As part of the government’s push to strengthen oversight of artificial intelligence (AI) across Corporate India, company boards might soon have to formally disclose their exposure to AI and digital risks under new reporting obligations.
According to an official familiar with the discussions, the ministry of corporate affairs (MCA) might expand the disclosure requirements under the Companies Act to ensure that boards take bigger responsibility for AI-related risks such as data privacy, algorithmic bias, IP infringement, operational disruptions and cybersecurity vulnerabilities. “The timing is right for AI-related risks to be part of board-level disclosures, considering the increasing integration of AI into business operations,” the official said.
The move comes as the government aims to strengthen corporate governance norms amid the surge in AI adoption across sectors. The official noted that these disclosures could come in the form of an ‘AI & digital risk statement’ as part of the board’s report. “These may not initially emerge as standalone disclosures, and could instead evolve as an expansion of the existing cybersecurity and digital risk disclosure framework,” he said.
Strengthening Statutory Base
Currently, under Section 134(3) of the Companies Act, 2013, companies are mandated to attach a Board of Directors’ report to their financial statements. The report must include a statement on the company’s risk management policy, including identification and mitigation of risk factors that could impact the company’s existence. Similarly, the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 require top listed companies to constitute a risk management committee whose responsibility is to oversee cybersecurity and digital threats in addition to other risks.
The move builds on the MCA’s purported introduction of an AI Risk Disclosure Format (AIRDF), a disclosure requirement within board reports, wherein companies have to disclose details of AI tools used in critical business decision-making, including their purpose, scope, vendors, associated risks and mitigation measures.
Experts said that a certain class of companies is already required to disclose risk management details and form risk management committees as part of their corporate governance. “It’s likely that the government could modify the existing disclosure requirements on risk mitigation mechanism through amendments in the relevant Rules under the Companies Act,” said Lokesh Dhyani, partner at Aekom Legal.
Corporate Readiness Deficit
The proposal comes at a time when domestic firms are rapidly integrating AI tools and machine learning (ML) into their business operations. There are growing concerns that large-scale deployment of AI systems could expose companies to different kinds of vulnerabilities, and therefore, there’s a need for a new board-level reporting mechanism that treats AI and digital risks at par with financial, operational and environmental risks.
“AI-related risks strategically affect businesses today, and the board of every company has to understand, mitigate and report these risks. I think these risks are a necessary part of the board’s report,” said Vinod Kothari, managing partner at Vinod Kothari & Company.
Some experts, however, point to the low level of preparedness among Indian boardrooms to tackle such fresh requirements. “The broader objective appears to be strengthening board accountability in relation to technology-driven risks. Possible areas of disclosure could include AI governance policies, internal controls, human oversight mechanisms, cybersecurity preparedness, bias and error monitoring and data privacy safeguards. But are Indian boards really prepared to step up their internal controls and ensure proper risk mitigation?” said Ruhi Jain, executive director at CMS INDUSLAW.
