Friday, November 22, 2024

Cybersecurity and Indian laws

India remains one of the world’s most vulnerable jurisdictions for cyberattacks, with more than 3,000 attacks per week being faced by Indian companies. Governments and cyber infrastructure remain a prime target of attacks. What are the guardrails, if any?

By Vikram Jeet Singh and Kalindhi Bhatia

In the modern online world, a cyberattack is inevitable. The question is not if, but when, and how. While the Information Technology Act, 2000, defines cybersecurity, it does not set up an IT sector regulator. India’s nodal agency for dealing with cyber threats is the India Computer Emergency Response Team, or CERT-In, which has been tasked with addressing and supporting measures against cyberattacks. CERT-In has been empowered by a set of 2013 rules, later revised in 2022, that enables it to ask for details of cyberattacks from affected parties in India. In addition to coordinating cyber responses, CERT-In is also tasked with issuing guidelines and vulnerability advisories on IT security.

In addition to CERT-In rules, there are also sectoral regulations on cybersecurity that are overseen by various sectoral regulators. The Reserve Bank of India has had longstanding guidance on Cyber Security Framework in Banks that requires licensed banks to share information on cyberattacks with the regulator. The securities market regulator, SEBI, has also recently come up with a new cyber security and cyber resilience framework, prescribing standards for incident management, incident response, and also proactive measures such as ID management, authentication, and access control measures to be implemented. Similar rules and standards on cybersecurity are also prescribed by Indian telecom, insurance, and other sectoral regulators.

Indian law requires cyber incidents to be reported to CERT-In. A new set of rules from 2022 mandates that all entities report cyber security incidents to CERT-In within six hours of the relevant organisation “noticing” such incidents. The list of reportable cyber security incidents was also expanded to include unauthorized access of IT systems/data, compromise of critical systems, data breach, identity theft and phishing, malicious malware affecting cloud computing systems, software(s) related to big data, block chain, virtual assets, drones; cyber threats/attacks to social media accounts, payment systems, and on IoT devices.

Sectoral laws such as banking laws also require cybersecurity incidents to be reported to the relevant regulator. This leads to entities in India being made to report to, and deal with, multiple government agencies for a single cyber incident. The situation is set to become more complex with the forthcoming Digital Personal Data Protection Act, 2023, that requires reporting of personal data breaches to the Data Protection Board. This requirement is in addition to those under other laws.

There is no overarching set of “minimum” security standards that apply to all IT systems in India. A set of privacy rules dating back to 2011 suggests that entities handling personally identifiable data and information adhere to ISO-27001 standards for security. Again, sectoral regulators in India may require additional compliances based on the sector and the “industry standard”. For example, there are regulations requiring Indian banks to abide by the PCI-DSS framework for card security. The SEBI rules also require audit by auditors who are certified in standards such as CISA or ISC.

In 2024, India’s new criminal code, the Bharatiya Nyaya Sanhita, 2023, replaced the Indian Penal Code, 1860. This new law refers to “cybercrime” as a part of “organised crime” (Section 111). That said, the term “cybercrime” itself is not defined in the new code. What may be more effectual is that the new code applies to any offence committed by any person in any place within and beyond India targeting a computer resource located in India [Section 1(5)(c)]. In addition, cybersecurity incidents also continue to be covered under heads such as theft, extortion, and criminal conspiracy. 

In addition, the venerable Information Technology Act, 2000, also penalizes “computer related offences”, including receiving stolen computer goods, violation of privacy, and “cyber terrorism”. These offences are typically policed by “cyber cells” of various jurisdictional police departments in India. But even such penal provisions have not deterred offences such as phishing, etc., from occurring in India, pointing to an issue with enforcement.

Indian regulations on cybersecurity are often vague on technical standards, perhaps understandably so. Technology is constantly evolving and there is no “right answer” for a country like India when it comes to the vexed question of cyberattacks. That said, private players in India are required to comply with “adequate” security standards without a minimum guidance level being provided. In the banking, telecom and critical infrastructure sectors, a little more guidance is provided, but this is still in the nature of broad level guidance and not mandatory minimum standards.

The other “gap” in the cybersecurity framework is the lack of any enforcement by an agency that has “teeth”. While CERT-In can in theory levy fines for non-reporting, it almost never does so. There is then, in practice, no downside to a private entity forgoing its reporting obligations to CERT-In. There is also a downside to only relying on “one-way” legal requirements, such as incident reporting, and this may lead to a culture of entities “filling out” the required forms without focusing on creating an effective governance framework for the future.

India’s rapid digitisation has led to increased dependence on critical IT infrastructure, and the security and resilience of such infrastructure remains central to India’s future growth plans. The emergence of Artificial Intelligence (AI) and machine learning (ML) has the potential to supercharge the cybersecurity conversation. 

As the World Economic Forum’s cybersecurity report notes, AI and ML are double-edged swords for cybersecurity. Barring the European Union, which has just enacted an AI governance law, there is a lack of clarity on how governments will ensure that AI and ML are used as “force multipliers” in support of cybersecurity, and not against it.

One way to view this fight is that there is no one “silver bullet” solution. Cybersecurity is a holistic pursuit in which a number of solutions and models should work collaboratively to achieve common goals. The need of the hour is to align regulatory guidance with organizational priorities and individual training. Educating relevant stakeholders about cybersecurity practices would be a big part of any regulatory framework. Cybersecurity compliance will need to be internalized into organizations and individuals, such that it does not remain a mere “check box” exercise, but also encompasses measures that encourage a culture of IT security in India. 

—The writers are partners, BTG Advaya
