Role Of Directors In Corporate Cybersecurity: A Critical Analysis
- IJLLR Journal
Apoorva Saxena, LLM, Chandigarh University
Dr Amrita Rathi, Associate Professor, UILS, Chandigarh University
ABSTRACT
The board of directors plays a pivotal role in governing corporate cybersecurity, especially in India’s rapidly digitizing economy. Directors are expected to act with due diligence, integrating cyber risk management into overall governance. Indian corporate law and regulators have gradually recognized this need: the Companies Act, 2013 imposes a duty of care on directors and SEBI’s Listing Obligations mandate risk management systems. The Information Technology Act, 2000 (as amended) and CERT-In directives require organizations to report cyber incidents promptly, while the new Digital Personal Data Protection Act, 2023 compels data fiduciaries to implement strong safeguards.
This paper critically examines how these laws and guidelines impact directors’ responsibilities. It surveys judicial trends (e.g. Shiv Kumar Jatia v. Delhi) stressing that directors are not automatically liable for corporate crimes absent evidence of personal wrongdoing, and analyses enforcement patterns under the IT Act and data protection laws. Contemporary challenges – including directors’ limited technical expertise and fast-evolving cyber threats – are discussed, and best practices (board-level cyber committees, periodic audits, expert training) are recommended to strengthen corporate resilience. Throughout, an Indian legal perspective is foregrounded, with relevant case studies and comparative insights.
