Hello Auditor

What are the cyber security obligations of Public Limited Companies?

1. Protection of Financial and Stakeholder Data

  • Public Limited Companies must ensure the confidentiality, integrity, and availability of sensitive financial, operational, and shareholder data.
  • Listed companies, in particular, are required to safeguard investor information, trading data, and business communications from breaches or leaks.
  • Breach of sensitive data could lead to loss of reputation, legal action, and regulatory penalties.

2. Compliance with Legal and Regulatory Frameworks

  • Companies must comply with:
    • Information Technology Act, 2000 and its rules on data protection and cyber offences
    • SEBI (LODR) Regulations for listed companies, which mandate disclosure of cyber incidents affecting the financial or operational status
    • CERT-In (Indian Computer Emergency Response Team) directions, which require reporting of specified cybersecurity incidents within 6 hours of noticing them
    • Data privacy rules, such as the SPDI Rules, 2011 under the IT Act and the Digital Personal Data Protection Act, 2023, especially when handling personal or financial information of employees, clients, or investors
  • Public companies dealing with EU citizens or U.S. markets may also need to comply with GDPR or SOX regulations, respectively.

3. Implementation of Cybersecurity Measures

  • Companies must deploy firewalls, anti-virus tools, intrusion detection systems, and endpoint protection across networks and devices.
  • Companies should enforce strong access controls, encryption protocols, multi-factor authentication (MFA), and secure backup systems.
  • Regular patch management and system updates are essential to close vulnerabilities.
  • All critical systems must have business continuity and disaster recovery plans.

4. Risk Management and Internal Governance

  • Public Limited Companies must integrate cybersecurity into their enterprise risk management (ERM) framework.
  • The Audit Committee or Risk Management Committee of the board should periodically review cybersecurity posture and incidents.
  • SEBI and stock exchanges encourage companies to establish a cybersecurity policy, with clear roles and responsibilities for the Chief Information Security Officer (CISO) or equivalent role.
  • Periodic vulnerability assessments and penetration testing (VAPT) should be conducted by independent auditors.

5. Disclosure and Incident Response Obligations

  • In case of data breach or cyberattack, companies must:
    • Inform CERT-In within the stipulated 6 hours.
    • Notify stock exchanges and investors if the incident materially affects company operations.
    • Maintain an incident response plan to contain, investigate, and recover from attacks.
  • All such events must be documented, with post-incident reviews and corrective measures undertaken.
