Data breach response emerges as a board-level priority for BFSI under DPDP rules

BFSI firms face rising pressure to strengthen breach response under DPDP framework

As India strengthens its data protection framework, financial institutions are facing a shift in how cyber risks are evaluated. The focus is no longer only on preventing breaches, but on how organisations respond when incidents occur.

The Digital Personal Data Protection Act, 2023, along with the Digital Personal Data Protection Rules, 2025, has turned data breaches into time-bound regulatory events. For banks and insurers, this marks a move from technical compliance to real-time accountability, where response speed and decision-making are closely examined.

Under the DPDP framework, “reasonable security safeguards” are judged by outcomes rather than by controls on paper. Regulators now assess whether an organisation could detect an incident quickly, preserve evidence, and make defensible decisions under pressure. The Rules set explicit breach reporting timelines, including a mandatory 72-hour window for reporting to the Data Protection Board and a requirement to notify affected customers without delay.

Regulators are expected to focus on a few key questions: when suspicious activity was first detected, when the impact on personal data was confirmed, what evidence supports each decision, and whether actions were documented as they were taken. Delays, or explanations reconstructed after the fact, may invite stricter scrutiny.

The 72-hour window is seen as a critical stress test, especially for BFSI firms managing complex systems and large datasets. While full investigations are not expected within this period, organisations must demonstrate early assessment, evidence-based reasoning, and clear containment actions.

Customer notification is now part of the incident response itself, not a step taken after the event. Regulators are more accepting of incomplete but timely disclosures than of communication delayed until an investigation is complete.

A key challenge for BFSI players is parallel reporting. Institutions may need to inform multiple regulators, including the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, and CERT-In, each with its own clock: CERT-In's 2022 directions, for instance, require incidents to be reported within six hours of being noticed, well ahead of the DPDP 72-hour window. This increases the risk of inconsistent reporting, conflicting timelines, and gaps in evidence between the submissions.

Experts highlight that strong governance requires pre-approved response templates, clear delegation of authority, regular simulation exercises, and strict reporting timelines for vendors. Early forensic readiness (log retention and evidence preservation set up before an incident), contemporaneous decision logs, and board-level visibility are critical to meeting regulatory expectations.

Ultimately, success under the DPDP regime will depend not on avoiding breaches, but on demonstrating the ability to respond effectively and responsibly when they occur.
