Data breach costs in India hit ₹22 cr in FY25, CISOs need proactive strategies

The financial impact of data breaches in India has been escalating significantly, reflecting broader global trends and the growing complexity of cyber threats. 

IBM’s 2024 Cost of a Data Breach Report, released on Thursday, shows that the average cost of a data breach in India reached an all-time high of around ₹22 crore in 2025, which is about 13% higher than last year, when the average cost per data breach reached ₹19.5 crore.

The report, based on analysis of nearly 6,500 breaches over 20 years, flags a growing gap between the pace of artificial intelligence (AI) adoption and the implementation of adequate security and governance measures to protect AI systems. That said, while AI-related breaches are still relatively few, the findings suggest that unregulated AI systems are becoming an attractive target for cybercriminals.

“India’s accelerating AI adoption brings immense opportunity, but it’s also exposing enterprises to new and complex cyber threats,” said Viswanath Ramaswamy, Vice President, Technology, IBM India & South Asia. “The absence of access controls and AI governance tools is not just a technical oversight; it’s a strategic vulnerability.”

IBM’s study found that nearly 60% of Indian organisations that experienced a breach either had no AI governance policies in place or were still developing them. Only 37% had implemented AI access controls. Alarmingly, among the few with governance policies, just 34% actually use AI-specific governance technology, it said.

In India, the primary attack vectors for data breaches were phishing (18%), third-party vendor and supply chain compromises (17%), and vulnerability exploitation (13%). The average breach lifecycle in India decreased to a record low of 263 days, a 15-day improvement from 2024, due to faster identification by more experienced organisations. 

The research sector experienced the highest data breach costs, averaging ₹28.9 cr, followed by transportation (₹28.8 cr) and industrial sectors (₹26.4 cr). Despite data showing that AI and security automation can significantly reduce data breach costs, 73% of organisations surveyed reported limited or no use of these technologies.

The consequences of data breaches go well beyond direct financial losses, impacting an organisation’s operations, reputation, and long-term sustainability. While the cost of a data breach can be difficult to quantify, with an increasing number of organisations experiencing attacks and exposures, the financial impact is becoming increasingly evident.

Almost 60% of organisations experiencing breaches lack a fully implemented AI governance policy. Among those with policies, only 34% utilise AI governance technology. Shadow AI significantly contributes to breach costs, adding ₹1.7 cr on average in India, yet only 42% of organisations have policies to manage or detect it. Ramaswamy said that in such a scenario, CISOs must act decisively – embedding trust, transparency, and governance into AI systems by design. 

To be sure, a CISO report released on Thursday, which polled security experts from January–June 2025, also reveals that Indian firms are facing rising risks from misconfigurations, vulnerabilities, and unremediated custom applications.

The report, published by security consulting firm Infopercept and based on insights from 500 CISOs, found that 84% of Indian CISOs lack full visibility into their threat exposures, including misconfigurations, unpatched systems, unprotected applications, and human risk. Furthermore, only 19% have a mature threat management program or a comprehensive set of strategies and practices designed to identify, assess, and mitigate potential risks to an organisation's systems, data, and operations.

Satyakam Acharya, Director of Exposure Management at Infopercept, said, “The problem is not just the growing number of exposures, but also how unclear ownership, disconnected tools, and manual processes delay remediation. Attackers are exploiting these weak links faster than ever.”

These exposures, according to the research, represent vulnerabilities that organisations are failing to adequately address. Unlike traditional threat intelligence reports, this report focuses on internal vulnerabilities stemming from fragmented remediation, unclear ownership, and misaligned priorities.

The research reports and recent studies emphasise that CISOs and boards need proactive strategies for mitigating cybersecurity risk, which is now a boardroom priority demanding organisation-wide collaboration and strong leadership. CISOs are central to this shift, bridging technology, strategy, and compliance. By implementing robust frameworks and cultivating accountability and the right culture, CISOs can enhance organisational resilience and security posture.

