BFSI breach response

Why data breach response is a board-critical cyber risk issue for BFSI

The first 72 hours of a breach can determine an organization’s regulatory, financial and reputational outcomes.


In brief

  • Regulatory scrutiny now relies on the speed, quality and evidence behind breach‑response decisions, not the existence of controls.
  • The first 72 hours are a decisive pressure test, requiring coordinated forensics, clear documentation and aligned communication across multiple regulators.
  • Board‑level preparedness, strong vendor obligations and early forensic triage significantly reduce exposure under the DPDP framework.

Over the past decade, financial institutions in India have invested heavily in cybersecurity controls, but the most significant regulatory failures rarely stem from the absence of controls. They emerge from how organizations respond once those controls fail.

The Digital Personal Data Protection Act, 2023, and the Digital Personal Data Protection Rules, 2025, fundamentally reframe data breaches — from technical incidents into time-bound regulatory events. For banks and insurers, this is not simply another compliance layer; it is a test of incident maturity, decision-making discipline and board-level oversight under pressure.

The DPDP Act established accountability. The Rules introduce measurability. Under DPDP, ‘reasonable security safeguards’ will increasingly be judged in hindsight — not by what was procured, but by whether safeguards enabled timely detection, evidence preservation and defensible decision-making. The Rules then operationalize this expectation by asking a simple but powerful question after every breach: How quickly did you detect, assess, contain and report using evidence, not hindsight explanations?

The Draft Rules hinted at this, but the final DPDP Rules 2025 remove ambiguity. Breach reporting timelines are defined, notification obligations are explicit and the role of incident documentation is central. Every breach is now a potential regulatory reconstruction exercise.

What will regulators examine after a breach?

India’s DPDP enforcement trajectory is likely to mirror that of global privacy regulators: penalties may vary, but scrutiny will focus relentlessly on the organization’s conduct during the first hours and days of a breach, and in particular on how it handled the regulator notification process, that is, on its DPDP breach response.

Key forensic questions regulators are likely to ask:

  • When did the organization first detect suspicious activity?
  • When did it internally conclude that personal data was affected?
  • What evidence supports that conclusion?
  • Why did notifications occur when they did?
  • Were decisions documented contemporaneously or reconstructed later?

The DPDP Rules make asking these questions unavoidable by mandating 72-hour reporting to the Data Protection Board and customer notification without delay. Most regulatory penalties in cyber incidents are not driven by how a breach occurred, but by what organizations did, or failed to do, upon discovery. 

The 72-hour window: A forensic stress test

The 72-hour data breach reporting requirement does not provide much time to deal with a live cyber incident, especially in BFSI environments with complex legacy systems, multiple vendors and large customer datasets. However, the Rules do not expect a completed forensic investigation within 72 hours. They expect forensic incident maturity, reflected as:

  • A defensible preliminary assessment
  • Evidence-based reasoning
  • Demonstrable containment actions

A strong response uses forensics to answer just enough questions early:

  • Is personal data involved?
  • What categories of data?
  • Approximate scale?
  • Is there plausible harm?

Waiting for certainty is the fastest way to miss statutory deadlines.

Customer notification as part of regulatory breach obligations

The requirement to notify affected individuals “without delay” introduces a uniquely difficult balancing act, especially for banks and insurers. 

What this means for various stakeholders in an organization: 

  • For CISOs: detection, evidence, escalation speed
  • For General Counsel: defensible decision logs, regulator alignment
  • For Boards: authority delegation, simulation participation

Regulators are far more forgiving of incomplete but honest notifications about data breach reporting than of delayed disclosures justified by “ongoing investigation.”

Boards should understand that customer notifications are now part of incident containment, not a post-incident activity.

The overlooked challenge: Parallel regulator reporting

In BFSI, DPDP reporting rarely occurs in isolation. Banks and NBFCs should continue reporting cyber incidents to the Reserve Bank of India, often on an immediate or near-real-time basis. Insurers face similar expectations from the Insurance Regulatory and Development Authority of India. Certain incidents also trigger reporting to CERT-In.

From a forensic coordination standpoint, this creates three risks:

  • Inconsistent narratives across regulators
  • Timeline conflicts between cyber and privacy reporting
  • Evidence gaps caused by parallel, uncoordinated disclosures

Mature organizations treat breach response as a single orchestration problem, with tailored outputs for each regulator.

The strongest signals of board readiness are:

  • Pre-approved regulator and customer notification templates
  • Clear delegation of authority during incidents
  • Regular breach simulation exercises involving legal, IT, compliance and communications
  • Vendor contracts that support 72-hour reporting


Forensic preparedness

Based on incident post-mortems across financial services, these measures can reduce DPDP exposure:

  • Early forensic triage capability: Rapid log preservation, endpoint isolation and timeline reconstruction matter more than deep root-cause analysis in the first phase.
  • Decision logs: Regulators assess intent and diligence. Time-stamped decisions and rationales are often as important as technical findings.
  • Vendor breach escalation disciplines: Many DPDP failures will originate with third parties. Without contractual “hours-not-days” notification clauses, compliance becomes aspirational.
  • Board visibility during incidents: Silent boards create documentation gaps. Informed boards build defensible cyber governance maturity and maintain records.
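The decision-log point above (and the earlier question of whether decisions were documented contemporaneously or reconstructed later) is easiest to see in code. The following is an added example, not part of the original article and not a regulatory format: an append-only, hash-chained decision log in which each entry carries its own timestamp and the hash of the previous entry, plus a helper that tracks the 72-hour reporting window. The log design, the entry fields and the sample timeline are all assumptions constructed for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# DPDP Rules: report to the Data Protection Board within 72 hours of detection.
REPORTING_WINDOW = timedelta(hours=72)
GENESIS = "0" * 64  # placeholder "previous hash" for the first entry


def _digest(body: dict) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class DecisionLog:
    """Append-only, hash-chained decision log (assumed design). Each entry records who
    decided what, why and when, plus the previous entry's hash, so editing or back-dating
    an entry after the fact breaks the chain."""

    def __init__(self) -> None:
        self.entries: list[dict] = []

    def append(self, when: datetime, actor: str, decision: str, rationale: str) -> str:
        # Contemporaneous means monotonic: a new entry cannot predate the last one.
        if self.entries and when < datetime.fromisoformat(self.entries[-1]["ts"]):
            raise ValueError("entries must be appended in time order")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {"ts": when.isoformat(), "actor": actor, "decision": decision,
                "rationale": rationale, "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
        return self.entries[-1]["hash"]

    def verify(self) -> bool:
        """Recompute every hash and link; False means the record was altered."""
        prev = GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def hours_remaining(detected_at: datetime, now: datetime) -> float:
    """Hours left in the 72-hour window; negative once the statutory deadline is missed."""
    return (detected_at + REPORTING_WINDOW - now).total_seconds() / 3600


# Constructed sample timeline (illustrative values, not from any real incident)
T0 = datetime(2025, 3, 10, 9, 0, tzinfo=timezone.utc)
T_NOTIFY = T0 + timedelta(hours=30)
log = DecisionLog()
log.append(T0, "SOC", "suspicious activity detected", "alert on anomalous customer-table export")
log.append(T0 + timedelta(hours=5), "IR lead", "personal data affected", "export job read KYC records")
log.append(T_NOTIFY, "General Counsel", "notify Data Protection Board", "preliminary assessment is defensible")
```

In practice the chain head (the last hash) would be written to a separate, access-controlled store at each step so that the log itself cannot be silently rewritten together with its hashes.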

Key next steps

For banks and insurers, success under the DPDP regime will not depend on whether a breach occurs. It will depend on whether the organization can demonstrate forensic readiness.

From a cyber risk and forensic perspective, preparedness is no longer optional; it is the primary defense. For good financial sector cyber governance, the question organizations need to answer is not whether they have enough controls, but whether they can act responsibly when those controls fail.

Summary

India’s DPDP Act and Rules shift data breaches from technical failures to time‑bound regulatory events, requiring financial institutions to demonstrate rapid detection, disciplined decision‑making and defensible documentation. Regulators will scrutinize the first 72 hours after an incident, focusing not on how the breach occurred but on how the organization responded. Banks and insurers should manage simultaneous reporting to multiple regulators, maintain consistent narratives and strengthen forensic readiness. Boards also play a critical role by enabling preparedness, approving clear authority structures and participating in simulations. Under this regime, organizational maturity, not technology, determines regulatory outcomes and reputational resilience.
