Cyber attacks, AI misuse and data privacy rules emerge as top boardroom risks for India Inc

Cybersecurity breaches, weak governance around artificial intelligence (AI) and rising scrutiny under India’s data-protection regime have emerged as some of the most pressing risks facing Indian businesses, according to the FICCI–EY Risk Survey 2026 released on 8 February.

The survey found that 61% of respondents identified cyber-attacks and data breaches as posing “significant financial and reputational risks” to their organisations, underscoring how digital risk has moved from an IT concern to a board-level priority.

“Cyber risk poses a direct threat to operations, revenue and trust and cyber readiness is central to business continuity and confidence,” the report noted, warning that ransomware, phishing and attacks on critical infrastructure are rising in scale and sophistication.

The survey also flagged growing concern over the rapid infusion of AI across business operations, particularly where governance and controls are weak. Around 60% of senior executives said inadequate adoption of emerging technologies, including AI, was negatively impacting operational effectiveness.

At the same time, more than 54% of respondents said AI-related risks, including ethical concerns, were not being effectively managed within their organisations, the report said.

“AI risk is now a core business risk and not merely a technology issue,” the survey said, highlighting threats such as hallucinations, data poisoning, model drift, deepfakes and so-called shadow AI, where employees use public AI tools for sensitive work without oversight.

The report warned that agentic AI systems, which can take autonomous actions with limited human intervention, introduce fresh legal and compliance ambiguity when contracts, payments or decisions are executed without approvals.

Cyber and AI risks are being compounded by tighter regulatory oversight, particularly around data protection. The survey showed that 56% of respondents flagged increasing scrutiny around data privacy as a major risk, while 67% said frequent regulatory changes required urgent attention from management and boards.

Strengthening data-protection regimes such as India’s Digital Personal Data Protection (DPDP) Act is pushing companies to rethink governance, internal controls and third-party oversight, the report said.

“Regulatory and compliance risk is a core business challenge and not a formality,” the survey noted, adding that weak governance or delayed compliance could trigger financial penalties, reputational damage and loss of investor confidence.

Taken together, the findings point to a rapidly converging risk landscape, where cyber threats, AI governance failures and data-privacy lapses can cascade into operational disruption and long-term credibility risks.

“Managing risk now requires integrated, enterprise-wide approaches that connect strategy, operations and governance,” the report said, urging Indian companies to move beyond siloed controls as digital dependence deepens.