Regulation gives structure and voice to security leaders: Darshan Chavan, CISO, Canara Robeco Asset Management Company

In an era where technology defines competitiveness, the financial services industry stands at the crossroads of innovation and risk. For Darshan Chavan, Chief Information Security Officer at Canara Robeco Asset Management Company, cybersecurity is no longer about checking regulatory boxes — it’s about embedding resilience into the organisation’s DNA.

“Many organisations still think that regulations are supposed to be a checklist,” he observes. “But when the regulator introduces new norms, there’s deeper reasoning behind it. Regulations exist to protect you from one aspect of risk — but true cyber resilience begins when you understand your own business, processes, and standard operating procedures, and align your controls accordingly.”

For Chavan, this is the essence of proactive cybersecurity — going beyond compliance to anticipate and neutralise threats. “Controls are just a preventive approach,” he explains. “You have to be proactive — dig deep into every single process, ensure it’s covered, and remember that hackers are constantly evolving. You have to be smarter.”

Beyond compliance: Building a culture of privacy

As India moves closer to enforcing the Digital Personal Data Protection (DPDP) Act, organisations are gearing up for a new era of accountability. But Chavan points out that responsible data management should not wait for regulation to take effect.

“The DPDP Act will soon be a reality, but the core principles of data privacy have existed for years,” he says. “We’ve had frameworks like the EU’s GDPR or Singapore’s privacy laws to guide us. The time to act was yesterday — and the next best time is now.”

He believes many enterprises underestimate the depth and complexity of privacy governance. “A lot of businesses think that cybersecurity professionals are also privacy officers — but that’s not the case,” Chavan cautions. “Privacy involves a significant legal dimension — understanding how data flows across systems, how it’s stored, where it resides, and who accesses it. Technology is just 20% of the story; the remaining 80% lies in compliance, vendor management, and policy design.”

He advocates for organisations to build dual leadership in privacy and security — with specialised experts driving each domain. “It’s not a single-person job anymore,” he emphasises. “A privacy officer has a much broader role than a cybersecurity expert, and both functions must work in tandem.”

The first step, he says, is data assessment — understanding what data the enterprise holds, its sensitivity, and associated risks. “You need data audits, data assessments, and data risk frameworks in place,” Chavan adds. “Many organisations still miss this foundational step.”

AI and GenAI: Promise meets prudence

Artificial Intelligence (AI) and its latest evolution, Generative AI (GenAI), are reshaping the way financial institutions analyse data, engage customers, and streamline operations. Yet Chavan remains pragmatic about its current maturity.

“GenAI is still evolving — it’s not yet integrated deeply into most businesses,” he explains. “There’s a lot of excitement, but also a lot of misunderstanding about how machine learning or large language models truly work.”

For him, responsible adoption begins with understanding the business framework. “Before integrating AI, I would first analyse the business architecture,” he says. “Only after creating a proper database and understanding process dependencies would I begin gradual integration — step by step, in areas like management information systems or back-office automation. Going haphazardly would be a mistake.”

Chavan’s cautious optimism reflects a broader sentiment in the financial services community: that AI’s power must be balanced with governance. He warns that risks such as data poisoning, model manipulation, or unauthorised data exposure will require new kinds of defence. “You can’t defend what you don’t understand,” he notes. “AI risk management must be as dynamic as the technology itself.”

The hidden risk: Third-party and vendor dependence

In an increasingly outsourced technology ecosystem, third-party and vendor risk has become one of the most critical blind spots in cybersecurity. Chavan points out that many organisations wrongly assume that outsourcing a service also transfers the associated risk.

“When you outsource something, you don’t outsource the risk,” he asserts. “The regulator has made this very clear — the accountability stays with the organisation. For us, investor trust matters more than anything else.”

At Canara Robeco, vendor due diligence is a deeply ingrained process. “Whenever we onboard a vendor, we conduct detailed diligence — understanding whether their systems are cloud-based, localised within geographical boundaries, how they manage data privacy and IT security,” Chavan says. “These may be uncomfortable questions for vendors, but it’s our job to ask them.”

He underscores the importance of embedding security clauses within legal agreements. “Contracts must clearly define privacy and cybersecurity obligations,” he advises. “Vendor management is not just about onboarding; it’s also about monitoring, classifying vendors by criticality, and having clear exit strategies.”

According to him, regulators are increasingly scrutinising both outsourcing partners and financial institutions, holding both accountable for data breaches or operational lapses. “It doesn’t reflect well on anyone when such incidents reach the media or public domain,” he warns. “It’s always better to be careful than sorry.”

The regulatory push and the rise of the cybersecurity voice

Chavan has witnessed a remarkable shift over the past decade in how businesses view cybersecurity. “When I started my career in 2008, cybersecurity was rarely part of boardroom discussions,” he recalls. “Today, the conversation is much louder — not in noise, but in significance.”

The increased visibility of cybersecurity, he says, has given CISOs a strategic voice. “Frequent regulatory updates, data breaches in the news, and rising public awareness have made organisations realise that cybersecurity is fundamental to business continuity,” he explains. “Every organisation now understands that to operate in a fast-evolving digital landscape, you need a cybersecurity leader with authority — and frameworks, regulations, and policies that are implemented and accepted by the business.”

He views cybersecurity guidelines — whether from SEBI, RBI, or other regulatory bodies — as empowering rather than restrictive. “Regulation gives structure and voice to security leaders,” he says. “It ensures that cybersecurity is treated not as a cost centre but as a core enabler of business trust.”

Prioritising investor trust in a digital world

When asked about his top priorities for the coming years, Chavan’s response is immediate and deeply personal. “For me, investors come first,” he says firmly. “Business comes later.”

He believes data privacy is inseparable from investor confidence. “Privacy is personal — it’s about protecting not just business data, but the trust that investors place in us,” he explains. “Before I even think about any project roadmap, I focus on strengthening privacy technologies — data masking, data randomisation, encryption, and anonymisation.”

While he acknowledges that the DPDP Act will help formalise this journey, he refuses to wait for regulation to act. “I’m not waiting for the law to push me,” he says. “Tomorrow, investors will start asking how we manage their data, how we protect their bank account numbers, and how we ensure confidentiality. I want to be ready before those questions arise.”
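Two of the privacy technologies Chavan lists above, masking and pseudonymisation, applied to the kind of investor field he mentions (a bank account number), as an added illustration that is not code from the article or from Canara Robeco. The records, the field names, the key and the "last four characters" display rule are all constructed assumptions for the demo; a real deployment would take the key from a KMS or HSM and apply the organisation's own data classification.

```python
import hashlib
import hmac

# Constructed demo key. In production the key lives in a KMS/HSM and is
# rotated under a documented policy; it must never sit in source control.
DEMO_KEY = b"demo-only-key-not-for-production"

# Assumed field names that must never leave the system of record in clear.
SENSITIVE_FIELDS = ("bank_account", "pan")

# Constructed sample investor records (fictitious values, assumed schema).
SAMPLE_RECORDS = [
    {"folio": "F1001", "name": "Investor A", "bank_account": "123456789012", "pan": "ABCDE1234F"},
    {"folio": "F1002", "name": "Investor B", "bank_account": "123456789012", "pan": "FGHIJ5678K"},
]


def mask(value: str, keep: int = 4) -> str:
    """Display masking: replace everything but the last `keep` characters with X.
    Used where a person needs to confirm a record (support desk, statements)
    without seeing the full identifier."""
    if len(value) <= keep:
        return "X" * len(value)
    return "X" * (len(value) - keep) + value[-keep:]


def pseudonymise(value: str, key: bytes = DEMO_KEY) -> str:
    """Keyed, deterministic tokenisation with HMAC-SHA256.
    Same value + same key -> same token, so joins and de-duplication still work
    in analytics copies; without the key the token cannot be reversed, and a
    dataset tokenised under a different key cannot be linked to this one."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def analytics_view(record: dict, key: bytes = DEMO_KEY) -> dict:
    """Copy of a record for MIS/analytics: sensitive fields tokenised, the rest unchanged."""
    return {
        field: pseudonymise(value, key) if field in SENSITIVE_FIELDS else value
        for field, value in record.items()
    }


def support_view(record: dict) -> dict:
    """Copy of a record for a support screen: sensitive fields masked for display."""
    return {
        field: mask(value) if field in SENSITIVE_FIELDS else value
        for field, value in record.items()
    }


def leaks_cleartext(view: dict, record: dict) -> bool:
    """Control check: does any sensitive cleartext value survive into the view?
    Run this on every export path; True is a finding, not a warning."""
    return any(record[f] in str(v) for f in SENSITIVE_FIELDS for v in view.values())


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print("analytics:", analytics_view(rec))
        print("support:  ", support_view(rec))
```

The two views serve different consumers: the analytics copy keeps records joinable (both sample records share an account and therefore share a token) while removing the ability to recover the number, and the support copy keeps only what a human needs to confirm identity. `leaks_cleartext` is the kind of check an auditor would ask for on each export path.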

Beyond data privacy, Chavan highlights network defence and layered security as ongoing imperatives. “Security is about layers,” he says. “Every layer — network, application, endpoint, data — must be protected. With new technologies like GenAI and AI-driven automation, complexity is increasing, so we must evolve our defences continuously.”

He envisions a multi-year cybersecurity roadmap, extending beyond immediate threats. “Every cybersecurity professional should plan at least three to five years ahead,” Chavan concludes. “Build your roadmap, align it with business strategy, and start working on it now.”

A new era of cyber accountability

As the conversation draws to a close, one message stands out: in Chavan’s world, cybersecurity is not an IT function — it’s a business imperative. Regulations may set the baseline, but resilience is built on foresight, accountability, and an unrelenting focus on trust.

“The regulator has done its job by emphasising cyber safety,” he reflects. “Now it’s up to us — the cybersecurity professionals — to go beyond checklists, understand our business inside out, and protect what matters most: our investors, our data, and our reputation.”
