Why Leadership Transitions in Fintech Signal Broader Security Risks for Indian SMBs
What Happened
Mohit Bedi, cofounder and Chief Business Officer of fintech startup Kiwi, recently stepped down from his executive position citing personal reasons. While leadership transitions are common in the startup ecosystem, this particular move raises important questions about governance, operational continuity, and—most critically—data security during periods of organizational instability.
Kiwi, a fintech platform operating in India's competitive payment and lending space, now faces the challenge of maintaining business continuity while ensuring that sensitive customer financial data remains protected. Leadership departures in financial services companies create a window of vulnerability: reduced oversight, unclear accountability chains, and potential gaps in security protocols that bad actors can exploit.
This transition reflects a broader pattern across Indian startups—when key executives leave, security often becomes an afterthought in the rush to stabilize operations.
Why This Matters for Indian Businesses
If you're running an Indian SMB—whether in fintech, healthcare, e-commerce, or SaaS—leadership transitions should trigger an immediate security audit, not just a management reshuffle.
The DPDP Act Connection: Under India's Digital Personal Data Protection (DPDP) Act, 2023, every organization handling customer data is responsible for maintaining security standards. A leadership vacuum doesn't exempt you from compliance. The absence of clear accountability during transitions can increase your liability if a breach occurs.
CERT-In's 6-Hour Mandate: CERT-In's April 2022 directions require covered cyber incidents to be reported within 6 hours of noticing them. During leadership transitions, communication channels often break down, so an incident can sit unreported past that window and invite regulatory penalties.
RBI Guidelines for Fintech: If you operate in fintech (like Kiwi), the Reserve Bank of India's cybersecurity framework mandates continuous oversight of data access, third-party integrations, and employee privileges. When a CBO leaves, who's reviewing logs? These questions often go unanswered.
The SMB Reality: In large organizations, when one executive leaves, five others ensure continuity. Indian SMBs rarely have this luxury. A single departure can create a security blind spot for weeks or months.
Technical Breakdown: How Leadership Transitions Create Security Gaps
```mermaid
graph TD
A["Executive Departure"] -->|Reduced Oversight| B["Unmonitored Access"]
B -->|No Access Reviews| C["Dormant Credentials Active"]
C -->|Insider Risk| D["Data Exfiltration"]
A -->|Unclear Accountability| E["Delayed Incident Detection"]
E -->|Missed CERT-In Window| F["Regulatory Penalty"]
A -->|Process Gaps| G["Third-Party Access Unreviewed"]
G -->|Supply Chain Risk| H["Lateral Movement"]
style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
style D fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style F fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
style H fill:#5f1e1e,stroke:#EF4444,color:#e2e8f0
```
1. Unrevoked Access Credentials
When an executive leaves, their system access often remains active for days or weeks. Departing employees can retain:
- Database admin credentials
- Email forwarding rules still active
- VPN access to production systems
- API keys embedded in old scripts
2. Unmonitored Data Access
During leadership transitions, no one is reviewing access logs. This creates a window where bulk data exports go unnoticed, unusual login patterns aren't flagged, and third-party integrations continue pulling data without oversight.
3. Broken Incident Response Chain
Most Indian SMBs have incident response procedures that rely on specific people. When those people leave:
- Alert escalation chains break
- Security team doesn't know who to report to
- CERT-In notification delays exceed the 6-hour window
4. Third-Party and Vendor Risks
A departing executive often had relationships with vendors, payment processors, or data integration partners. Without proper handoff, access credentials shared with vendors remain active and API integrations continue operating with outdated permissions.
```sql
-- Quick audit (MySQL syntax). user_accounts is the application's own user table.
-- This finds accounts nobody has used for 30 days that are still ACTIVE; it will
-- NOT catch a departed user who keeps logging in, so also match the HR departure roster.
SELECT username, last_login, account_status
FROM user_accounts
WHERE account_status = 'ACTIVE'
  AND (last_login IS NULL OR last_login < DATE_SUB(NOW(), INTERVAL 30 DAY))
ORDER BY last_login;
-- Lock the MySQL login itself (MySQL 5.7.6+). LOCK rather than DROP keeps the grants
-- and history for the investigation. ACCOUNT LOCK only blocks new logins, so also
-- find and KILL any session the account still holds:
ALTER USER 'departed_executive'@'localhost' ACCOUNT LOCK;
SELECT id, user, host FROM information_schema.processlist WHERE user = 'departed_executive';
-- then run KILL <id>; for each row returned
```
How to Protect Your Business During Leadership Transitions
Pre-Departure Security Checklist
| Security Layer | Action | Difficulty |
|---|---|---|
| Access Control | Audit all active credentials and access tokens for the departing executive | Medium |
| Email & Communication | Disable email forwarding, remove from distribution lists, archive mailbox | Easy |
| Cloud Platforms | Revoke AWS/GCP/Azure console access, API keys, and service accounts | Medium |
| Database Access | Disable database user accounts, remove from admin groups | Medium |
| VPN & Network | Revoke VPN credentials, disable remote access, check SSH keys | Easy |
| Third-Party Tools | Audit and disable access to Salesforce, payment gateways, analytics platforms | Hard |
| Documentation | Document all systems accessed, create handoff notes for successor | Medium |
| Audit Logging | Enable enhanced logging for 30 days post-departure | Easy |
| Incident Response | Update escalation contacts, brief new leadership on procedures | Easy |
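As an added example (not the article's or Bachao.AI's code) covering the Access Control, Cloud Platforms and VPN & Network rows above and the "API keys embedded in old scripts" point earlier: a Python sweep over a checked-out repository tree and any authorized_keys files it contains. It flags AWS access key IDs and generic api_key/secret/token assignments, and authorized_keys entries whose trailing comment names the departed user. The directory layout, file contents and regexes are constructed assumptions; matching by key comment is a heuristic, so confirm each SSH hit by comparing fingerprints against the user's known public keys before removing the line.

```python
"""Offboarding credential sweep: embedded API keys in scripts plus SSH keys
left in authorized_keys. Added example, not from the original article; the
sample tree, file contents and patterns below are constructed assumptions."""
import re
import tempfile
from pathlib import Path

# AWS access key IDs are 'AKIA' followed by 16 uppercase alphanumerics.
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Generic 'api_key = "..."' / 'secret: ...' / 'token=...' with a 16+ char value.
# Deliberately loose: this is triage, not a replacement for a real secret scanner.
GENERIC_SECRET = re.compile(
    r"(?i)(api[_-]?key|secret|token)\s*[=:]\s*['\"]?([A-Za-z0-9_\-]{16,})"
)


def build_sample_tree():
    """Create a constructed repo checkout in a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="offboard_"))
    files = {
        "scripts/sync.sh": "#!/bin/sh\nexport AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "config/payments.py": 'PAYMENT_API_KEY = "pg_live_0123456789abcdefXYZ"  # TODO rotate\n'
                              "TIMEOUT_SECONDS = 30\n",
        "README.md": "Set PAYMENT_API_KEY in the environment; never commit it.\n",
        "home/deploy/.ssh/authorized_keys": (
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleDeployKey deploy@ci\n"
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExecKey departed_executive@laptop\n"
            'from="10.0.0.5" ssh-rsa AAAAB3NzaC1yc2EExampleAnalystKey analyst1@desk\n'
        ),
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


def find_embedded_keys(root):
    """(relative path, line number) for lines that look like hard-coded credentials."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name == "authorized_keys":
            continue
        text = path.read_text(errors="ignore")
        for lineno, line in enumerate(text.splitlines(), 1):
            if AWS_KEY_ID.search(line) or GENERIC_SECRET.search(line):
                hits.append((path.relative_to(root).as_posix(), lineno))
    return hits


def find_authorized_keys_for(root, user):
    """authorized_keys lines whose trailing comment names the user.
    Options such as from="..." may precede the key type, so the comment is
    taken as the last whitespace-separated field, never a fixed column."""
    root = Path(root)
    hits = []
    for path in root.rglob("authorized_keys"):
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            fields = line.split()
            if len(fields) >= 3 and user in fields[-1]:
                hits.append((path.relative_to(root).as_posix(), lineno))
    return hits


def sweep(root, user):
    """Run both checks and return the findings keyed by type."""
    return {
        "embedded_keys": find_embedded_keys(root),
        "ssh_keys": find_authorized_keys_for(root, user),
    }


if __name__ == "__main__":
    sample = build_sample_tree()
    for kind, hits in sweep(sample, "departed_executive").items():
        print(f"== {kind} ==")
        for rel, lineno in hits:
            print(f"  {rel}:{lineno}")
```

Run it against a real checkout by calling sweep("/path/to/repo", "login.name"); every embedded-key hit should be rotated at the issuing provider, not just deleted from the file, because the value is already in git history.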
Immediate Actions (Day 1)
```bash
#!/bin/bash
# Day-1 checks for an executive departure. Read-only except step 5, which adds an
# audit rule. Run as root on every host the person could reach; pass the login name.
set -u
USER_NAME="${1:-departed_executive}"

# 1. Live sessions on this host
echo "=== Active sessions for $USER_NAME ==="
w -h | awk -v u="$USER_NAME" '$1 == u'

# 2. SSH keys installed for the account (authorized_keys survives a password reset)
echo "=== SSH authorized_keys ==="
home_dir=$(getent passwd "$USER_NAME" | cut -d: -f6)
[ -n "$home_dir" ] && cat "$home_dir/.ssh/authorized_keys" 2>/dev/null

# 3. Database login status (prompts for the MySQL root password)
echo "=== Database user status ==="
mysql -u root -p -e "SELECT user, host, account_locked FROM mysql.user WHERE user='$USER_NAME';"

# 4. AWS IAM: attached policies, access keys, and whether console login is enabled
echo "=== AWS IAM user ==="
aws iam list-attached-user-policies --user-name "$USER_NAME"
aws iam list-access-keys --user-name "$USER_NAME"
aws iam get-login-profile --user-name "$USER_NAME"

# 5. Start watching the sensitive data path. This adds an auditd rule for future
#    access (r included so reads, i.e. exfiltration, are logged, not just writes);
#    it does not show past access. Review later with: ausearch -k sensitive_data_access
echo "=== Enabling auditd watch ==="
auditctl -w /data/sensitive/ -p rwa -k sensitive_data_access
auditctl -l | grep sensitive_data_access
```
Post-Departure Monitoring (30-90 Days)
Week 1-2:
- Monitor all data access logs for anomalies
- Check for unusual API calls or database queries
- Review email forwarding and shared drive access
- Audit third-party integrations and vendor access
- Review payment processor logs for suspicious transactions
- Check cloud storage for unauthorized downloads
- Conduct a full VAPT assessment
- Review access control policies and update them based on lessons learned
- Implement automated access reviews to prevent this in the future
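The checks described under "Unmonitored Data Access" and in the monitoring list above, as an added example that is not code from the original article or from Kiwi or Bachao.AI: a small Python script that reads an access log and a departure roster and flags (a) any activity by a departed user after their last working day, (b) bulk exports above a threshold, including by third-party service accounts, and (c) off-hours logins. The log format, field names, roster, thresholds and sample lines are all constructed for the example; adapt parse_log to your own export format.

```python
"""Flag post-departure account activity, bulk exports and off-hours logins.

Added example (not code from the original article or from Kiwi/Bachao.AI).
The roster, the line-based log format and the thresholds are constructed
assumptions for the example.
"""
from datetime import date, datetime

# Constructed roster: login name -> last working day (assumed to come from HR).
DEPARTED = {
    "departed_executive": date(2025, 1, 31),
}

# Constructed log lines: "<ISO timestamp> <user> <action> <rows_touched>"
SAMPLE_LOG = """\
2025-01-30T10:15:00 departed_executive LOGIN 0
2025-01-30T10:20:00 departed_executive QUERY 120
2025-02-03T02:41:00 departed_executive LOGIN 0
2025-02-03T02:45:00 departed_executive EXPORT 48000
2025-02-03T09:00:00 analyst1 QUERY 350
2025-02-03T09:30:00 analyst1 EXPORT 900
2025-02-04T03:10:00 svc_vendor_sync EXPORT 75000
"""

BULK_ROWS = 10_000        # assumed threshold for a "bulk" export
OFF_HOURS = range(0, 6)   # assumed off-hours window: 00:00 to 05:59


def parse_log(text):
    """Parse the constructed four-field log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, rows = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "action": action,
            "rows": int(rows),
        })
    return events


def find_post_departure_activity(events, departed=DEPARTED):
    """Any event by a departed user strictly after their last working day.
    A single hit here means the account was never revoked."""
    return [e for e in events
            if e["user"] in departed and e["ts"].date() > departed[e["user"]]]


def find_bulk_exports(events, threshold=BULK_ROWS):
    """Exports at or above the threshold, regardless of who ran them.
    Service accounts for vendor integrations show up here too."""
    return [e for e in events if e["action"] == "EXPORT" and e["rows"] >= threshold]


def find_off_hours_logins(events, window=OFF_HOURS):
    """Logins inside the off-hours window; cheap signal for credential misuse."""
    return [e for e in events if e["action"] == "LOGIN" and e["ts"].hour in window]


def build_report(text=SAMPLE_LOG):
    """Run all three checks over a log export and return the hits by category."""
    events = parse_log(text)
    return {
        "post_departure": find_post_departure_activity(events),
        "bulk_exports": find_bulk_exports(events),
        "off_hours_logins": find_off_hours_logins(events),
    }


if __name__ == "__main__":
    for kind, hits in build_report().items():
        print(f"== {kind}: {len(hits)} ==")
        for e in hits:
            print(f"  {e['ts'].isoformat()} {e['user']} {e['action']} rows={e['rows']}")
```

Run daily for the full 90-day window by feeding build_report the previous day's log export; the post_departure list should always be empty, and anything in it is an incident, not a cleanup item.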
How Bachao.AI Detects These Risks
Bachao.AI by Dhisattva AI Pvt Ltd was built to catch the governance gaps that Indian SMBs miss during leadership transitions. The platform's VAPT scan discovers dormant credentials, unmonitored access points, and weak access control configurations that emerge during leadership changes. Cloud security audits check AWS/GCP/Azure environments for overprivileged accounts and unreviewed service accounts. API security scanning identifies keys and tokens embedded in code repositories that belonged to departed executives.
For DPDP compliance, Bachao.AI audits access control and data governance policies including proper offboarding procedures—and provides 24/7 incident response support if a departing executive has already exfiltrated data, handling CERT-In notification within the 6-hour window.
Real-World Example: What I've Seen
One SaaS startup had a departing VP of Operations who still retained access months after leaving:
- Customer database access (never revoked)
- AWS console credentials (password never changed)
- Slack admin privileges (never removed)
- SSH keys on the production server (never rotated)
Key Takeaways
- Leadership transitions create a 30-90 day vulnerability window. Treat them as security incidents, not just HR events.
- DPDP Act and CERT-In compliance require continuous oversight. A departing executive doesn't exempt you from your obligations.
- Automate access reviews. Don't rely on manual checklists.
- Monitor for 90 days post-departure. Insider threats don't always happen immediately.
- Update your incident response plan. Ensure your team knows who to escalate to when an executive leaves.
Frequently Asked Questions
Q: What's the legal liability if a departing employee accesses data after their last day? A: Unauthorized access to a computer system is an offense under the IT Act, 2000 (sections 43 and 66), so the former employee is personally exposed. That does not clear the organization: under the DPDP Act, 2023 the Data Fiduciary must maintain reasonable security safeguards, and an account that was never revoked is evidence that it did not. CERT-In likewise expects to see that access controls were maintained; failure to revoke is treated as a security failure, not just an HR failure.
Q: How quickly should we revoke access when an executive resigns? A: On the day of resignation announcement, not the last working day. Privileged access (admin consoles, database access, payment gateway dashboards) should be revoked immediately and transferred to another authorized person. General access (email, internal tools) can be managed through the notice period with enhanced monitoring.
Q: We use Google Workspace. How do we quickly audit a departed executive's access? A: In the Admin console, open Reporting → Audit and investigation and run the Drive log events and User log events reports filtered to that user. Suspend the account immediately rather than deleting it (suspension preserves the mailbox and Drive for investigation), transfer Drive ownership to a successor, and check the user's Gmail forwarding and filter settings. For OAuth apps the user authorized, open Users → the user → Security → Connected applications and revoke the tokens there; Security → API controls shows third-party app access across the whole tenant.
Q: Does the DPDP Act require us to notify affected users if a departing employee accessed their data? A: Yes, if the access amounts to a personal data breach. The DPDP Act requires the Data Fiduciary to notify the Data Protection Board of India and each affected data principal; the 6-hour report to CERT-In is a separate obligation under the CERT-In directions issued under the IT Act, and both clocks run at the same time. Consult legal counsel immediately if you confirm unauthorized access by a departed employee.
Protect your business with Bachao.AI — India's automated vulnerability assessment and penetration testing platform. Get a comprehensive security scan of your web applications and infrastructure. Visit Bachao.AI to get started.
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow on LinkedIn for daily cybersecurity insights for Indian businesses.