Introduction
As cyber threats continue to escalate in scale, frequency, and sophistication, organizations are under growing pressure to protect data, systems, and infrastructure. Merely having basic cybersecurity controls in place is no longer enough. Today’s legal and regulatory landscape demands demonstrable due diligence—concrete, proactive efforts taken by organizations to prevent, detect, and respond to cyber threats.
In India, demonstrating cybersecurity due diligence is a legal obligation under multiple laws and regulations, including the Information Technology Act, 2000, Digital Personal Data Protection Act, 2023 (DPDPA), and various sector-specific guidelines (from RBI, SEBI, IRDAI, etc.). Courts and regulatory bodies increasingly evaluate whether an organization acted with reasonable care and foresight to prevent cyber incidents.
Failure to demonstrate due diligence can result in regulatory penalties, civil liability, and even criminal consequences. This detailed explanation outlines what constitutes due diligence in cybersecurity, legal benchmarks in India, global expectations, and best practices with practical examples.
1. What Is Cybersecurity Due Diligence?
Cybersecurity due diligence refers to the process of actively identifying, assessing, managing, and documenting risks related to information security. It involves:
- Assessing potential cyber risks to data and systems
- Implementing appropriate technical and organizational safeguards
- Monitoring compliance and security performance
- Taking timely action to prevent or mitigate breaches
- Demonstrating a consistent, documented security program
From a legal standpoint, due diligence is the evidence that an organization took all reasonable steps to prevent cyber incidents and protect data.
2. Legal Basis of Due Diligence in India
a. Section 43A of the IT Act, 2000
- Requires body corporates that handle “sensitive personal data” to implement “reasonable security practices and procedures”
- In case of negligence leading to wrongful loss or gain, compensation is payable to affected parties
- Companies must prove that they followed best practices to avoid liability
b. Section 72A of the IT Act
- Penalizes disclosure of information obtained in the course of services without consent
- If such disclosure happens due to negligence in implementing access control, the organization can be penalized
c. Digital Personal Data Protection Act (DPDPA), 2023
- Requires data fiduciaries to protect personal data through technical and organizational measures
- Section 8 mandates safeguards against data breach, unauthorized access, and misuse
- Section 9 obligates prompt breach reporting to the Data Protection Board of India (DPBI)
If a breach occurs, organizations must demonstrate that they took reasonable and proportionate steps to prevent it—i.e., due diligence.
3. Key Components of Demonstrable Due Diligence
a. Risk Assessment and Mapping
- Conduct regular cyber risk assessments
- Identify critical assets, data flows, vulnerabilities, and exposure points
- Document all assessments with timestamps and responsible personnel
b. Security Policy and Governance Framework
- Maintain written security policies: data handling, password policies, access control, BYOD, remote work, etc.
- Assign a Chief Information Security Officer (CISO) or Data Protection Officer (DPO)
- Establish governance teams with defined roles and accountability
c. Technical and Organizational Safeguards
- Use firewalls, antivirus, DLP (data loss prevention), encryption, MFA (multi-factor authentication), and patch management
- Monitor logs, endpoint behavior, and intrusion attempts
- Back up critical data and secure recovery systems
d. Employee Awareness and Training
- Conduct regular cybersecurity awareness programs
- Test users with simulated phishing attacks
- Maintain attendance records and completion certificates
e. Vendor Due Diligence and Contracts
- Vet third-party vendors for cybersecurity compliance
- Include security clauses, breach notification terms, and indemnification in contracts
- Audit vendor security posture annually
f. Incident Response Planning
- Maintain an up-to-date incident response plan
- Assign responsibilities and escalation points
- Test the plan through tabletop exercises and simulations
g. Regulatory Compliance Audits
- Document compliance with DPDPA, IT Act, and sector-specific laws (RBI Cybersecurity Framework, SEBI Guidelines, etc.)
- Maintain audit trails, vulnerability scans, and penetration test reports
4. Evidence That Demonstrates Due Diligence
To legally prove due diligence, the following records and documentation should be maintained:
- Risk assessment reports and remediation actions
- Data protection impact assessments (DPIAs) for sensitive projects
- Cybersecurity policy manuals and employee sign-off sheets
- Internal audit and vulnerability scan reports
- Contracts with third parties with security terms
- Proof of encryption and access control in place
- Copies of regulatory compliance certifications (e.g., ISO 27001, SOC 2)
- Records of incident response activities and breach notifications
- Cyber insurance policy with documented terms and coverage
Example:
If a company suffers a phishing-based data breach but has records showing employee training, phishing simulations, and regular audits, regulators may reduce penalties under the DPDPA or waive some liability—demonstrating due diligence saved the company.
5. Sector-Specific Guidelines Reinforcing Due Diligence
a. RBI Cybersecurity Framework
Banks must:
- Conduct regular security audits
- Report cyber incidents within tight timelines
- Implement a Board-approved information security policy
- Appoint a CISO and conduct cyber drills
b. SEBI Guidelines for Market Intermediaries
- Perform periodic vulnerability assessments and penetration testing (VAPT)
- Implement two-factor authentication
- Maintain backup systems and disaster recovery policies
c. IRDAI Cybersecurity Framework (for insurers)
- Maintain logs and reports for at least 5 years
- Conduct annual third-party audits
- Encrypt policyholder data in motion and at rest
Failure to comply with these sector-specific requirements may be considered absence of due diligence, inviting regulatory action.
6. Global Influence: GDPR, ISO Standards, and Industry Norms
a. GDPR (EU)
- Mandates that data controllers/processors implement “appropriate technical and organizational measures”
- Requires proof of data protection by design and default
- Violations can result in fines up to €20 million or 4% of annual turnover
b. ISO 27001
- International standard for information security management
- Companies certified under ISO 27001 are generally seen as exercising strong due diligence
- Includes controls for access management, asset classification, incident handling, etc.
7. Legal Consequences of Failing to Show Due Diligence
If an organization cannot prove due diligence:
- Penalties under DPDPA (up to ₹250 crore for data breach or non-compliance)
- Compensation under IT Act for loss caused by negligence (Section 43A)
- Class action lawsuits by consumers
- Criminal liability for executives under Section 72A of the IT Act
- Regulatory sanctions, suspension of licenses, or blacklisting (by RBI, SEBI, etc.)
- Reputational damage and shareholder action
Example:
If a fintech company’s customer data is exposed, and it cannot show it had encrypted data, trained employees, or incident response mechanisms, it will be seen as negligent—even if the attack was external.
8. Court Interpretations and Regulatory Investigations
Indian courts and regulatory authorities have reinforced that due diligence is not just policy on paper—it must be backed by practice and evidence.
In previous cyber litigation, courts have ruled:
- Having a cybersecurity policy without employee enforcement is insufficient
- Ignoring known vulnerabilities or delaying patching constitutes negligence
- Absence of breach reporting systems reflects lack of governance
9. Best Practices to Maintain Legal Compliance Through Due Diligence
- Map all data flows and classify personal data
- Review and update cybersecurity policies every 6–12 months
- Establish board-level oversight on cybersecurity and data protection
- Maintain incident logs, training records, and compliance dashboards
- Include cybersecurity due diligence in M&A or vendor onboarding
- Subscribe to threat intelligence services and CERT-In alerts
- Stay updated with evolving laws and frameworks (e.g., DPDPA rules)
Conclusion
Cybersecurity due diligence is not a one-time exercise—it is a continuous, documented process that demonstrates a company’s commitment to legal compliance, customer trust, and operational resilience. In India, the IT Act and DPDPA, backed by sectoral regulations, make it mandatory to prove the adoption of reasonable security practices and show evidence of consistent effort.
Failure to demonstrate due diligence not only invites financial and legal penalties but also erodes brand trust and investor confidence. Conversely, companies that maintain a strong, documented cybersecurity program can minimize liability, protect their reputation, and navigate legal challenges more effectively.
In summary, in the eyes of the law, cybersecurity is not just a technical obligation—it is a governance responsibility that demands proactive, continuous, and demonstrable due diligence.