
Cyber Risk Governance for Founders

A founder-focused guide to cyber risk governance, including board oversight, policies, vendor risk, incident response and legal accountability.

Published 24 May 2026 · 7 min read · By GT Legal Associates · Last updated 24 May 2026

Founders of technology companies are familiar with the operational risks of building a product — technical debt, scaling challenges, recruitment. Cyber risk is frequently treated as an operational matter delegated to the CTO or IT function, to be addressed through security tooling and periodic audits. This framing is increasingly inadequate. Cyber risk is a legal and governance risk: a significant breach can trigger regulatory penalties, shareholder disputes, contractual indemnity claims, and personal liability for directors under the Companies Act, 2013. For a startup seeking institutional investment, an unremediated significant incident, or the absence of a credible cyber governance framework, can derail due diligence. This article sets out the cyber risk governance obligations and best practices that founders should understand and implement.

Board-Level Oversight

The Companies Act, 2013 imposes duties of care, skill, and diligence on directors that extend to the management of material risks. A significant cyber incident that causes financial loss, customer data exposure, or operational disruption is a material risk, and a board that has not engaged with cyber risk at a strategic level — establishing risk appetite, reviewing incident response capability, and overseeing remediation of known vulnerabilities — is potentially exposed to claims of fiduciary breach. Founders who are directors should ensure that cyber risk is a standing board agenda item, that the board receives regular reporting on the organisation’s cyber risk posture, and that material incidents are escalated promptly with documented decisions recorded in board minutes.

Policies, Minimum Controls and CERT-In Obligations

Foundational cyber governance requires board-approved policies covering: information security (aligned to ISO/IEC 27001 or an equivalent standard), acceptable use of IT systems, access management, data classification, incident response, and vendor security requirements. Beyond policies, a minimum set of technical controls — multi-factor authentication, endpoint protection, network segmentation, vulnerability management, and encrypted backups — should be implemented and periodically tested. CERT-In’s April 2022 Directions require covered entities to maintain a designated point of contact, report specified incidents within six hours, and retain logs for 180 days. These are regulatory minimum requirements, not optional best practices, and non-compliance exposes the organisation to enforcement action independently of whether any incident has occurred.

Vendor and Supply Chain Risk

A significant proportion of cyber incidents affecting businesses originate in third-party vendors — SaaS providers, cloud infrastructure, payment processors, and outsourced development teams. Founders must ensure that vendor contracts include security requirements (including a right to audit), incident notification obligations (typically within 24 hours for a security incident affecting the organisation’s data), and data processing provisions consistent with the organisation’s obligations under the Digital Personal Data Protection Act, 2023. Where a vendor suffers an incident that affects the organisation’s data, the organisation remains responsible to its own regulators and customers — the vendor’s contractual obligation to notify and remediate does not transfer the organisation’s regulatory exposure.

DPDP Act Obligations and Pre-Incident Preparation

Founders of businesses that process personal data must embed their obligations under the Digital Personal Data Protection Act, 2023 in the organisation’s operating procedures before an incident occurs. The Act’s notification obligation — to the Data Protection Board and affected individuals upon a personal data breach — carries a penalty of up to ₹250 crore for non-compliance. The obligations to appoint a Data Protection Officer (for Significant Data Fiduciaries), to maintain a grievance mechanism, and to ensure that processor agreements contain the required data protection provisions are legal requirements with financial consequences, not voluntary governance choices. Founders should pre-establish an incident response retainer with external legal and forensic counsel, so that governance decisions in the first hours of an incident are made with qualified advice — those first-hour decisions are the most consequential and the most difficult to correct after the fact.

Vendor and Third-Party Risk Management

Most Indian companies process data and run critical systems through third-party vendors — cloud providers, SaaS platforms, payment processors, logistics partners. Under the DPDP Act, a Data Fiduciary remains accountable for the processing carried out by its Data Processors, and a vendor-caused breach exposes the principal company to regulatory liability. Effective cyber governance requires a vendor risk management programme: contractual data processing agreements with all vendors handling personal data, security assessment of high-risk vendors before onboarding, and periodic review of vendor access rights. Board governance of vendor risk means establishing minimum security requirements for vendor procurement and receiving periodic reporting on critical vendor risk from management.

Incident Response and Board Accountability

When a material cyber incident occurs, the board's conduct in the response period is subject to scrutiny — by regulators, insurers, and potentially shareholders. Directors who received adequate advance briefing on cyber risks, approved an incident response plan, and ensured that the plan was tested through simulation exercises are in a fundamentally different position to those who had no prior engagement with the subject. Founders who serve on their own boards should ensure that board minutes record cyber risk oversight activities throughout the year: risk appetite discussions, incident response plan approvals, CERT-In compliance confirmations, and audit findings. This documentation protects directors by demonstrating that their fiduciary duty of care extended to cyber risk management before any incident arose.

Key Takeaways

  • Cyber risk is a board governance obligation for founders who are directors — the board must engage with cyber risk strategically, and documented oversight is the primary defence against post-incident fiduciary claims.
  • CERT-In’s April 2022 Directions impose minimum requirements: a designated point of contact, six-hour reporting for specified incidents, and 180-day log retention — these are regulatory floors, not aspirational targets.
  • Vendor contracts must include security standards, notification obligations within 24 hours of a security incident, and audit rights — the organisation remains regulatorily responsible for vendor-side incidents affecting its data.
  • Pre-establish an incident response retainer with external legal and forensic counsel — governance decisions made in the first hours of an incident without qualified advice are the most expensive mistakes founders make.
  • DPDP Act 2023 obligations — breach notification, DPO appointment, processor agreements — carry penalties of up to ₹250 crore; these must be embedded in operating procedures before an incident, not after.

How GT Legal Can Assist

Concerned about your organisation's cyber risk governance posture?

Founders and directors carry personal accountability for cyber risk governance failures — under the IT Act, the DPDP Act, and sector-specific regulatory frameworks. Whether you want to assess your current governance arrangements, understand your obligations as a director, review your organisation's CERT-In compliance posture, or advise your board on cyber risk oversight responsibilities, our team can provide practical guidance tailored to your organisation's size and sector.

References

  • Companies Act, 2013 — director duties and board governance obligations, Ministry of Corporate Affairs.
  • CERT-In Directions on Cyber Security Incident Reporting, 28 April 2022 — designated contact, six-hour reporting, 180-day log retention.
  • Digital Personal Data Protection Act, 2023, Sections 8(6), 17 — breach notification and Significant Data Fiduciary obligations.
  • Information Technology Act, 2000, Section 43A — reasonable security practices for body corporates.
  • ISO/IEC 27001:2022 — Information Security Management Systems standard.
  • SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 — cyber incident disclosure for listed entities.

Disclaimer

This article is for general information only and does not constitute legal advice, solicitation or an advocate-client relationship. Readers should obtain advice based on their specific facts before acting on any legal, regulatory or forensic advisory issue.
