
Digital Governance in the Age of AI

By Institute of Directors | Authored by Dr. Shalini Rahul Tiwari


What Boards Must Know and Do about Cyber and Data Risk

Introduction

In today's business world, the question is no longer whether digital technologies will transform businesses but how they will do it. Technologies such as Artificial Intelligence (AI), Big Data, cloud services, and Internet of Things (IoT) ecosystems enhance the operational efficiency and decision-making of businesses. However, adoption of such technologies has also resulted in increased cybersecurity breaches, failures to protect data, algorithmic biases and regulatory non-compliance. Broadly, there are 2 kinds of risks associated with the adoption of digital technologies: data privacy and cybersecurity. Yet, the complexity of these risks is bound to increase as technology (such as AI) becomes available to people at large. Increasingly, all such issues have moved under the board's purview, thereby making 'Digital Governance' a strategic imperative and not just a business risk.

Impact of digital risks on firms

The World Economic Forum (WEF) report (2024) estimates that by 2030, digitalisation will add more than $100 trillion to the global economy, thereby creating immense opportunities for business innovation and growth. Yet, each technology infusion exposes businesses to various kinds of technology risks such as cyber-attacks, data breaches, etc.

Indian firms faced more than 22.68 lakh cybersecurity related incidents in 2024.

A report by Check Point, a cybersecurity firm, estimated that an average organisation faced more than 1,200 cyberattacks weekly in 2024, which was a 38% increase over the previous year. India was among the top 5 countries experiencing the most attacks.

A report by IBM said that the average data breach in India resulted in a loss of INR 17.9 crores in 2024, an increase of 28% over 2023. And this is just the beginning of the story for firms embracing digitalisation!

Financial losses due to cyber frauds increased by 206% in 2024 to reach INR 22845 crores.

Cyber-attacks on Indian firms are increasing by 46% year on year with firms facing almost 3200 attacks in a week. The most vulnerable sectors for such attacks are healthcare (21.8%), hospitality (19.6%), and banking and financial services (17.4%).

Though there have been hundreds of organisations affected by digitalisation risks, some of the well-known cases cited below show that digital risk is no longer an operational threat; rather, it has become a business risk with strategic implications.

The All India Institute of Medical Sciences (AIIMS), Delhi faced a ransomware attack in 2022 that disrupted health care services for weeks. The attack led to exposure of critical data: patient records, research data and administrative information. The attack was staged by the ransomware gang LockBit, which locked the servers for 6 days and demanded a ransom of INR 200 crores to restore them. Investigations revealed lapses in system patching, outdated software and insufficient backup protocols.

In another incident, a hacker named 'xenZen' gained access to 7.24 terabytes of data of the Star Health Insurance company. The hacker issued death threats and sent extortion notices to hundreds of individuals. The threat was disseminated through Telegram chatbots and other websites that were accessing patient and customer data.

Wazir X, a cryptocurrency firm, also experienced a cyberattack on its wallet infrastructure. Hackers discovered flaws in the smart contract execution and manipulated wallet permissions to execute unauthorised withdrawals. This attack was carried out by the Lazarus group, a North Korea-based firm. Trading was halted for several hours as the platform operations were disrupted.

Apart from these, there have been digital hacks and attacks on banks, stock exchanges, government organisations, etc., causing disruptions and loss of reputation and goodwill, besides a dip in revenues through loss of business.

So, what can the corporate boards do?

Normally, the boards have a mix of financial, legal and operational expertise among the board members. Now, the board members must be digitally literate i.e., have the ability to understand and question digital, cyber, data and AI strategies being adopted by the firms. Thus, the boards need to have open and clear discussions about the digital technologies that are being used by the firms, their merits and demerits, and all possible consequences. The boards can adopt the 5-point framework by CCCAiD to ensure that the companies are resilient and immune to digital attacks. The five-point framework is explained below:

a. Capacity Building – It is imperative that the board members undergo digital literacy programs and equip themselves with a basic understanding of technologies being used in business such as AI, Blockchain, Big Data, 5G, etc. The companies can insist that the board members be certified and have specific technical skills to assess the digital needs of the company and provide risk analysis.

b. Culture – The board should encourage the management to allow the employees to experiment and develop their own insights about the use of technologies. The management should be instructed to enable a collaborative culture among the departments to support digital initiatives, and the boards should ensure that the company carries out 'digital drills' and 'simulations' to ensure coordination and learning.

c. Cybersecurity – Since every company does business using the internet in some form or the other, it is necessary that the company gets itself assessed for cybersecurity threats. In addition to the measures already taken, the boards can recommend that measures such as MTTD (Mean Time To Detect), MTTR (Mean Time To Respond) and MTTR (Mean Time To Recover) be incorporated in the performance dashboards.

d. AI governance – Boards must acknowledge the strategic importance of AI adoption. They should insist on having an agenda item in the board meetings to understand and discuss the adoption of AI in business operations or transformation. The boards must also insist on the formation of an AI ethics committee to oversee the fairness, usability and accountability of AI usage in the company.

e. Data Privacy – The boards must ask the company to align itself with the DPDP Act, 2023 (Digital Personal Data Protection Act, 2023). The boards should also assess the overall data governance framework of the company to ensure that security measures such as encryption and access controls are robust. The company should be asked to conduct regular employee training on data privacy and the changing regulations. Also, regular audits must be carried out to assess potential threats.

Apart from these measures, the boards are increasingly demanding the appointment of a Chief Digital Officer, a Data Protection Officer, or a Chief Digital Risk Officer to monitor and co-ordinate cross-functional risk assessment and report the findings to the board.

Conclusion

As digitalisation in businesses is growing at an unprecedented rate, governance is becoming more complex. Board members cannot be expected to remain mere spectators; rather, digital governance will soon become the core of corporate stewardship. Every director will need to ask: 'Do I understand the digital risk faced by my company? And what can I do to make the company more resilient?' The IOD's 2024 theme becomes highly pertinent now: “Good governance is not about avoiding risk, but managing it with integrity and intelligence.” By taking ownership of digital governance, boards can steer their organisations not only through disruption, but into the next phase of value creation, safely, ethically and sustainably.

Author


Dr. Shalini Rahul Tiwari

She is an Associate Editor with the Emerald Emerging Markets Case Studies and a highly active trainer and facilitator, having delivered training programmes for leading organisations including Reckitt Benckiser, Maruti Suzuki, True Value, Coca-Cola India, GMR - Delhi Airport Authority of India, The Times of India, Amdocs, Airports Authority of India, Hero MotoCorp, Indian Postal Academy, upGrad, Jaro Education, and ImaginXP, among others. She also serves as a strategic advisor to a private equity firm, where she mentors startups, and is an Independent Director at Intec Capital Ltd. and Magnum Ventures Ltd.

Owned by: Institute of Directors, India

Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.

About Publisher

  • IOD Blogs

    Institute of Directors India

    Bringing a Silent Revolution through the Boardroom

    Institute of Directors (IOD) is an apex national association of Corporate Directors under India's 'Societies Registration Act XXI of 1860'. Currently it is associated with over 31,000 senior executives from Govt, PSU and Private organizations of India and abroad.
