Introduction
In recent years, India’s digital economy has expanded rapidly, with companies increasingly relying on technology for their operations and handling large volumes of sensitive data. However, this growth has also led to a rise in cyber threats such as data breaches, ransomware attacks, and hacking incidents. These cybersecurity incidents not only cause financial losses but also damage a company’s reputation and stakeholder trust.
Given this backdrop, corporate liability for cybersecurity failures has become a critical issue. While Indian laws and regulations related to cybersecurity are evolving, there remain significant challenges in holding companies accountable for cyber incidents. The legal framework is still developing, and enforcement is often complicated by technical and jurisdictional difficulties.
This article seeks to examine the current legal landscape governing corporate liability for cybersecurity in India. It will analyse key statutes, regulatory guidelines, and judicial pronouncements, while highlighting practical challenges faced by companies. Drawing comparisons with international practices, the article will also suggest measures to strengthen corporate governance and legal accountability in managing cyber risks.
Legal Framework on Cybersecurity in India
The legal framework addressing cybersecurity and corporate liability in India primarily revolves around the Information Technology Act, 2000 (IT Act), along with provisions under the Companies Act, 2013, and regulations issued by regulatory authorities such as SEBI and the Reserve Bank of India (RBI).
The IT Act, 2000 is the cornerstone of India’s cyber laws. Key provisions include Section 43A, which mandates that companies handling sensitive personal data must implement reasonable security practices and procedures. Failure to do so may result in liability for compensation. Section 66 deals with computer-related offenses, including hacking and identity theft, while Section 72A penalizes the disclosure of personal information in breach of lawful contract.
Under the Companies Act, 2013, corporate governance requirements indirectly relate to cybersecurity. Directors and key managerial personnel are expected to exercise due diligence in safeguarding company assets, which now increasingly include digital assets and data. Further, the law requires listed companies to make disclosures about material risks, which can include cybersecurity risks, in their annual reports.
The Securities and Exchange Board of India (SEBI) has recognized cybersecurity as a significant concern, especially for listed companies. SEBI’s Listing Obligations and Disclosure Requirements (LODR) Regulations mandate timely disclosure of material cyber incidents that may impact the company’s operations or reputation. These regulations aim to enhance transparency and protect investor interests.
In the financial sector, the RBI has issued comprehensive guidelines on cybersecurity and information security for banks and non-banking financial companies (NBFCs). These guidelines set out minimum standards for risk management, incident response, and reporting, reinforcing the accountability of financial institutions in the cyber domain.
Additionally, the Personal Data Protection Bill, currently under consideration, seeks to provide a comprehensive data protection regime in India. Once enacted, it will impose stricter obligations on companies regarding data processing, breach notifications, and penalties for non-compliance.
Together, these laws and regulations form the evolving framework within which Indian companies must manage cybersecurity risks and their potential liabilities. [1]
Corporate Liability in Cybersecurity Incidents
Corporate liability for cybersecurity failures arises when companies fail to implement adequate security measures, leading to breaches that compromise sensitive data. This liability can manifest in various forms, including financial penalties, reputational damage, and legal consequences.
A pertinent example is the recent cyberattack on UK retailer Marks & Spencer (M&S), which has been linked to its IT service provider, Tata Consultancy Services (TCS). [2] TCS, a long-term technology partner of M&S since 2018, is conducting an internal investigation to determine whether it served as the entry point for the breach. The attack, attributed to the hacking group Scattered Spider, utilized social engineering tactics to deceive employees into revealing passwords, facilitating unauthorized access to M&S’s systems.
The breach resulted in significant operational disruptions for M&S, including the shutdown of its online clothing operations for over three weeks and the disabling of certain food-related services. Financially, the company anticipates a loss of up to £300 million in operating profit for the current year, with a market capitalization decline exceeding £750 million.
This incident underscores the critical importance of robust cybersecurity measures and the potential liabilities companies face when their systems are compromised. It also highlights the need for comprehensive third-party risk management strategies, as vulnerabilities in service providers’ systems can have far-reaching consequences for client organizations. Directors and key managerial personnel bear responsibility for ensuring effective cybersecurity governance within the company. They are expected to integrate cyber risk management into overall enterprise risk frameworks and establish clear policies for incident response.
Under the IT Act and SEBI regulations, companies may face penalties, compensation claims, and reputational damage if they fail to protect data or disclose breaches promptly. For example, if a company’s negligence leads to a data breach exposing personal information, affected individuals may seek compensation. Indian courts have begun to recognize corporate liability in cyber matters, though judicial precedents are still limited. Globally, cases like the Equifax data breach demonstrate how companies can face multi-million-dollar lawsuits and regulatory fines for cybersecurity failures. [3]
Challenges in Enforcement and Compliance
Despite the evolving legal framework, enforcing corporate liability in cybersecurity remains challenging. Proving negligence or a breach of duty can be complicated, given the technical nature of cyber incidents. Jurisdictional issues also arise when cyberattacks originate from foreign countries, making enforcement difficult.
Further, many Indian companies lack sufficient cybersecurity expertise within their boards or management. This gap makes it harder to implement effective governance and comply with regulatory expectations. The current laws also leave some ambiguity about the exact standards companies must meet, creating uncertainty and inconsistent enforcement. Regulators are still developing guidelines to address these gaps.
Regulatory Trends and Corporate Governance
Indian regulators are increasingly focusing on cybersecurity as an integral part of corporate governance. SEBI mandates listed companies to disclose material cyber risks, while the Ministry of Corporate Affairs encourages companies to adopt cyber risk management best practices. Boards of directors and audit committees are expected to actively oversee cybersecurity strategies. Independent directors play a crucial role in ensuring accountability and risk mitigation. Industry standards, certifications, and cyber insurance are also gaining traction as tools to manage and transfer cyber risks effectively.
Recommendations and Future Outlook
To address the challenges in corporate cybersecurity liability, India must develop clearer statutory provisions that define the standard of care expected from companies. This clarity will help regulators enforce compliance and provide companies with better guidance. Enhancing cybersecurity awareness and expertise on company boards is essential. Training directors and appointing cyber risk specialists can improve governance and decision-making. Companies should adopt comprehensive incident response plans, conduct regular audits, and invest in cyber insurance to mitigate risks. The enactment of the Personal Data Protection Bill will further strengthen data security obligations and provide a structured legal framework for accountability.
Conclusion
In today’s digital age, cybersecurity has become a critical concern for Indian companies as cyber threats continue to escalate in complexity and scale. The existing legal framework, centered around the IT Act, Companies Act, and regulatory guidelines from SEBI and RBI, lays the foundation for corporate liability in cybersecurity incidents but still faces challenges in enforcement, clarity, and technical expertise.
The recent TCS-Marks & Spencer breach exemplifies how vulnerabilities in third-party service providers can severely impact companies, causing substantial financial losses and operational disruptions, thereby highlighting the urgent need for robust cybersecurity governance and third-party risk management.
While Indian laws are evolving, international best practices, such as those under GDPR and US regulations, offer valuable lessons on transparency, breach notification, and corporate accountability. It is imperative for Indian companies to strengthen internal oversight, enhance board-level awareness, and adopt comprehensive cybersecurity measures to mitigate risks effectively.
The proposed Personal Data Protection Bill promises to add another layer of protection and accountability, further aligning India with global data protection standards. Ultimately, proactive legal compliance, effective corporate governance, and investment in cybersecurity resilience will be key for Indian companies to safeguard their assets, protect stakeholder interests, and maintain market confidence in an increasingly interconnected world.
[1] Khan, T.R. (2024) Cybersecurity law and corporate liability: Rising threats and legal responsibilities, LinkedIn. Available at: https://www.linkedin.com/pulse/cybersecurity-law-corporate-liability-rising-threats-rashid-khan-zvezc/ (Accessed: 29 May 2025).
[2] Chakraborty, A. (2025) TCS launches internal inquiry into M&S Cybersecurity Breach, Tech Monitor. Available at: https://www.techmonitor.ai/technology/cybersecurity/tcs-internal-inquiry-ms-cybersecurity-breach (Accessed: 29 May 2025).
[3] Chandra, A. (2024) Data breach liability: Corporate legal responsibilities in 2024, LegalOnus. Available at: https://legalonus.com/data-breach-liability-corporate-legal-responsibilities-in-2024/ (Accessed: 29 May 2025).
Author: Naga Praseeda is a final-year law student at ICFAI Law School, Hyderabad.