In the EY India Insights podcast, we examine why data breach response in the BFSI sector has evolved from a technical IT issue into a board‑level governance priority. With the introduction of India’s Digital Personal Data Protection Act (DPDP), 2023, there is increased focus on how organizations respond to data breaches now, considering that it directly impacts trust, regulatory outcomes and business continuity. Ranjeeth Bellary, Partner, Forensic & Integrity Services, EY India, shares perspectives on the critical decisions that should be taken in the first few hours of the breach, the role of forensic readiness and the importance of evidence‑led response frameworks. The discussion highlights what boards and leaders must do to build resilience, enable accountability and respond effectively under pressure.
Key takeaways
Data breach response in BFSI has become a board‑level responsibility, with regulatory expectations linking response quality directly to trust and accountability.
The first 72 hours of a breach are critical, requiring disciplined decisions on classification, containment, notification and customer protection.
Regulators assess decision discipline and evidence, making forensic readiness and documentation essential to demonstrate governance during breach response.
Organizations without strong data logs face delays, evidence gaps and higher regulatory exposure compared to those that maintain them.
Forensic readiness helps organizations reduce investigation costs, respond faster, and ensure timely, transparent reporting to regulators, customers and employees after breaches.
Ranjeeth Bellary
Partner, Forensic & Integrity Services, EY India
For your convenience, a full text transcript of this podcast follows:
Hello and welcome to EY India Insights.
I am Pallavi, your host for today. Today, we are discussing why data breach response in the BFSI sector has moved beyond IT and become a board level governance issue. With rising regulatory expectations, how organizations respond to a breach now defines trust, accountability, and outcomes.
Why has data breach response in BFSI shifted from a technical IT issue to a board critical governance and regulatory risk under India’s Digital Personal Data Protection Act, 2023 (DPDP) framework?
Ranjeeth
It is a very relevant question for BFSI companies today because when you look at regulatory accountability, the DPDP Act expects so. Because whenever a breach happens, the direct impact is on customer trust, on fiduciary responsibility or business continuity.
That is where it has moved from a simple IT incident to governance, privacy conduct and regulatory accountability for a lot of organizations. Under DPDP, a personal data breach must be notified to the Data Protection Board and to impacted individuals. And what we have seen is that DPDP analysis ensures that a detailed board report is required within 72 hours, and failure to notify can attract penalties up to INR 200 crore, which is a huge amount for any organization.
Today, the board is no longer asking only where we (were) attacked, they should also be asking if we responded lawfully, quickly, transparently and with the right evidence. And that is where the regulators are looking for the right reporting from an organizational standpoint. Not just RBI; different regulatory authorities are treating this as a board level matter.
That is where cyber security incident response, recovery management and cyber crisis management policies must be approved and reviewed by the board.
Pallavi
Building on the previous question, the first 72 hours of the breach are often decisive. What decisions during this window most strongly influence the regulatory, financial and reputational outcomes for the banks and the insurers?
Ranjeeth
I will mention some of the top important decisions that organizations need to look at. First is classification – whether it is only a cyber incident or also a personal data breach. That will determine the regulatory reporting you need to do to different authorities, like to the DPDP Board, whenever it is formed, to the Indian Computer Emergency Response Team (CERT-In), and to RBI. From an insurance standpoint, it needs to go to the Insurance Regulatory and Development Authority of India (IRDAI). For customers, it could be law enforcement or could be contractual obligations if there is a third-party breach.
Second is containment without destroying evidence. Typically, what we have seen is that organizations shut their systems once they detect a breach. But from a forensic standpoint, that could do more harm because a lot of evidence gets lost in this process. The better decision is controlled containment, where the systems could be preserved for forensic imaging and the preservation of the relevant logs and chain of custody.
Third is the notification strategy. DPDP requires affected individuals and the board to be informed without delay with a detailed report to the board within 72 hours. CERT-In also requires specific circumstances to be reported within six hours of noticing that. So, having the right notification strategy is very important.
Finally, the last decision is customer protection. For example, for a bank or an insurer, the response should include account monitoring, card blocking, fraud watch lists, call center scripts and clear customer advisories. If I can give another quick example, let us say there is a customer KYC record that got exfiltrated; the question is not just whether the database was patched. The decisive questions are also: who is affected, what data elements were exposed, what fraud risk arises, what customers should do, and what evidence supports our conclusion?
Pallavi
How are regulators today assessing the quality of breach response, especially in terms of evidence, documentation and decision discipline rather than just the existence of cybersecurity controls?
Ranjeeth
Regulators are increasingly looking beyond whether controls existed before the incident. They are looking for the decision discipline from the organizations. For example, can the institution prove what happened; when it knew and who decided; why the decision was made or whether the decision made was reasonable, and what was done to protect their customers?
These are some of the aspects that regulators are increasingly looking for. Not just from an India standpoint; globally also, that is what the majority of regulators are looking for right now. Obviously, evidence matters, like logs, endpoint telemetry, access records, data flow maps, meeting notes, legal privilege protocols, notification drafts and customer impact assessments.
From RBI's standpoint, RBI's IT covenants direction requires clear escalation and reporting plans to the board, senior management, customers and CERT-In. It also requires forensic analysis necessary to determine severity, impact and root cause. So, in a breach investigation, absence of evidence can look like absence of governance.
Pallavi
What role does forensic readiness, including the early triage and evidence preservation, play in creating a very defensible breach response for the organizations?
Ranjeeth
Forensic readiness means pre-agreed incident playbooks, preserved logs, endpoint visibility, cloud audit trails, privileged access records, the right controls that were enabled within the different systems to ensure that a forensic (analysis) can happen and a well-trained forensic and crisis team.
RBI expects regulated entities to analyze cyber incidents, including through forensic analysis, if necessary, for severity, for impact and for root cause. For example, a bank that has 180 days of usable logs, synchronized timestamps, and mapped customer data repositories can produce a defensible breach report quickly. On the other hand, a bank that starts searching for logs after the breach, is already running against time. Forensic readiness plays a very important role for organizations, not only to reduce the cost of doing an analysis or an investigation post incident, but also to ensure that they are reporting timely to the regulatory authorities, to their customers and even to their employees, if the breach involves employee data.
So, forensic readiness is hugely helpful in that aspect.
Pallavi
From a board level perspective, what does the effective breach preparedness look like today, particularly when you are factoring third party risk, cross-functional coordination and accountability under pressure?
Ranjeeth
From a board's perspective, preparedness has five elements majorly. The first is accountability – who is accountable or who is the executive owner across the organization? Is it the Chief Information Security Officer (CISO), Chief Information Officer (CIO), Data Protection Officer (DPO) or a legal/compliance/risk head? It is important to know who is accountable for different aspects, especially when dealing with a crisis or a data breach.
Second aspect is related to third party. Usually, organizations work with many third-party vendors, so contracts must require immediate breach notification, audit rights, log access, evidence preservation and cooperation. RBI specifically expects vendor risk controls to address legal or regulatory compliance from a customer data protection standpoint, from an availability standpoint and from a supply chain risk standpoint.
Third is crisis management. Oftentimes, we have seen organizations proactively spending on trying to address cyber and other risks.
However, when an incident happens, there is very little emphasis on how quickly they can detect and respond in the right way. That is where crisis management and tabletop exercises become hugely important. Tabletop simulations should involve not just IT or other teams, but also senior stakeholders like the CEO and the board. That is very important.
Fourth is regulatory readiness. The team should know what must be reported, and to whom it must be reported, within the stipulated timeline. Because today, a typical BFSI organization is looking at multiple regulators to which they need to report, depending on the kind of business they operate in.
Lastly, a customer-first response framework is extremely important. Eventually regulators are looking at the accountability of the organizations from their customer standpoint. The board should test whether communications are clear, factual and protective rather than defensive. These are the five elements that are important for boards to look at from a preparedness standpoint.
Pallavi
Thank you, Ranjeeth. That brings us to the end of this episode. Thank you so much once again for joining us and sharing all your perspectives with all our listeners.
Ranjeeth
Thank you, Pallavi.
Pallavi
Thank you. Our takeaway from today's conversation is that cyber resilience is not just about prevention, it is about readiness, decision making and credibility under pressure. And for BFSI boards, breach response has become a core governance capability.
Thanks all for tuning in to the EY India Insights podcast. We look forward to sharing more perspectives that help leaders build trust and resilience. Until next time, this is Pallavi, signing off.
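As an added, constructed illustration of the forensic-readiness points raised in the conversation above (usable log retention, synchronized timestamps, and evidence preservation with a chain of custody), here is a small Python check. It is not code from the podcast, from the speakers or from EY. The 180-day retention window is the figure mentioned in the discussion; the log sources, skew tolerance, artifact names and analyst identifier are hypothetical values chosen for the example.

```python
"""Forensic-readiness checks and a hash-chained chain-of-custody manifest (constructed example)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample: one record per log source, giving the oldest retained event,
# the event time stamped by the source itself and the time the central collector
# received it. Hypothetical values, not taken from any real institution.
NOW = datetime(2025, 6, 30, 12, 0, tzinfo=timezone.utc)
LOG_SOURCES = [
    {"source": "core-banking-app", "oldest_event": NOW - timedelta(days=200),
     "source_time": NOW - timedelta(seconds=2), "collector_time": NOW},
    {"source": "perimeter-firewall", "oldest_event": NOW - timedelta(days=45),
     "source_time": NOW - timedelta(seconds=1), "collector_time": NOW},
    {"source": "privileged-access-gw", "oldest_event": NOW - timedelta(days=365),
     "source_time": NOW - timedelta(minutes=7), "collector_time": NOW},
]


def retention_gaps(sources, now, required_days=180):
    """Return the sources whose retained history is shorter than required_days."""
    return [s["source"] for s in sources
            if (now - s["oldest_event"]).days < required_days]


def clock_skew_violations(sources, tolerance_seconds=60):
    """Return sources whose own timestamps drift from the collector by more than the tolerance.

    Unsynchronized clocks make it impossible to order events across systems,
    which is exactly what a breach timeline needs."""
    return [s["source"] for s in sources
            if abs((s["collector_time"] - s["source_time"]).total_seconds()) > tolerance_seconds]


def build_custody_manifest(artifacts, collected_by, collected_at):
    """Hash each preserved artifact and chain the records so later edits are detectable."""
    records, prev = [], "0" * 64
    for name, data in artifacts:
        record = {"artifact": name, "sha256": hashlib.sha256(data).hexdigest(),
                  "bytes": len(data), "collected_by": collected_by,
                  "collected_at": collected_at.isoformat(), "prev": prev}
        # Chain link: hash of this record's fields plus the previous link.
        record["chain"] = hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()).hexdigest()
        records.append(record)
        prev = record["chain"]
    return records


def verify_custody_manifest(manifest, artifacts):
    """Recompute artifact hashes and chain links; False if anything was altered or reordered."""
    if len(manifest) != len(artifacts):
        return False
    prev = "0" * 64
    for record, (name, data) in zip(manifest, artifacts):
        if record["artifact"] != name or record["sha256"] != hashlib.sha256(data).hexdigest():
            return False
        if record["prev"] != prev:
            return False
        unchained = {k: v for k, v in record.items() if k != "chain"}
        if record["chain"] != hashlib.sha256(
                json.dumps(unchained, sort_keys=True).encode()).hexdigest():
            return False
        prev = record["chain"]
    return True


# Constructed artifacts standing in for a preserved disk image and exported logs.
ARTIFACTS = [
    ("db-server-01.img", b"constructed disk image bytes"),
    ("auth-logs-2025-06.jsonl", b'{"user":"svc-batch","event":"login"}\n'),
]

if __name__ == "__main__":
    print("retention gaps:", retention_gaps(LOG_SOURCES, NOW))
    print("clock skew violations:", clock_skew_violations(LOG_SOURCES))
    manifest = build_custody_manifest(ARTIFACTS, "analyst-1", NOW)
    print("manifest verifies:", verify_custody_manifest(manifest, ARTIFACTS))
```

The two readiness checks are the kind of thing worth running routinely rather than after an incident: a source with less than the required window of history, or a clock drifting by minutes, is found here in seconds, whereas discovering it during a 72-hour reporting window costs time that cannot be recovered. The manifest records who collected what and when, and because each record's hash includes the previous link, any later change to an artifact or to an earlier record breaks verification.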