Beyond Compliance: Why Indian Corporate Boards Need Dedicated Cybersecurity Committees in 2025

Introduction

Historically, cybersecurity was relegated to the IT department, a necessary but somewhat isolated technical function. Today, however, cyber incidents do not only affect systems; they also affect people: employees whose personal data might be exposed, customers whose trust might be betrayed, and communities whose critical services might be disrupted.

In today’s interconnected world, where our lives and businesses exist as much in digital spaces as in physical ones, the way we think about protecting ourselves has fundamentally changed. It is now something that demands attention in the highest corridors of corporate power.

As we have found in 2025, the growing complexity of cyber threats has transformed cybersecurity from a technical checkbox into a critical leadership concern that touches every aspect of organizational strategy and risk management. This evolution requires a more human-centred, thoughtful approach at the board level. For Indian companies navigating the complex digital ecosystem, a dedicated cybersecurity committee at the board level is no longer optional; it is strategically essential to safeguard not just data but corporate survival itself.

The Evolving Cybersecurity Landscape in India

India’s digital economy is booming, with the country’s digital transactions growing rapidly and businesses across sectors adopting cloud technologies, AI implementation, and remote work models. This digital expansion, while driving growth, has simultaneously expanded the attack surface for cyber threats. Recent high-profile breaches at several major Indian corporations have highlighted the inadequacy of treating cybersecurity only as a compliance checkbox.

According to recent studies, India ranks among the top countries globally for cybersecurity incidents, with an estimated average data breach cost of ₹17.6 crore in 2024, a 28% increase from just two years ago. These are not just statistics; they represent genuine business disruptions that impact stakeholder trust, regulatory standing, and corporate valuations.

Why Traditional Board Oversight Falls Short

Currently, most Indian companies follow the global trend of delegating the work of cybersecurity oversight to their audit committees. The National Association of Corporate Directors’ 2024 Audit Committee Practices Report reveals that cybersecurity and enterprise risk management (ERM) are now top priorities for audit committees worldwide, including those in India.

Let’s see how this approach presents serious limitations in the Indian context:

The Overburdened Audit Committee: Audit committees of Indian listed companies are already responsible for financial reporting oversight, internal controls, related party transactions, and compliance with complex regulatory frameworks, including the Companies Act and SEBI requirements. Adding cybersecurity oversight to this already full plate inevitably means cybersecurity receives inadequate attention.

The Expertise Gap: Most audit committee members on Indian boards come from finance, accounting, or general management backgrounds. While they excel in the financial field, they often lack the specialized knowledge to effectively evaluate cybersecurity risks, threat intelligence, or technological vulnerabilities unique to India’s corporate environment.

The Strategic Disconnect: When cybersecurity is only one item on a crowded audit committee agenda, it tends to focus mainly on compliance rather than strategic risk management. This prevents boards from properly aligning cybersecurity risk with business objectives and innovation initiatives crucial for Indian companies competing globally.

The Cultural Challenge: Effective cybersecurity requires fostering a security-conscious culture across the organization, something that demands dedicated leadership attention beyond what an already overextended audit committee can provide.

Real-World Impact: Learning from Global Examples

Several forward-thinking Indian and global corporations have already embraced this approach with positive outcomes. For example, after a major security incident, one leading Indian IT services provider, Infosys, established a dedicated Technology and Cybersecurity Committee that works alongside its audit committee. This specialized oversight has not only strengthened its security posture but has also become a competitive advantage in winning international clients concerned about data security.

Similarly, major global corporations like General Electric and Bristol-Myers Squibb have established dedicated cybersecurity committees that provide focused governance. Their experiences offer valuable lessons for Indian companies looking to strengthen board oversight of cyber risks.

For Indian companies, establishing dedicated cybersecurity committees offers several strategic advantages:

1. Enhanced Risk Oversight: A specialized committee can develop deeper expertise in the growing threats particular to India’s business landscape, from state-sponsored attacks to sector-specific vulnerabilities affecting the financial services, healthcare, and IT services sectors, where India has a significant global presence.

2. Strategic Integration: Dedicated committees can ensure cybersecurity considerations are integrated into business strategy discussions, particularly as Indian companies expand internationally and face cross-border regulatory requirements like GDPR and emerging Indian data protection laws.

3. Resource Optimization: With a dedicated committee, boards can also make more informed decisions about cybersecurity investments, ensuring resources are allocated effectively across technology, talent, and processes, which is critical for Indian companies that must balance security investments with growth initiatives.

4. Regulatory Readiness: As India’s regulatory landscape evolves with the implementation of the Digital Personal Data Protection Act and other cybersecurity frameworks, dedicated committees can ensure proactive compliance and relationship management with regulatory bodies.

5. Crisis Response: When cybersecurity incidents occur, as they inevitably will, a dedicated committee with established protocols and deep domain knowledge can respond more effectively, minimizing business impact and reputational damage.

Implementation in the Indian Context

For Indian corporations considering this approach, implementation should be thoughtfully structured:

Composition Matters: The cybersecurity committee should consist of at least one director with technical cybersecurity expertise, alongside members with risk management, business strategy, and regulatory backgrounds. For many Indian boards, this may require adding new directors with relevant experience or engaging external advisors.

Clear Charter and Mandate: Define the committee’s responsibilities, including oversight of cybersecurity strategy, risk assessment frameworks, incident response plans, and regular evaluation of security controls and technologies.

Regular Engagement: Schedule dedicated sessions with the Chief Information Security Officer (CISO) and other security leaders, focusing on both current threats and long-term strategic security initiatives.

Performance Metrics: Develop meaningful cybersecurity key performance indicators that go beyond technical metrics to include business impact assessments and benchmarking against industry standards.

Cultural Integration: Ensure the committee champions security awareness across the organization, recognizing that human factors often present the greatest vulnerability.

The Path Forward for Indian Boards

As cyber threats grow more sophisticated and the regulatory landscape more complex, Indian boards must evolve their governance structures accordingly. Creating a dedicated cybersecurity committee shows stakeholders, including investors, customers, regulators, and employees, that security is fundamental to the company’s strategy and operations.

For audit committees currently carrying cybersecurity responsibilities, transitioning to a specialized committee model provides relief from an unwarranted burden while improving oversight quality. This approach allows audit committees to focus on their core financial and compliance responsibilities while ensuring cybersecurity receives the dedicated attention it deserves.

In the current digital era, Indian corporate boards are no longer debating whether cybersecurity deserves specialized governance attention; the more urgent question is how swiftly and effectively such oversight structures can be implemented. Cyber threats have become pervasive, sophisticated, and deeply intertwined with enterprise value, making them a core concern for corporate governance rather than an IT issue.

Looking ahead into 2025, the strongest and most future-ready Indian companies will likely be those whose boards recognize cybersecurity as a strategic business priority. These organizations understand that cyber risk is not merely a technical problem, but a critical threat to operational continuity, stakeholder trust, and regulatory compliance. By establishing dedicated cybersecurity committees, boards can ensure that they possess both the focus and the expertise necessary to address evolving cyber threats with the seriousness they demand.

In this context, the formation of cybersecurity committees represents not only good governance but also a proactive step toward organizational strength, stakeholder confidence, and long-term competitiveness in an increasingly volatile digital environment.


Author: Aarti Mehta is a 3rd Year BBA LLB (Undergraduate course) student at KIIT School of Law, Bhubaneshwar
