IS MATERIAL INCIDENT HAPPENTING IN A
LISTED COMPANY IS TO BE REPORTED
TO STOCK EXCHANGES ?
IHCL (THE INDIAN HOTELS COMPANY LIMITED) RECENT
INTIMATION TO STOCK EXCHANGE ABOUT CYBER
INCIDENTS.
INCREASING CYBER SECURITY INCIDENTS IN INDIA
India’s rapid digitalization — from UPI payments to cloud-based enterprise systems — has created a fertile ground for innovation, efficiency, and financial inclusion. However, this same interconnected ecosystem has also widened the attack surface for cybercriminals. CERT-In reported a record number of cyber incidents in 2024, ranging from ransomware targeting financial institutions to malware infiltrations in manufacturing and service companies.
THE RECENT IHCL MALWARE INCIDENT
The recent IHCL (The Indian Hotels Company Limited) malware disclosure is a stark reminder of this reality. On September 4, 2025, IHCL formally notified the stock exchanges that it had detected a malware incident affecting select IT systems. Immediate containment measures were taken, relevant authorities were informed, and the company emphasized that business operations continued as usual.
DISCLOSURE OF CYBERSECURITY INCIDENTS BY LISTED
ENTITIES TO STOCK EXCHANGES
SEBI’s regulation (LODR Reg. 27(2)(ba)) has raised the baseline for disclosure of cybersecurity incidents by listed entities.
When a listed entity faces an incident of IT security breach by hackers, it may fall under material events that require disclosure to the stock exchanges (NSE/BSE) under SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (SEBI LODR).
SEBI Circular dated July 13, 2023 (Enhanced Disclosure Requirements): Tightened disclosure for cyber security breaches, especially for market infrastructure institutions, but principles extend to listed companies as well.
MATERIALITY TEST
The company must evaluate whether the breach is material by considering:
Impact on business operations (downtime, inability to serve customers).
Compromise of sensitive financial / customer data.
Financial loss or exposure to regulatory penalties.
Reputational damage or litigation risk.
If material → immediate disclosure is mandatory.
TIMELINE FOR DISCLOSURE
Immediate disclosure (within 24 hours) from the occurrence of the breach.
Any delay must be explained to the exchange.
EARLIER INCIDENT OF CYBER SECURITY REPORTING BY
LISTED COMPANIES TO STOCK EXCHANGES
While companies like Sun Pharma, Polycab, Max Financial,
and Star Health have followed transparent reporting channels, others like Motilal Oswal and Air India present more ambiguous disclosure patterns.
CONSEQUENCES OF NON-DISCLOSURE
Penal action under SEBI LODR.
Reputational harm due to delayed or incomplete communication.
Investor lawsuits for withholding material information.
CONCLUDING THOUGHTS
A listed company must promptly report any material
IT/cyber security breach to the stock exchanges with clear
disclosure of impact, actions, and future course of action.
R V SECKAR, FCS , LLB 79047 19295