Overview
Cybersecurity incidents today create simultaneous operational, legal, regulatory and reputational exposure of a kind that organisations are rarely prepared to manage without legal guidance. The CERT-In Directions of April 2022 introduced mandatory six-hour incident reporting obligations, log retention requirements, and virtual asset provider registration — with non-compliance carrying criminal liability. At the same time, RBI, SEBI, IRDAI and TRAI have each issued their own cybersecurity frameworks and circulars applicable to regulated entities, creating a dense web of sectoral obligations that must be satisfied in parallel. Against this backdrop, enterprises face increasing pressure from boards, insurers, and regulators to demonstrate robust cyber governance, not just technical security controls.
Our Cybersecurity & Digital Risk advisory team bridges the gap between technical cybersecurity posture and legal regulatory compliance — translating complex technical environments into board-ready governance frameworks, policy structures, and compliance programmes that satisfy regulatory obligations while supporting commercial objectives. We work alongside CISOs, CROs, compliance teams, and boards to build cyber governance that is legally defensible, operationally practical, and appropriately calibrated to enterprise risk appetite.
Our Services
End-to-end governance and compliance advisory for enterprise cybersecurity.
Regulatory Landscape
India's overlapping cybersecurity compliance obligations across regulators.
CERT-In Directions 2022
Mandatory six-hour cyber incident reporting, 180-day log retention, Virtual Private Server and Virtual Private Network provider registration, and synchronisation of ICT infrastructure clocks — with criminal liability for non-compliance under the IT Act.
RBI Cybersecurity Framework
Comprehensive cybersecurity framework for banks, NBFCs, and payment system operators — including baseline security controls, incident reporting to RBI within two to six hours, IS audit requirements, and CISO appointment obligations.
SEBI Cyber Security Circular
Cyber security and cyber resilience framework for stock exchanges, depositories, clearing corporations, KRAs, and registered intermediaries — including annual cyber audits, penetration testing, and board-level oversight requirements.
IRDAI Information & Cyber Security Guidelines
Information and cyber security guidelines for insurers — board-approved information security policy, CISO designation, annual cyber audits, vulnerability assessments, and incident reporting to IRDAI within 24 hours.
How We Work
A three-phase advisory engagement designed for enterprise deployment.
Risk Assessment & Compliance Mapping
We conduct a structured review of your current cybersecurity governance, existing policies, technical controls, and incident history against applicable regulatory obligations — including CERT-In, sectoral frameworks, and contractual requirements — producing a prioritised compliance and governance roadmap.
Governance Framework & Policy Design
We design and draft your enterprise cybersecurity governance framework — board-approved security policy, incident response policy, CERT-In compliance procedures, third-party risk protocols, and reporting structures — tailored to your sector, scale, and risk environment.
Implementation Support & Board Reporting
We support implementation across legal, compliance, and technology teams, coordinate cyber audits, assist with regulatory interaction and incident notifications, and prepare board-ready cyber risk reports and governance updates throughout the engagement.
