India’s rapid shift to digital banking and fintech has heightened cyber risks and regulatory scrutiny. Directors and officers must balance business innovation with legal compliance. Under the Companies Act, 2013, directors owe fiduciary duties of due care, skill and diligence, which today include managing cyber risk.
For example, Section 166 of the Act requires directors to act in good faith and in the company’s best interests; failing to address known cyber threats or inadequate risk controls can breach this duty.
Likewise, Section 134(5) mandates that the board’s annual report describe the company’s risk management policy, implicitly covering cybersecurity risk. Audit Committees (Sec. 177) and internal audits (Sec. 143) must also oversee IT security and incident response.
In practice, boards are advised to establish cyber-risk committees, educate members on technology threats, and include cyber risks explicitly in corporate risk policies.
- Due diligence duties: Directors must ensure adequate cyber defenses, evaluate network access controls, and enforce multi-factor authentication and monitoring on critical systems. Negligence in implementing reasonable security measures can breach fiduciary duties under Section 166.
- Compliance oversight: Boards must confirm that financial statements and disclosures reflect compliance with all laws, including the IT Act and cybersecurity policies. A failure to ensure adherence to legal security requirements may itself violate directors’ duties.
- Internal controls: Companies Act Sections 143 and 177 require oversight of internal controls and risk management. Inadequate incident response planning or outdated security strategy can violate these provisions.
Disclosure and Reporting Norms
Companies must also heed disclosure obligations related to cyber incidents. Even though the Companies Act does not explicitly mandate public breach reporting, several norms apply:
- Board’s report and risk policy: The Board’s annual report must discuss the company’s risk management framework. As noted by legal analysts, “such policies should also include cyber risks to manage uncertainty and limit negative impacts”. In practice, companies often disclose cybersecurity governance and internal controls in their management discussion, especially if incidents occur.
- Regulatory notifications: Under the IT Act, certified entities (banks, service providers, intermediaries, data centers, etc.) must report cyber incidents to the Indian Computer Emergency Response Team (CERT-In). New rules (issued April 2022 under Section 70B of the IT Act) impose a 6-hour reporting deadline for identified cybersecurity incidents. Failure to notify CERT-In can attract heavy fines or imprisonment.
- Listed company disclosures: SEBI’s Listing Regulations now explicitly require listed companies to disclose cyber incidents. Effective July 2023, Reg. 27(2)(ba) mandates that listed entities report any “cyber security incidents or breaches or loss of data or documents” in their quarterly corporate governance report. Stock exchanges have provided formats for these disclosures. The intent is that material cyber events are reported to investors periodically.
- Data protection law: The new Digital Personal Data Protection Act, 2023 (DPDP Act) also requires data fiduciaries to notify affected individuals and the Data Protection Board about personal data breaches. Once operational, this law will add another layer of breach reporting (similar to GDPR).
Taken together, these norms mean that corporations must have written incident-response plans, designate security officers, and conduct regular cyber audits. Legal commentators note that Indian law now “speaks of having appropriate technological and organisational measures and reasonable security safeguards to prevent a breach”. Boards often follow global best practices: appointing a Chief Information Security Officer (CISO), conducting pen‑tests, and reviewing vendor contracts for security clauses.
Data Breaches and IT Act Liability
The Information Technology Act, 2000 (IT Act) is India’s primary cyber law. It defines offences and liabilities for cybersecurity breaches. Key provisions include:
- Section 43A (compensation): A body corporate that “deals with sensitive personal data or information” must implement reasonable security practices; failure resulting in wrongful loss obligates the company to compensate victims. In HDFC Bank v. Nikhil Kothari (2020), the court found the bank negligent and held it liable under Sec. 43A for a customer’s unauthorized loss. The bank had “inadequate security measures,” and was ordered to compensate the affected customer. This case illustrates that companies can be sued civilly for data leaks.
- Sections 66, 66F (hacking/cyber terrorism): Section 66 criminalizes hacking (intentional damage or unauthorized access) with up to 3 years imprisonment or a fine. Section 66F punishes cyber-terrorism (attacks on critical systems) with imprisonment up to 7 years. These offences impose criminal liability on perpetrators, regardless of corporate status.
- Section 72A (privacy breach): This penalizes unauthorized disclosure of personal data by any person (including employees) with up to 3 years’ jail or ₹5 lakh fine. Any company that fails to enforce confidentiality may face prosecution if its officers are complicit.
- Section 43 (general penalty): Tampering, damage or unauthorized downloads of data (not covered above) incur penalties of up to ₹1 crore. The Act allows affected parties to sue for restitution under Sec. 43 (monetary compensation up to ₹1 crore per offence).
Crucially, the IT Act treats corporate breaches seriously. Section 85 (“Offences by companies”) makes both the company and persons in charge (e.g. directors, senior managers) criminally liable for any IT Act contravention. In other words, if a company commits an IT Act offence (say, failing to protect data), “every person who… was in charge of and responsible for the conduct of the business… shall be guilty of the contravention,” unless they prove it occurred without their knowledge or despite their due diligence. Thus, in practice, directors and C-suite executives of a company that has suffered a breach can be prosecuted along with the company.
- Extraterritorial scope: Notably, Sections 75-76 of the IT Act extend to offences committed outside India by anyone using a computer resource in India. This means cross-border fintech transactions or foreign attackers targeting Indian data fall under Indian jurisdiction. Companies involved in international payments must recognize that Indian cyber laws can reach foreign actors if Indian servers or citizens are affected.
Liabilities under the Companies Act
While the Companies Act does not specify cybersecurity offences, its corporate governance provisions impose legal liabilities related to negligence and non-compliance. Key points include:
- Director penalties: Breach of directors’ duties (Section 166(7)) is itself a punishable offence. Under Sec. 166(7), any director who acts “without due and reasonable care” can be fined up to ₹1 lakh (and the company up to ₹25 lakh). Indian analysts note that whole-time directors are expected to be “custodians of ethical practices,” and failure to uphold duties (e.g. oversight of data security) can trigger these penalties. Repeat offences attract harsher sanctions.
- Officer-in-default: Under various chapters, “officers in default” (e.g. CEO, CFO, IT head) can face prosecution if the company fails to comply with statutory requirements. For example, lapses in maintaining statutory registers or filings can result in fines for the responsible officers. While not cyber-specific, this regime underscores that Indian law often prosecutes the individuals behind corporate lapses.
- Civil actions: Shareholders or creditors may sue the company for losses from a data breach under general laws (e.g. alleging negligence or breach of confidence). Although India has no class‑action for data breaches yet, creditors have successfully sued over negligent cybersecurity before. For instance, in National Insurance v. IFFCO Tokio (2016), a court found an insurance firm negligent for inadequate cyber safeguards and awarded compensation.
- Corporate fraud: If a data breach involves internal fraud or deception, provisions like Section 447 (fraud) or Section 462 (presumptions in fraud) could apply, with severe penalties. Directors could face delinquency proceedings or disqualification under Section 164 for misconduct.
Overall, companies using digital banking must treat cybersecurity as part of corporate governance. Neglect can mean dual liability: violation of the Companies Act (for breach of duty) and of the IT Act (for cyber offences). For example, an entity’s failure to prevent a hack could trigger directors’ fiduciary-breach penalties and IT Act sanctions (fines/imprisonment) under Section 43A or 66.
Implications for Fintech and Cross-Border Services
The convergence of digital banking and fintech heightens these legal stakes. Fintech platforms and corporate banking solutions often involve cross-border data flows and payment networks. Under the IT Act’s extraterritorial provisions, Indian laws can apply to overseas actors affecting Indian systems. Conversely, foreign data protection laws (EU GDPR, forthcoming US or Asia regulations) may impose parallel obligations on Indian companies. For instance, the DPDP Act’s chapter on cross-border data allows transfers except to barred jurisdictions (iapp.org). Compliance officers should therefore ensure that cross-border payment providers understand both Indian IT security rules and any foreign regulations applicable to their services.
In summary, Indian directors and compliance officers must integrate cybersecurity into corporate governance. The Companies Act’s duty-of-care provisions now encompass cyber risk management. Failure to do so can be a breach of directors’ duties. Simultaneously, the IT Act imposes affirmative security obligations (and harsh penalties) for data breaches. Together, these laws create a dual-layered liability: corporates must both govern cyber risk effectively and meet the legal standards of data protection and network security. Boards should therefore stay abreast of cyber regulations, document their cybersecurity strategies, and ensure timely breach reporting as required.