Saturday, September 6, 2025

IS MATERIAL INCIDENT HAPPENTING IN A LISTED COMPANY IS TO BE REPORTED TO STOCK EXCHANGES ?

 IS MATERIAL INCIDENT HAPPENTING IN A

LISTED COMPANY IS TO BE REPORTED

TO STOCK EXCHANGES ?  



IHCL (THE INDIAN HOTELS COMPANY LIMITED) RECENT

INTIMATION TO STOCK EXCHANGE ABOUT CYBER

INCIDENTS. 


INCREASING CYBER SECURITY INCIDENTS IN INDIA 
 

India’s rapid digitalization — from UPI payments to cloud-based enterprise systems — has created a fertile ground for innovation, efficiency, and financial inclusion. However, this same interconnected ecosystem has also widened the attack surface for cybercriminals. CERT-In reported a record number of cyber incidents in 2024, ranging from ransomware targeting financial institutions to malware infiltrations in manufacturing and service companies. 

 

THE RECENT IHCL MALWARE INCIDENT  

 

The recent IHCL (The Indian Hotels Company Limited) malware disclosure is a stark reminder of this reality. On September 4, 2025, IHCL formally notified the stock exchanges that it had detected a malware incident affecting select IT systems. Immediate containment measures were taken, relevant authorities were informed, and the company emphasized that business operations continued as usual. 

 

DISCLOSURE OF CYBERSECURITY INCIDENTS BY LISTED


ENTITIES TO STOCK EXCHANGES 


 

SEBI’s regulation (LODR Reg. 27(2)(ba)) has raised the baseline for disclosure of cybersecurity incidents by listed entities. 

 

When a listed entity faces an incident of IT security breach by hackers, it may fall under material events that require disclosure to the stock exchanges (NSE/BSE) under SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (SEBI LODR). 

 

SEBI Circular dated July 13, 2023 (Enhanced Disclosure Requirements): Tightened disclosure for cyber security breaches, especially for market infrastructure institutions, but principles extend to listed companies as well. 

MATERIALITY TEST 

The company must evaluate whether the breach is material by considering: 

  • Impact on business operations (downtime, inability to serve customers). 


  • Compromise of sensitive financial / customer data. 

  • Financial loss or exposure to regulatory penalties. 


  • Reputational damage or litigation risk. 

If material → immediate disclosure is mandatory. 

TIMELINE FOR DISCLOSURE 

  • Immediate disclosure (within 24 hours) from the occurrence of the breach. 


  • Any delay must be explained to the exchange. 

EARLIER INCIDENT OF CYBER SECURITY REPORTING BY

LISTED COMPANIES TO STOCK EXCHANGES 

 



While companies like Sun Pharma, Polycab, Max Financial,

and Star Health have followed transparent reporting channels, others like Motilal Oswal and Air India present more ambiguous disclosure patterns. 

 

CONSEQUENCES OF NON-DISCLOSURE 

  • Penal action under SEBI LODR. 


  • Reputational harm due to delayed or incomplete communication. 


  • Investor lawsuits for withholding material information. 

 

CONCLUDING THOUGHTS  

 

A listed company must promptly report any material


IT/cyber security breach to the stock exchanges with clear


disclosure of impact, actions, and future course of action.

 

 

R V SECKAR, FCS , LLB 79047 19295 

 


 

 


No comments:

Post a Comment