Critical Analysis Of Cybersecurity Due Diligence And Its Impact On M&A Agreements Under The Digital Personal Data Protection Act, 2023 (DPDP Act)
- IJLLR Journal
- Dec 25, 2025
Chandana S, B.Com LLB, St. Joseph’s College of Law
ABSTRACT
This paper undertakes a comprehensive and critical analysis of the evolving mandate and practical execution of cybersecurity due diligence (CDD) specifically within the Mergers and Acquisitions (M&A) landscape of India, following the enactment of the transformative Digital Personal Data Protection Act, 2023 (DPDP Act). The DPDP Act fundamentally reshapes the risk calculus for all Indian M&A transactions. It introduces a stringent statutory liability framework, demanding explicit and unambiguous consent, and imposing severe financial penalties that can escalate up to ₹250 crore for a single data breach or compliance failure, a magnitude of risk previously unknown in the Indian corporate sector. Consequently, the acquiring entity, stepping into the role of a Data Fiduciary, directly inherits these significant, newly quantified liabilities, making a robust CDD process an indispensable requirement for accurate deal valuation and post-acquisition risk management. However, the theoretical imperative for thorough CDD faces significant and unique challenges in the Indian operational context, primarily stemming from the lack of a standardized and mandatory CDD protocol and critical procedural impediments. These issues include the non-cooperative stance of many target companies, who are hesitant to grant deep, invasive access to their internal security architecture and incident history due to deal confidentiality concerns; the accelerated, competitive timelines characteristic of Indian deal-making; and the absence of a clear, industry-accepted benchmark for 'reasonable security practices' post-DPDP Act. These real-world operational frictions directly compromise the effectiveness of the CDD, leading to incomplete risk identification and the acquisition of 'unknown' liabilities that are eventually addressed through the unreliable mechanism of contractual risk-shifting tools like warranties and indemnities.
The research demonstrates that this reliance on post-facto contractual promises is an insufficient safeguard against the statutory fines and business disruption mandated by the DPDP Act. Ultimately, the DPDP Act’s rigorous accountability requirements have created a significant gap between the legal necessity for deep-dive cybersecurity assessments and the current deficient state of due diligence practice in India, thereby threatening deal value and market stability.
Keywords: Digital Personal Data Protection Act, M&A Due Diligence, Data Fiduciary Liability, Contractual Risk Allocation, Indian Cybersecurity Standards.
