NCSRC NIRMATA
GL-02 Governance & Leadership 10% of OML score

Has management formally acknowledged cybersecurity and data protection as business risks?

Does your company's senior management (owner, MD, board) formally recognize that cyber attacks and data breaches are real business risks—not just IT problems? Have they put this recognition in writing and tied it to business decisions like budgets and hiring?

⚡ Why This Matters to Your Business

Without leadership buy-in, cybersecurity stays underfunded, reactive, and siloed in IT. A typical scenario: your e-commerce business handles customer payment data but management views security spending as 'wasting money on IT.' When a breach exposes 50,000 customer records, you face DPDP Act fines (up to ₹50 crore), lawsuits, lost customers, and mandatory notification costs. Your insurance won't cover it because you had no documented risk management process. Customers and partners stop trusting you, and regulatory audits find systemic negligence.

📊 What Each Maturity Level Looks Like

Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.

Level 0
Absent

You walk in and find no written cybersecurity policy, no mention of cyber risk in board minutes, and no budget line for security. Management views it as 'something IT handles if needed'.

Level 1
Initial

You find an email or informal note from the MD saying 'cybersecurity is important,' but no formal policy, no risk assessment, and security budget remains ad-hoc and squeezed during cost cuts.

Level 2
Developing

You find a signed cybersecurity policy statement from management acknowledging data breach and cyber risk, included in the annual business risk register, and a small dedicated security budget approved in the annual plan.

Level 3
Defined

You find a formal risk assessment document (even a simple one) that lists cyber and data protection risks, a board-approved cybersecurity strategy with clear ownership, and security budget allocated separately with sign-off from CFO and MD.

Level 4
Managed

You find quarterly board reports on cybersecurity metrics and incidents, documented linkage between cyber risks and business objectives, regular management review meetings on security posture, and budget tied to identified risks with a multi-year roadmap.

Level 5
Optimised

You find an integrated governance structure where cyber risk sits alongside financial and operational risk, executive KPIs include security metrics, independent audit findings are discussed at board level, and security investment is treated as business resilience spending.

🚀 How to Move Up — Practical Steps
Step 0 → 1
  What to do: Schedule a 1-hour meeting with MD/owner and IT lead. Walk through one real breach scenario relevant to your industry (e.g., ransomware shutting down operations, customer data leak). Get verbal acknowledgment and ask the MD to send one email to staff saying 'cybersecurity is a priority.' Document this email.
  Who: MD/Owner + IT Lead
  Effort: 1 day

Step 1 → 2
  What to do: Draft a one-page Cybersecurity Risk Acknowledgment statement (template: 'Our company recognizes data breaches and cyber attacks as material business risks affecting [operations/reputation/compliance/revenue]. We commit to protecting customer and company data.'). Get the MD's signature. Add it to your annual business risk register or annual report.
  Who: IT Lead (draft) + MD (approval)
  Effort: 1 week

Step 2 → 3
  What to do: Conduct or hire a simple risk assessment (₹20k-50k for a consultant, or use the NIST CSF worksheet). Identify the top 5 cyber risks specific to your business (e.g., ransomware, data theft, compliance violation). Create a one-page Risk Register and present it to management. Tie the security budget request to these risks.
  Who: IT Lead (with external consultant if budget allows)
  Effort: 2-4 weeks

Step 3 → 4
  What to do: Develop a formal Cybersecurity Strategy document (3-5 pages) signed by the MD with clear objectives (e.g., 'Achieve ISO 27001 certification by Q4 2025'), assign a Chief Information Security Officer or security owner (can be an external consultant on retainer), and establish monthly security review meetings with management attendance.
  Who: IT Lead + MD + External CISO (part-time, ₹30k-50k/month)
  Effort: 1-2 months

Step 4 → 5
  What to do: Establish quarterly board-level reporting on cybersecurity KPIs (e.g., incidents, patch status, audit findings), tie executive bonus/KPIs to security metrics, conduct an annual independent security audit, and document risk management decisions in board minutes. Integrate cyber risk into the enterprise risk management framework.
  Who: CISO/Security Owner + CFO + MD + Board Secretary
  Effort: Ongoing

📁 Evidence You Should Have

Documents and records that prove your maturity level.

  • Signed Cybersecurity Risk Acknowledgment or Policy Statement from MD/Board dated within last 12 months
  • Cybersecurity or Data Protection Risk included in formal Business Risk Register with management sign-off
  • Board Minutes or Management Meeting Minutes showing discussion of cyber risk (at least annually)
  • Annual Budget or Finance Plan with dedicated cybersecurity/security budget line item with approval signatures
  • Risk Assessment Report (internal or external) documenting identified cyber and data protection risks with ownership assigned

🔍 What an Auditor Will Ask

Prepare for these questions from customers or third-party reviewers.

  • "Can you show me the written statement where your board or senior management formally acknowledges cybersecurity and data protection as business risks?"
  • "How does your company's risk register address cyber and data protection risks? Who owns these risks and what is the mitigation plan?"
  • "What cybersecurity budget was approved in your last annual plan and by whom? Can you show the approval?"
  • "How does management monitor or review cybersecurity? Is this discussed in board meetings, and if so, how frequently?"
  • "Do your executives or KPIs include any cybersecurity or data protection metrics? Can you explain the link between business strategy and security decisions?"

🛠 Tools That Work in India

Purpose: Create a simple one-page Risk Register template and track cyber risks alongside other business risks
  Free option: Microsoft Excel or Google Sheets (use the NIST CSF sample risk template from NIST.gov, free to download)
  Paid option: LogicGate Risk Cloud (₹3-5 lakhs/year for SME tier) or Rsam GRC (custom pricing)

Purpose: Assess and document your cybersecurity maturity against a framework so you can present it to management
  Free option: NIST Cybersecurity Framework 2.0 (free PDF, self-assessment worksheet at nist.gov)
  Paid option: Qualys CMMC assessment (₹5-10 lakhs, one-time) or Rapid7 InsightVM (₹10-15 lakhs/year)

Purpose: Create professional cybersecurity policy documents with MD sign-off templates
  Free option: ISO 27001 Annex A control library (available free from various open sources) or SANS Security Policy templates
  Paid option: OnPolicy or SecurityStudio templates (₹50k-1 lakh for a policy suite) or hire a consultant (₹30k-50k)

🛡 How This Makes You More Resilient

When management formally acknowledges cyber risk, security investments get funded and prioritized before a breach happens—not after. This means vulnerabilities get fixed, staff get trained, and incident response plans exist. When a breach does occur (it will), you have insurance coverage, a prepared response team, and evidence of due diligence that protects you from massive fines and lawsuits. Your business survives and recovers faster.

⚠️ Common Pitfalls in India

  • Owner says 'yes, security matters' verbally but never puts it in writing or budget—so when an incident happens, no evidence exists that management knew the risk, leading to regulatory penalty for negligence
  • Cybersecurity is treated as 100% IT department responsibility with no board visibility, so security stays invisible and underfunded while the MD wonders why IT keeps asking for money
  • A one-time 'risk assessment' is done by a consultant and then filed away; management never reviews it, updates it, or ties it to decisions—so it becomes a checkbox, not a tool
  • Security budget is cut during downturns because 'nothing has happened yet,' leaving the company vulnerable exactly when economic stress makes cyber criminals more aggressive
  • Foreign investors, insurance auditors, or large customers ask for management's cybersecurity commitment and the company has no document to show, losing deals or facing insurance denial

⚖️ Compliance References

DPDP Act 2023
  Relevant section: Section 8 (governance and responsibility of data processor) and Section 4 (lawful basis and risk assessment) require organizations to assess and document data protection risks.

CERT-In Guidelines
  Relevant section: 2013 Incident Reporting Guidelines (updated 2022) require organizations to have documented cybersecurity policies and incident management frameworks reviewed by management.

ISO 27001:2022
  Relevant section: Clause 5 (Leadership) requires top management to demonstrate commitment to information security and integrate it into business processes; Annex A.5.1 (Policies for information security).

NIST CSF 2.0
  Relevant section: Govern Function (GV) / GV.RO Risk and Oversight category: organizational context and risk management strategy must be defined and communicated by leadership.


TRUST-IN Bharat · NIRMATA Framework · Licensed CC BY-SA 4.0 · Custodian: Elytra Security
