ICICI Lombard’s WhatsApp Slip Will Test SEBI’s Resolve

A WhatsApp status leak at ICICI Lombard raises hard questions on UPSI discipline, draft disclosures, and how serious SEBI is about enforcement.

By Krishnadevan V

Krishnadevan is Editorial Director at BasisPoint Insight. He has worked in the equity markets, and been a journalist at ET, AFX News, Reuters TV and Cogencis.

January 13, 2026 at 4:13 AM IST

An insurance company built on pricing risk has just mispriced its own. ICICI Lombard General Insurance Company’s draft October–December results briefly appeared on the personal WhatsApp Status of a designated person. When Unpublished Price Sensitive Information is treated like a display picture, the question is not whether the regulator should act, but whether it can afford not to. 

The unaudited, draft financial results were posted on a personal WhatsApp Status and deleted within an hour. The company informed the stock exchanges the following day, promising an internal inquiry under SEBI regulations. The disclosure said that the numbers were only draft, that they were quickly deleted, and that the breach was promptly disclosed as a matter of good governance. What it does not say is how many people saw the status, or what exactly they saw. 

Even draft numbers can be directionally price sensitive for an insurance stock. Growth rates, loss ratios and combined ratios signal financial health long before auditors sign off. A WhatsApp Status is not a one-to-one message. It is a curated broadcast, potentially visible to hundreds of contacts at once. Any guess how ICICI Lombard would act if a claim were lodged against a Director Risk policy underwritten by it for a similar “inadvertent” act?

SEBI defines a “designated person” as someone with regular access to UPSI, who signs annual compliance undertakings, sits through mandatory training, and knows that every draft result, every board presentation and every management discussion note remains UPSI until it is put out in the public domain. Any breach by such a person speaks less of ignorance and more of a casual culture around information that moves markets.

The modern workplace complicates compliance in ways regulations did not anticipate. Designated persons now carry market‑moving information on devices that ping constantly with messages, notifications and status updates. WhatsApp was built for casual communication, yet companies continue to allow its use without the guardrails that banks and brokerages apply to their trading floors. When attention is fragmented and tools are designed for sharing rather than securing, treating every breach as pure negligence misses the deeper governance gap.

If SEBI wants to restore deterrence, ICICI Lombard’s case is a good place to start. It should trace who could view the status, reconstruct viewing and sharing patterns as far as device forensics allow, and examine whether any of those contacts, or their related entities, traded in the days ahead of the leak. It should also compare the leaked draft with the final board-approved results. If the numbers were close, the scope for abuse is obvious. If they were materially different, the company’s control over drafts looks even weaker than the leak itself suggests.

The second step is to relook at the penalty framework. Flat, modest fines do little to change behaviour for people who control information in companies worth billions. A meaningful reset would mean proportionately higher minimum penalties for designated persons in UPSI breaches, linked to market capitalisation or the implied price impact had the information been public. It would also mean mandatory cooling-off bans from compliance, secretarial and finance roles when such breaches occur. In white-collar misconduct, reputational and career consequences often deter more effectively than monetary penalties.

The most important fix, however, lies in technology and culture. Allowing designated persons to carry price-sensitive documents on personal phones should no longer be acceptable. The regulator can raise the floor by insisting on mobile phone management tools for insiders, tighter rules on the use of personal social media features for anything related to UPSI, and periodic certifications backed by surprise audits of how sensitive data is stored and shared. SEBI should plainly say, in a circular, that social media “accidents” will not be treated as exculpatory.

ICICI Lombard’s leak is not extraordinary, and that is why it matters. SEBI can treat this as another footnote in a long list of WhatsApp mishaps, or use it to align penalties, processes and expectations with the way information actually moves. Meaningful penalties and mandatory digital discipline will resonate through boardrooms. A modest fine and business as usual would do little to convince markets that information discipline is being taken seriously.