirX — $230 Million Stolen

One of India’s largest crypto exchanges lost $230 million via a multisig wallet breach exploiting discrepancies between the custody provider’s interface and actual transaction data. Root cause: third-party risk failure. CERT-In’s Directions, RBI’s TPRM 2023 guidelines, and SEBI’s supply chain requirements all explicitly mandate controls that would have caught this. No internal security tool prevents a failure you outsourced without adequate oversight.

[BFSI]  [Third-Party Risk Failure]  [CERT-In / RBI TPRM Mandate Gap] 

 

2024 · Telecom

BSNL — 278GB Leaked; Second Breach in 12 Months

State-owned BSNL suffered its second material breach within a year: 278GB of sensitive data including IMSI numbers and SIM details leaked. Technology didn’t fail twice in twelve months. Governance did. DoT’s November 2024 Telecom Cybersecurity Rules — mandatory security audit cycles, incident reporting, and log retention — are designed precisely to surface and prevent this pattern.

[Telecom]  [Recurring Governance Failure]  [DoT Rules 2024 Mandate Gap] 

 

2024 · BFSI

Angel One — 8 Million Records; Cloud Misconfiguration

8 million customer records exposed via an unsecured cloud storage bucket. Cloud misconfiguration accounted for 12% of all Indian breaches in 2024 — and breached data stored in public clouds carried the highest average cost per incident. SEBI’s Cloud Guidelines and Cloud Security Posture Management (CSPM) controls are specifically designed to prevent this. If your cloud security is not continuously monitored, it is not secured.

[BFSI]  [Cloud Misconfiguration]  [SEBI Cloud Guidelines Gap] 

 

The Pattern Across All Four Incidents

Third-party compromise, cloud misconfiguration, inadequate access controls, and absent continuous monitoring dominate India’s 2024 breach landscape. These are not exotic zero-days. Every one is controllable, and every regulator in India explicitly requires controls targeting each one. These breaches did not happen because the regulations were insufficient. They happened because the controls were not operational.

3. The Regulatory Stack — Seven Frameworks, One Organisation

India does not have a single cybersecurity law. Your compliance architecture is a multi-layered, sector-specific stack — and where frameworks overlap, the stricter control applies. A fintech regulated by both RBI and SEBI must comply with all applicable mandates — including the 6-hour incident reporting SLA shared by SEBI, CERT-In, RBI, and IRDAI. Full stop.

Enforcement Reality — FY 2024-25

RBI: 353 penalties totalling ₹54.78 crore. Kotak Mahindra Bank (₹3.95 crore for IT security lapses), Punjab National Bank (₹2 crore), Yes Bank (₹1.5 crore) — and named major institutions including ICICI Bank and Deutsche Bank India. Every tier of the financial system is in scope.

DPBI: Operational. Accepting breach notifications. Maximum penalty ₹250 crore per violation. First actions expected to target high-visibility organisations.

 

| Framework | Regulator | Sectors | Key Consequence |
|---|---|---|---|
| CERT-In Directions 2022 | MeitY / CERT-In | All entities in India | Regulatory action including fines and potential criminal liability (IT Act Sec 70B) |
| DPDP Act 2023 + Rules 2025 | DPBI | All processors of Indian citizens’ data | Up to ₹250 Crore per violation |
| RBI IT Master Direction 2024 | RBI | Banks, NBFCs, Payment Systems | ₹54.78Cr imposed across 353 entities in FY25 |
| SEBI CSCRF Aug 2024 | SEBI | Exchanges, Brokers, AMCs, RTAs | ₹20,000/day + trading suspension |
| IRDAI Cyber Guidelines 2023 | IRDAI | Insurers, Intermediaries | Licence suspension |
| Telecom Cybersecurity Rules 2024 | DoT | Telecom Service Providers | Licence cancellation |
| IT Act 2000 (Sec 43, 66, 69) | MeitY / Courts | All | Criminal liability for responsible officers |

The Strictest Standard Obligation

Where mandates overlap, organisations must implement the stricter control and meet the shortest applicable SLA. Build your security programme for your most demanding regulator. Everything else will fall within that envelope.

4. CERT-In Directions 2022 — The Baseline You Cannot Opt Out Of

Every organisation in India — regardless of size, sector, or domicile — is subject to CERT-In’s 2022 Directions. The Directions apply broadly — across service providers, intermediaries, body corporates, data centres, and government organisations. CERT-In has empanelled 155 audit organisations. The infrastructure to enforce this is in place. And frankly, these four controls are where most organisations fall apart:

Four Controls That Fail Most Often

  1. 6-Hour Incident Reporting. Not a forensic report — a signal: ‘We have an incident and are investigating.’ If your organisation cannot make that call within hours, your governance model is the failure point. India gives 6 hours. GDPR gives 72.
  2. 180-Day ICT Log Retention. See the correction box below. The most expensive misconception in Indian compliance today.
  3. NTP Time Synchronisation. Determines whether your forensic evidence stands or collapses. Incorrect timestamps invalidate logs. CERT-In auditors check this first.
  4. 24×7 Point of Contact. A named individual reachable at 2am on a Sunday — not a shared mailbox, not a help desk. Nominating a PoC who only works business hours is exposure, not compliance.

CERT-In Log Retention — Two Rules, Two Entity Types

The CERT-In Directions 2022 create two separate retention obligations, frequently conflated in vendor presentations and compliance documents:

Rule 1 — All organisations (ICT system logs): 180 days, within Indian jurisdiction, tamper-evident, immediately producible on demand. This applies to every service provider, intermediary, data centre, body corporate and government organisation.

 

Rule 2 — Data Centres, VPS, Cloud and VPN providers only (subscriber data): 5 years after account termination — for validated subscriber/customer registration information (names, IPs, email, address, ownership pattern). Virtual asset service providers carry the same 5-year obligation for KYC and financial transaction records.

 

Why this matters: Organisations that apply the 5-year subscriber data rule to all ICT logs can spend 10× more on storage and SIEM than required — while still failing the Indian data residency and tamper-evidence requirements that CERT-In auditors actually examine. Know which rule applies to your entity type.
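To turn the two retention rules into something an engineer can check rather than just document, here is an added example (written for this discussion, not code from CERT-In or any vendor). It audits a constructed log-store inventory against Rule 1 and Rule 2, including residency, and verifies a hash-chained log as one way to make "tamper-evident" testable; the inventory fields, entity-type labels and finding strings are assumptions of the example.

```python
import hashlib
import json

# Rule 1 (all organisations): ICT system logs, 180 days, within India, tamper-evident.
ICT_LOG_MIN_DAYS = 180
# Rule 2 (DC / VPS / cloud / VPN providers, and VASPs): subscriber or KYC data, 5 years.
SUBSCRIBER_MIN_DAYS = 5 * 365
RULE2_ENTITY_TYPES = {"data_centre", "vps", "cloud", "vpn", "vasp"}


def audit_store(store: dict, entity_type: str) -> list:
    """Return findings for one log store (an empty list means the store passes).

    Store keys are assumptions of this example: name, data_class ("ict_log" or
    "subscriber_data"), retention_days, in_india (bool).
    """
    findings = []
    days = store["retention_days"]
    if store["data_class"] == "subscriber_data":
        if entity_type not in RULE2_ENTITY_TYPES:
            findings.append("rule2-not-applicable: 5-year rule only binds DC/VPS/cloud/VPN/VASP")
        elif days < SUBSCRIBER_MIN_DAYS:
            findings.append("rule2-short: subscriber data retained under 5 years")
    else:
        if days < ICT_LOG_MIN_DAYS:
            findings.append("rule1-short: ICT logs retained under 180 days")
        elif days >= SUBSCRIBER_MIN_DAYS:
            findings.append("rule1-overbuilt: 5-year retention applied to ICT logs")
    # Residency applies under both rules: a store outside India fails regardless of size.
    if not store["in_india"]:
        findings.append("residency: log store is outside Indian jurisdiction")
    return findings


def audit_inventory(inventory, entity_type):
    """Map each store name to its findings."""
    return {s["name"]: audit_store(s, entity_type) for s in inventory}


# Tamper evidence: each record carries the SHA-256 of its predecessor plus its own payload,
# so editing or deleting any earlier record breaks every link after it.
def _record_hash(prev_hash: str, payload: dict) -> str:
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def chain_records(payloads):
    """Link raw log events into a hash chain anchored at a fixed genesis value."""
    records, prev = [], "0" * 64
    for payload in payloads:
        digest = _record_hash(prev, payload)
        records.append({"prev_hash": prev, "payload": payload, "hash": digest})
        prev = digest
    return records


def first_broken_index(records) -> int:
    """Return the index of the first record whose link fails, or -1 if the chain is intact."""
    prev = "0" * 64
    for i, rec in enumerate(records):
        if rec["prev_hash"] != prev or _record_hash(prev, rec["payload"]) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


# Constructed sample inventory for a bank: a "body corporate", so Rule 2 does not bind it.
SAMPLE_INVENTORY = [
    {"name": "firewall-syslog", "data_class": "ict_log", "retention_days": 180, "in_india": True},
    {"name": "app-audit-trail", "data_class": "ict_log", "retention_days": 90, "in_india": True},
    {"name": "siem-cold-tier", "data_class": "ict_log", "retention_days": 1825, "in_india": False},
]

# Constructed sample events for the chain check.
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T02:14:05Z", "src": "10.0.0.5", "event": "admin login"},
    {"ts": "2024-06-01T02:15:40Z", "src": "10.0.0.5", "event": "config change"},
    {"ts": "2024-06-01T02:16:02Z", "src": "10.0.0.9", "event": "logout"},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, "body_corporate").items():
        print(name, findings or "OK")
    chain = chain_records(SAMPLE_EVENTS)
    chain[1]["payload"]["event"] = "routine check"  # an after-the-fact edit to a stored record
    print("first broken record:", first_broken_index(chain))  # 1
```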

 

Board-level reality: if these four controls are not operational — not documented, not audited annually, but actively functioning — your organisation is not compliant, regardless of what your last IS audit report says.

 

5. DPDP Act 2023 — India’s ₹250 Crore Inflection Point

The Digital Personal Data Protection Act 2023, with Rules notified in November 2025, is the most consequential data legislation India has seen. Full enforcement is expected around May 13, 2027 — a date drawing closer every quarter based on current rule progression. The DPBI is already operational and accepting breach notifications. This is live now. And most boards will not admit it publicly — but their DPDP readiness is still zero.

 

Critical GDPR Difference

No ‘legitimate interests’ lawful basis. Consent is the near-exclusive basis under DPDP. This restructures marketing analytics, HR data processing, B2B profiling, and platform personalisation. Your GDPR framework cannot be redeployed. The consent architecture must be rebuilt from scratch.

 

| DPDP Obligation | Practical Meaning | Penalty |
|---|---|---|
| Consent Framework | Specific, standalone, informed consent per purpose — as easy to withdraw as to give. Not bundled with T&Cs. | Up to ₹250 Crore |
| Breach Notification | Notify DPBI and affected individuals without delay. Detailed report within 72 hrs. No materiality threshold — all personal data breaches must be reported. | Up to ₹200 Crore |
| Children’s Data | Verifiable parental consent for anyone under 18. No behavioural targeting or tracking whatsoever. | Up to ₹200 Crore |
| Data Principal Rights | Access, correction, erasure, nomination — mechanism must be publicly accessible, functional, and responsive. | Up to ₹150 Crore |
| Significant Data Fiduciary | Appoint DPO, conduct annual DPIA, undergo annual audit. DPBI is notifying criteria. | Up to ₹150 Crore |

The Timeline Is Running

The expected May 2027 enforcement window is drawing closer. A realistic DPDP readiness programme — enterprise data mapping, consent mechanism redesign, privacy notice overhaul, DSR workflow build, DPO hiring and onboarding, vendor contract amendments, staff training — takes a minimum of 12 months for any mid-sized organisation. If you have not started, you are already behind.

6. Sector Obligations — Named Penalties, Named Institutions

Each regulated sector carries its own overlay on top of CERT-In’s baseline. The key point: where mandates overlap, the stricter applies. A bank regulated by both RBI and SEBI does not get to choose the 6-hour SLA.

 

| Sector | Framework | The Mandate That Matters Most | What Boards Must Know |
|---|---|---|---|
| BFSI | RBI IT Master Direction 2024 | CISO reports to MD/CEO or Board — not CTO. Cloud: contractually guaranteed Indian data residency and audit rights. | I keep seeing the same pattern: organisations discover the cost only after the enforcement notice. RBI fined named major banks — Kotak (₹3.95Cr), PNB (₹2Cr), Yes Bank (₹1.5Cr) — in a single year. Scale does not buy immunity. |
| Capital Markets | SEBI CSCRF Aug 2024 | 6-hour incident reporting SLA, consistent with CERT-In. IS audit every 6 months for MIIs. NSE/BSE Market SOCs mandated for smaller brokers. | Build your IR capability to the 6-hour window. SEBI, CERT-In, RBI, and IRDAI all share this SLA. |
| Insurance | IRDAI Cyber Guidelines 2023 | Dedicated CISO (not dual-hat). All policyholder data within India. 6-hour incident reporting. Annual board-level compliance report. | IRDAI audits now open with the Star Health breach as the reference failure. Access control and data classification reviews are non-negotiable for any insurer. |
| Telecom | DoT Rules Nov 2024 + DLT | 6-hour reporting, 2-year log retention, mandatory audits for TSPs. DLT template registration for all sectors using commercial comms. | Banks, fintechs, insurers, and e-commerce platforms must register comms templates on DLT. If you haven’t confirmed your DLT status, check today. |

 

At this point, the question is no longer what the regulations say. The question is whether your organisation can execute against them.

7. Incident Response — Where Compliance Becomes Real

Most organisations discover their IR plan does not work during a live incident. That is the worst possible time to find out.

The average Indian organisation takes 263 days to identify and contain a breach (IBM India 2025) — with complex multi-environment incidents taking up to 327 days (IBM India 2024). Regulators expect notification within 6 hours. Most organisations have a documented incident response plan. What they do not have is a tested incident response capability. Those are not the same thing.

 

Most IR plans are written for auditors, not for incidents.

Most are never tested. Not once. Not under pressure. Not at 11pm on a Friday.

“One mid-sized insurance company we worked with last year had a beautifully documented IR plan — laminated, distributed, filed under Compliance. When we ran an unannounced tabletop simulation at 11pm on a Wednesday, it took the team 4 hours and 52 minutes just to get the right three people on a call. No CERT-In notification was ever filed. No one had been briefed on who to call first. The plan was written for the IS audit. Not for the incident.”

What This Means for the Board

  • A documented IR plan that has never been executed under pressure is not a capability. Test it before a regulator does.
  • Organisations that self-detect breaches contain and resolve incidents faster — IBM 2024 global data shows internal detection saved organisations roughly USD 1 million per breach versus attacker-disclosed breaches. IR readiness is a direct cost-reduction mechanism.

 

Regulators measure response time. Attackers exploit detection delay. The gap between the two is where your liability lives.

SEBI, CERT-In, RBI, and IRDAI all require notification within 6 hours. DPDP gives 72 hours for personal data breaches. Build your IR capability to the 6-hour window — one SLA covers every Indian financial regulator.

 

8. Regulatory Heat Map — Controls at a Glance

This single-page reference shows the control status across all seven major Indian regulatory frameworks. Where mandates overlap, implement the stricter. M = Mandatory. R = Recommended. A = Advisory.

 

| Control Domain | CERT-In | DPDP | RBI | SEBI | IRDAI | DoT | Govt/MeitY |
|---|---|---|---|---|---|---|---|
| Governance & Policy | M | M | M | M | M | M | M |
| Access Control / IAM + PAM | M | M | M | M | M | M | M |
| Encryption (Rest & Transit) | M | M | M | M | M | M | M |
| Incident Response | 6 hr | 72 hr | 6 hr | 6 hr | 6 hr | 6 hr | M |
| Log Management / SIEM | 180 days | M | M | M | M | 2 yrs | M |
| Vulnerability & VAPT | M | A | M | M | M | M | M |
| Cloud Security | M | M | M | M | M | A | M |
| Data Localisation | | Children’s data | M | M | M | M | M |
| Third-Party / Supply Chain | M | M | M | M | M | M | M |
| CISO Appointment | A | SDF only | M | M | M | A | R |

 

Note: Incident reporting timelines (SEBI/CERT-In/RBI/IRDAI/DoT: 6 hrs; DPDP: 72 hrs for personal data breaches). Organisations subject to multiple regulators must meet the shortest applicable SLA. This matrix is indicative — always refer to the primary circular for authoritative requirements.

 

Build to the 6-hour SLA — it covers SEBI, CERT-In, RBI, IRDAI and DoT simultaneously.

9. Five Compliance Failures That Repeat Across Every Sector

  1. Log retention misconfigured — not stored in India, or wrongly sized. The 180-day ICT log mandate requires Indian data residency, tamper-evidence, and immediate producibility. Many organisations store logs in overseas cloud regions for cost reasons. Legally non-compliant. Operationally dangerous. And 33% of critical vulnerabilities remained unpatched for over 6 months in 2024 — the same gap that makes log evidence critical when an incident occurs.
  2. Annual audit mistaken for continuous compliance. Boards treat the annual IS audit report as a clean bill of health. It is a snapshot. The threat landscape does not pause for your audit cycle. Compliance does not fail during audits. It fails during incidents. Between cycles, new systems go live, vendors change, controls drift — and nobody notices until the next audit, or worse, an incident. CERT-In’s empanelment of 155 audit firms, SEBI’s 6-monthly cycle, and RBI’s DAKSH platform are all signals pointing the same direction: continuous evidence, not an annual document.
  3. Incident response plans that have never been tested. A plan in a SharePoint folder is not a capability. The real test is whether your team can execute it at 2am on a Sunday — inside the 4-hour window. Most cannot. Test yours before a regulator does.
  4. Third-party risk managed contractually, not operationally. WazirX ($230M) and Signzy — a KYC provider serving 600+ financial institutions including India’s four largest banks, hit by malware in December 2024 — are the defining third-party risk incidents of 2024. A contract clause is the floor, not the ceiling. Vendors must be scored, assessed, and required to notify you within your own SLA window.
  5. DPDP treated as a future problem. The DPBI is operational. Rules are notified. The clock is running. 60% of Indian organisations lack AI governance policies or are still developing one (IBM 2025, India) — compounding DPDP’s SDF obligations. If you begin readiness in early 2027, you will not have enough time.

 

10. Security Capabilities by Regulatory Category

Selecting security tooling for Indian regulatory compliance requires four criteria beyond the standard vendor evaluation: Indian data residency (contractually guaranteed, not just technically possible); CERT-In empanelment for audit-validity of IS audit work; MeitY empanelment for Government organisations using cloud services; and encryption standard compliance (AES-256 at rest, TLS 1.2+ in transit, Indian PKI compatibility where required).

One question I hear after almost every board presentation: ‘So what tools should we buy?’ It’s the wrong starting point — and it usually tells me the organisation is still at Stage 1, no matter how impressive their vendor shortlist looks.

 

| Security Category | Key Capabilities / Controls | Regulatory Alignment |
|---|---|---|
| Identity & Access Management (IAM) | Multi-Factor Authentication (MFA), Single Sign-On (SSO), Privileged Access Management (PAM), Identity Governance & Administration (IGA), Directory Services | CERT-In, RBI IT Framework, SEBI CSCRF, DPDP |
| Web Application Firewall (WAF) | OWASP Top 10 protection, Rate limiting & bot management, API traffic filtering, Real-time anomaly detection, Virtual patching, DDoS mitigation at application layer | SEBI CSCRF Aug 2024 requires protection of all internet-facing customer applications — WAF is the primary application-layer control satisfying this mandate. RBI IT Master Direction 2024 requires network security controls for internet-facing infrastructure. CERT-In; IRDAI; GIGW |
| SIEM / SOC & Threat Intelligence | Security Information & Event Management (SIEM), Security Orchestration & Automated Response (SOAR), Managed SOC / MSSP (24×7), User & Entity Behaviour Analytics (UEBA), Threat Intelligence Platform | CERT-In (180-day ICT log retention, Indian residency mandatory), RBI, SEBI, IRDAI |
| Data Security & Privacy | Data Classification Engine, Encryption (AES-256 at rest / TLS 1.2+ in transit), Database Activity Monitoring (DAM), Privacy Management & Consent Platform, Data Masking / Tokenisation | DPDP Act 2023, RBI, SEBI, IRDAI (data localisation mandatory) |
| Incident Response & Business Continuity | IR Platform / SOAR Playbook Automation, Digital Forensics & Evidence Management, Immutable & Air-Gapped Backup, BCP / DR Orchestration with tested RTO/RPO | CERT-In (6-hr), RBI (6-hr initial / 24-hr full report), SEBI (6-hr), IRDAI (6-hr), DPDP (72-hr data breach) |
| Governance, Risk & Compliance (GRC) | GRC Platform, IS Audit Management, Continuous Compliance Monitoring, Third-Party Risk Management (TPRM), Security Awareness Training & Phishing Simulation | All Regulators — CERT-In, DPDP, RBI, SEBI, IRDAI, DoT, MeitY |

India-Specific Procurement Considerations

  • CERT-In empanelled auditors only: IS audits must use firms on the empanelled list published at cert-in.org.in. A globally reputable firm that isn’t empanelled does not satisfy the mandate.
  • Local support SLA must match your notification window: A 6-hour regulatory SLA is meaningless if your security vendor’s India support opens at 9am.

 

11. The Board Dashboard — Five Questions to Ask Your CISO Every Quarter

Most boards receive cybersecurity updates as slide decks of technical indicators. The five KPIs below are the questions that distinguish a board actively governing cyber risk from one passively receiving reports. Ask them quarterly. If your CISO cannot answer them with data, that itself is the answer.

 

| Board KPI | What to Ask the CISO | Target / Benchmark | Regulator Link |
|---|---|---|---|
| Breach Detection Time | What is our average time from breach to detection — and how does it compare to the IBM India benchmark of 263 days (IBM 2025, India)? | Target: under 200 days. Best-in-class: under 90 days | CERT-In 6-hr reporting; DPDP 72-hr notification |
| Critical Vulnerability Patch Rate | What percentage of critical and high-severity vulnerabilities are patched within 30 days of identification? | Target: 100% within 30 days. Industry gap: 33% unpatched at 6 months (Indusface 2025) | CERT-In, RBI IT Master Direction, SEBI CSCRF |
| Third-Party Notification Clauses | What percentage of our critical vendors have contractual obligations to notify us within our own regulatory SLA window? | Target: 100% of Tier-1 vendors. Most organisations: under 40% | RBI TPRM 2023, SEBI, CERT-In supply chain |
| DPDP Data Mapping Completion | What percentage of our data processing activities have been mapped, lawful basis documented, and consent mechanisms built? | Must reach 100% before May 2027 enforcement. Recommended milestone: 50% by Q3 2026 | DPDP Act 2023 — ₹250 Cr max penalty |
| AI Governance Policy Coverage | What percentage of business units have an approved AI usage and governance policy in place — and how are Shadow AI deployments being detected? | Target: 100% coverage. Current India figure: 60% of organisations lack AI governance policy or are still developing one (IBM 2025, India). Shadow AI adds ₹1.79 Cr per breach (IBM 2025, India) | DPDP Act (SDF obligations), RBI IT Direction, CERT-In |

 

12. Implementation Roadmap — From Gap to Compliance

Phase 01 (Month 1–3): Foundation & Governance

CISO appointed at board-reportable level. IS Policy board-approved. Asset inventory completed. IAM and MFA deployed. NTP synchronisation verified. Incident Response Plan drafted with named owners, pre-approved notification templates, and 24×7 escalation path. PoC registered with CERT-In. Drivers: CERT-In Directions 2022, RBI IT Master Direction, DPDP.

Phase 02 (Month 4–9): Detect, Protect & Comply

SIEM deployed with Indian data residency confirmed contractually. SOC or MSSP with India-based coverage. First VAPT by CERT-In empanelled auditor. ICT logs at 180 days within India. Patch management operational — zero critical vulnerabilities unpatched beyond 30 days. Enterprise data mapping completed. Consent mechanisms redesigned. DPDP DSR workflow built and tested. IR plan exercised via tabletop simulation. Note: phases overlap intentionally — real programmes are not linear. Drivers: CERT-In, RBI, SEBI CSCRF, DPDP.

Phase 03 (Month 9+): Advance & Sustain

PAM with session recording. Cloud CSPM with residency verified. Third-party risk scoring — all Tier-1 vendors required to notify within your SLA window. Shadow AI detection deployed. Quarterly VAPT. Annual IS audit (6-monthly for SEBI MIIs). GRC automation. Quarterly board reporting benchmarked against IBM India data. Drivers: All regulators.

 

The Cost of Getting This Wrong

Most organisations underestimate this exposure because they think in probabilities. The board says ‘it probably won’t happen to us.’ The regulator does not think in probabilities. The regulator thinks in obligations.

 

| If you get this wrong | Financial Exposure | Who bears it |
|---|---|---|
| Regulatory penalty (DPDP) | Up to ₹250 crore per violation, no materiality threshold | Board, promoters, organisation |
| Average data breach cost | ₹19.5 crore — an all-time high, up 39% since 2020 | Shareholders, customers, brand |
| RBI / SEBI enforcement action | Licence restriction, trading suspension, named penalty | Senior management, CISO, board |
| Customer trust erosion | Star Health impacted trust across 31 million policyholders in one incident | Revenue, retention, valuation |
| Board personal liability | IT Act Sec 66 and RBI Master Direction make senior management directly accountable. Directors & Officers (D&O) insurance policies in India now routinely exclude wilful cybersecurity non-compliance. | Directors, MD/CEO |

The Strategic Upside — Why Getting This Right Is Also Good Business

Compliance with Indian cybersecurity frameworks is not just a risk-avoidance exercise. Organisations that build genuine capability — not just an IS audit report that satisfies a checkbox — gain measurable business advantages:

 

Every hour of operational disruption from a breach costs more than the regulatory fine. Boards that treat cybersecurity as a standing agenda item find this out once — and not from a penalty notice. Enterprise clients and global partners are now asking for DPDP and CERT-In compliance as a vendor qualification criterion. It is not optional for anyone in the supply chain of a regulated entity.

  • In BFSI and healthcare, one breach destroys years of customer acquisition. Organisations that detect and contain breaches fast limit churn. Those whose breaches persist for months lose customers before they lose the regulatory battle.
  • The board that owns this today is reducing its cost of capital tomorrow. ESG-focused institutional investors and credit rating agencies are beginning to factor cybersecurity governance into risk assessments. This is already happening.

 

Closing — The Question Is Whether You Are Ready

The numbers are not abstract. 369 million malware detections. ₹19.5 crore average breach cost. India is the second most targeted nation for data theft globally. ₹11,333 crore in cyber fraud losses in nine months of 2024. And regulators — RBI, SEBI, IRDAI, CERT-In, the DPBI — are actively, repeatedly enforcing, with named institutions as the examples.

 

Most boards I meet claim they recognise the problem. The gap is almost never awareness — it’s the distance between knowing and doing. The organisations that navigate this well share three traits: the board has genuinely internalised that cybersecurity is a strategic risk, not an IT line item. The CISO reports directly to the CEO or board. And incident response is practised — because the organisations that detect breaches internally contain them faster and at lower cost than those that learn from attackers or third parties.

 

That’s it. Three things. Most boards have none of them.

The organisations that will struggle are recognisable. They are still waiting for the ‘final’ DPDP guidance before acting. Their IR plans have never been tested under pressure. They manage third-party risk through contracts, not controls. And their log retention was built on the widely circulated — but wrong — 5-year CERT-In figure.

The board that treats cybersecurity as a standing agenda item today will not be the board explaining a ₹19.5 crore breach to shareholders tomorrow.

 

Cybersecurity in India is no longer a compliance exercise. It is an operational capability that will be tested without warning. The question is not whether your organisation is compliant. The question is whether it is ready.

THREE BOARD-LEVEL ACTIONS — THIS QUARTER

  1. Commission a DPDP readiness assessment this quarter.

Map your data processing activities, identify consent mechanism gaps, and test your breach notification workflow end-to-end. IBM 2024 India data: organisations containing a breach within 200 days averaged ₹18.4 crore versus ₹20.5 crore for those exceeding 200 days. Readiness investment has a measurable return before it satisfies a compliance obligation.

  2. Run a tabletop IR exercise — not a document review.

Simulate a ransomware attack at 11pm on a Friday. Time how long it takes to reach a decision-maker and file an initial CERT-In notification. If the exercise takes longer than 3 hours to reach a notification decision, your organisation will not meet any Indian regulator’s reporting SLA. This test costs one afternoon. The alternative is more expensive.

  3. Audit your log storage configuration against the actual CERT-In mandate.

ICT logs = 180 days, within India, tamper-evident, immediately producible. Subscriber and customer data (for DCs, VPNs, cloud providers) = 5 years. If your architecture was built on the widely circulated but incorrect 5-year figure, you may be significantly overspending while still failing the Indian data residency requirement that CERT-In auditors actually examine.

 

SOURCES & DATA REFERENCES

  • DSCI-Seqrite India Cyber Threat Report 2025 — 369M malware detections; 702 threats/min; 8.4M endpoints monitored
  • IBM Cost of a Data Breach Report 2024 & 2025 (India) — ₹19.5Cr avg (2024); 327-day lifecycle; ₹13Cr AI savings (IBM comparative modelling); Shadow AI adds ₹1.79Cr (India-specific, IBM 2025); 60% of Indian organisations lack AI governance policy (2025)
  • CloudSEK ThreatLandscape Report 2024 — India 2nd most targeted; Indusface India Cyber Attack Report 2025 — BFSI 2× global avg; 33% vulnerabilities unpatched 6+ months
  • RBI Annual Report / Business Standard June 2025 — 353 penalties, ₹54.78Cr FY25; Named RBI enforcement notices: Kotak ₹3.95Cr, PNB ₹2Cr, Yes Bank ₹1.5Cr
  • 63SATS / I4C — ₹11,333Cr cyber fraud losses, first 9 months 2024; Cisco Cybersecurity Readiness Index 2025 (India) — only 7% of Indian organisations at Mature readiness level
  • CERT-In Directions 2022 (No. 20(3)/2022-CERT-In, 28-Apr-22) — 6-hour reporting, 180-day ICT log retention, 5-year subscriber data retention, NTP synchronisation
  • DPDP Act 2023 + Rules 2025; RBI IT Master Direction April 2024; SEBI CSCRF August 2024; IRDAI Cyber Guidelines 2023; DoT Telecom Cybersecurity Rules November 2024

 

Disclaimer: This article is a reference guide based on publicly available Indian regulatory frameworks and published industry research as of March 2026. Breach cost and threat data are anchored to 2024/early 2025 reports — actual costs continue to trend upward. Figures vary based on methodology and sample size across reports; all data points are attributed to their primary sources. Regulatory requirements are subject to change — always consult primary circulars and qualified legal counsel for compliance decisions.

 

Quick reference: CERT-In (incident@cert-in.org.in, 6 hrs) · DPBI (dpbi.gov.in, 72 hrs) · RBI DAKSH (6 hrs) · SEBI SCORES (6 hrs) · IRDAI (6 hrs)