The 12 Hardest Board Questions on Cybersecurity — Answered

The challenge is that each regulatory framework contains dozens or hundreds of individual controls, each of which must be implemented and evidenced. The IRDAI Cybersecurity Guidelines (2023, revised March 2025) contain 45 controls across 8 domains. SEBI CSCRF contains controls across 5 categories. RBI's Master Directions on Information Technology have an extensive control catalogue. Manual assessment cannot produce a current, accurate compliance picture — it produces a picture of what the compliance team last audited.

A defensible answer requires Unified Control Library (UCL) mapping — each of the organisation's controls mapped to the specific requirements it satisfies in each framework, with evidence freshness tracked continuously. When a control's evidence expires, the compliance score for every framework that control covers drops immediately.

The request for a number in rupees is entirely reasonable. Boards govern financial risk in quantitative terms — credit risk in basis points, market risk in VaR, operational risk in capital charge. There is no principled reason to exempt cyber risk from financial quantification.

The resistance to quantification is usually framed as "too many unknowns" or "cyber risk is different." Both positions are incorrect. FAIR v3.0 was designed specifically to handle uncertainty through probabilistic ranges — the output is not a precise single number but a defensible probability distribution that captures the uncertainty. The P95 figure tells the board the worst realistic scenario, not the worst conceivable one.

The CERT-In 6-hour window begins at the moment of detection — not at the moment the CISO is notified, not at the moment the incident is confirmed. This means the SOC analyst who first identifies an anomaly at 11 PM is the person who starts the clock. The process to escalate, classify, populate the CERT-In notification format, and submit must be capable of completing in under 6 hours from that moment.

Most IR processes fail not because they lack documentation but because they have never been exercised under the specific constraint of regulatory reporting. A tabletop exercise that practices internal containment but not regulatory notification is incomplete. The board should ask to see last quarter's incident SLA performance as a percentage — what fraction of incidents that required CERT-In notification were reported within 6 hours?

India's DPDP Act 2023 and its Rules 2025 impose clear obligations: Data Fiduciaries (banks, insurers, brokers) are responsible for ensuring that Data Processors (their vendors) handle personal data only as specified in a written DPA. The DPA must cover purpose, categories, retention, sub-processor controls, and deletion on contract end. Most organisations have some contracts, but few have a complete, auditable DPA register that they can produce instantly on demand.

The regulatory inspection question is blunt: "Show me all contracts with entities that process customer personal data and confirm each has a DPDP-compliant DPA." If the answer requires two weeks to compile, the organisation does not have adequate vendor data governance — and the next DPDP inspection or RBI examination will reflect that.

This is the question that most CISOs cannot answer with confidence, because it requires financial quantification of risk that most organisations have never undertaken. The framework for answering it is straightforward: calculate the unadjusted ALE for the top risk scenarios (what the losses would be without the current security programme), then calculate the adjusted ALE (with current controls), and compare the difference to the programme cost.

For a ₹22 crore programme to be "enough," it needs to demonstrably reduce ALE by more than ₹22 crore. For it to be "right-sized," the marginal cost of additional controls should not produce risk reduction that exceeds the marginal cost — in financial terms, the security portfolio should be optimised at the point where the last rupee of investment produces approximately one rupee of ALE reduction.

SEBI CSCRF is unusually specific about board-level accountability. The framework requires regulated entities — stock brokers, depositories, exchanges, mutual funds, and others — to establish a cybersecurity governance framework with board oversight. It mandates automated cybersecurity dashboards. It requires the board to set and periodically review cyber risk appetite.

The three specific board obligations under CSCRF are: (1) formally approve the cybersecurity policy and risk appetite annually; (2) review cyber risk posture via an automated dashboard — not a manually prepared report — with defined thresholds; and (3) ensure cybersecurity controls are independently assessed. Directors who do not have documentary evidence of having performed these functions are personally exposed in the event of a significant incident that triggers regulatory examination.

Peer comparison is difficult because most organisations don't publish their maturity levels. However, the question can be answered in terms of regulatory expectations. SEBI CSCRF, with its mandates for continuous monitoring, automated dashboards, and board-approved risk appetite, describes an organisation that is operating at NIST CSF Tier 3 (Repeatable) or above. IRDAI's board attestation requirement implies that the GOVERN function is at Tier 3. If an organisation's GOVERN function is at Tier 2, it is below the implied regulatory expectation.

The maturity gap is also actionable. Unlike a vague "we need to improve our security posture," a NIST CSF Tier gap analysis produces specific, measurable improvement targets — each function, each gap, each control investment required to close it.

IRDAI's requirement for board attestation is one of the most consequential governance obligations facing India's insurance sector. The IS audit report must be reviewed by the board, signed by both the external IS auditor and the board, and submitted to IRDAI within 90 days of the financial year end — or within 30 days of audit completion, whichever is earlier. Failure is not a technicality — it is a supervisory compliance breach that IRDAI examinations specifically check for.

The process breaks down in three ways in practice: (a) the audit takes longer than anticipated, leaving insufficient time for board review and submission; (b) the board review happens but is not properly documented — the minutes exist, but there is no evidence that the board specifically reviewed the IS audit findings; and (c) the submission happens but there is no tracking of the IRDAI receipt acknowledgement.

The liability landscape for directors of Indian BFSI organisations has become materially more serious in the past three years. The CERT-In Directions 2022 under Section 70B of the IT Act expose any person in charge of and responsible for the organisation to criminal liability for non-compliance — including missed notification deadlines. DPDP's penalties fall on the organisation, but enforcement history from GDPR (upon which DPDP is substantially modelled) shows that regulators can and do seek evidence of board-level governance failure when imposing maximum penalties.

The defence available to directors is demonstrating that they exercised appropriate oversight — that they reviewed the organisation's cybersecurity posture regularly, that they were provided with adequate information, that they set and tracked risk appetite, and that they approved appropriate resource allocation. Directors who can produce a signed, time-stamped board dashboard showing that they reviewed the organisation's CERT-In readiness in the quarter before an incident are materially better positioned than directors whose only engagement with cybersecurity was an annual narrative briefing.

A posture percentage without a trend is a snapshot. A trend without an explanation is a mystery. A trend with an explanation but without a remediation plan is a problem. The board is entitled to all three: trend, root cause, and remediation status.

Control drift — the degradation of compliance posture between audit cycles — is one of the most common and least-tracked phenomena in enterprise GRC. Evidence for a control expires. A monitoring rule fails silently. A control implementation is revoked as part of a system change. In each case, the posture score drops, but nobody is notified unless there is an active drift detection system in place.

Cyber insurance decisions in most Indian BFSI organisations are made by procurement teams with minimal input from the security function and no input from quantitative risk analysis. The coverage amount is often a round number — ₹10 crore, ₹15 crore, ₹25 crore — selected based on industry practice or broker recommendation rather than analysis of actual exposure.

The insurer question is also important. Most cyber insurance policies contain disclosure obligations — the insured must disclose material facts about its risk profile. Unremitted VAPT findings, unpatched CRITICAL vulnerabilities, and known deficiencies in incident response capability could all be considered material facts. Non-disclosure may void coverage at the point of claim.

This question reveals the governance gap that most boards have not yet addressed. The board meets quarterly. Cyber incidents happen continuously. A critical vulnerability may be discovered, exploited, and cause damage in the six weeks between board meetings with no board-level visibility until the next scheduled review.

Effective board-level oversight requires defined escalation triggers: specific thresholds at which the CISO is obligated to notify the board chair or the audit committee immediately — outside the normal quarterly cycle. These triggers might include a CRITICAL VAPT finding in a customer-facing system that is not remediated within the defined SLA, a CERT-In notification that was made within the 6-hour window but where the incident severity is above a defined threshold, or a posture deterioration of more than 10 percentage points in any single framework.