Cybersecurity Governance: Why Boards Are Finally Taking It Seriously — and What That Means in Practice
A combination of high-profile incidents, regulatory pressure, and growing director liability awareness has shifted cybersecurity from an IT department concern to a board priority. The governance response is still catching up.
Admin CXO India
CXO India has observed a marked change in how cybersecurity is discussed in Indian boardrooms over the past eighteen months. The topic has migrated from a standing item on the audit committee agenda — where it received fifteen minutes and a status-green assurance from the IT team — to a substantive strategic risk discussion at the full board level. Several factors have driven this shift, and understanding them helps boards avoid the most common governance mistakes as they raise their engagement.
The regulatory factor is significant. SEBI's cybersecurity circular for market intermediaries, the RBI's ongoing enhancement of cybersecurity norms for regulated entities, and the Ministry of Electronics and IT's work on data protection compliance have collectively raised the governance stakes for Indian boards in a way that is hard to ignore. Directors who fail to provide adequate cybersecurity oversight now face more clearly articulated regulatory risk than they did two years ago.
The incidents factor is perhaps more viscerally motivating. Several significant cyberattacks on prominent Indian organisations in 2024 and 2025 have made clear that large, well-resourced Indian companies are not immune to sophisticated attacks — and that the reputational and operational consequences of a significant breach are severe enough to constitute a material risk to shareholder value. The boards that are genuinely ahead of this challenge have taken several specific steps: they have appointed at least one director with substantive cybersecurity experience, they have separated the cybersecurity discussion from the general IT discussion, they have established a clear accountability structure for cyber risk management at the executive level, and they have conducted at least one tabletop exercise simulating a significant incident.