The Information Technology Act of 2000 and the National Cyber Security Policy of 2013, among others, are examples of decades-old legislative architecture that cannot serve as the basis for India’s digital revolution.
Cybersecurity threats are currently the biggest threat to Indian national security, according to National Cyber Security Coordinator Rajesh Pant. He emphasized the importance of establishing and upholding good cyber hygiene.
This is wise advice, especially in light of the recent cyber-hacking incident involving the website of the online insurance broker Policybazaar. The possibility of “failure of cybersecurity measures” to protect governmental, commercial, and household cybersecurity infrastructure is predicted to be a significant global risk for a number of nation-states and industries over the course of the next ten years by the World Economic Forum’s Global Risks Report 2022.
The extensive adoption of digital technology has enhanced interconnection across numerous locations, markets, and industries as well as the probability of cyberattacks on both Indian citizens and business entities. More than 2.12 lakh cybersecurity events were reported to India’s official cybersecurity body CERT-In as of February 2022. CERT-In managed more than 14 lakh cyber incidents in total in 2021.
Given that the coronavirus has moved the majority of business activity online, corporations are undoubtedly just as susceptible to interruptions brought on by cyberattacks as individuals. According to the 2022 Thales Data Threat Report: Asia-Pacific, which questioned public and private companies across a range of industries, 32% of respondents reported having experienced a security breach in the previous year.
Leverage board governance to address cybersecurity risks
It is critical to define the role and responsibilities of the board of directors (the “Board”) of Indian corporate entities, both private and public, for the effective governance of cybersecurity risks, particularly ransomware, at a time when the sophistication of cyberattacks against India is at an all-time high. India does not currently have any specific cybersecurity laws. Furthermore, the current National Cyber Security Policy 2013’s content on the fiduciary duty of boards to ensure cyber readiness is generally laconic. It is essential to refer to and rely on the established traditional legal instruments in order to understand the function of boards in the post-pandemic age given the relative lack of hard law requirements directly directing domestic actors.
Section 166 of the Companies Act 2013 (India) offers much-needed direction on this subject at this point. It, among other things, imposes legal obligations on corporate boards to use due and reasonable care, skill, diligence, and independent judgment in order to advance the goals of the business in a way that is consistent with the broader public interest. The so-called “business judgment rule” in Australia and the United States, which assumes that boards owe a duty of care to the corporation, is somewhat similar to this. Therefore, it follows that the management and mitigation of cyber hazards fall under the purview of the board as a whole. India needs to take a multifaceted, organized approach to board governance of cybersecurity concerns. The three measures listed below can, at the very least, provide Indian boards’ efforts in cybersecurity some general direction. Modify behavioral aspects of cybersecurity risk management
The first step is to convince boards to conceptualize and address cybersecurity as a “strategic enterprise-wide risk” rather than just an “IT issue.” A positive cybersecurity culture will develop within organizations as a result of this change in perspective. In this situation, boards will need to take the initiative in creating clear and detailed cyber-related objectives and overseeing the organization’s cyber risk management strategies. In light of this shifting paradigm, boards must now make sure that every member of the organization—from the board to the management and staff—is appropriately informed and equipped to perform their individual roles in sustaining cybersecurity standards within organizations.
Additionally, it is hoped that by placing more focus on sustainable compliance awareness, sufficient board time will be set aside for discussions on cyber hazards, keeping in mind the organization’s vulnerability to financial and legal risk.
Avoiding a zero-tolerance attitude toward cyber hazards is another recommended behavioral modification. Practically speaking, businesses need to understand that it is impossible to completely eliminate cyber dangers. A zero-tolerance policy poses the danger of limiting digital innovation in any organization that uses it. The establishment of a “tolerance threshold” for cyber hazards that has board approval is more beneficial for any organization. Such a declaration of risk appetite can be customized to the needs of the organization and may be based on a number of peculiarities unique to that organization (such as size, industry, involvement in vital infrastructure, etc.).
Ensure adequate financial investment
Second, historically, an organization’s IT budget and cybersecurity budget were frequently combined. No jurisdiction currently mandates that corporate organizations set aside a specified budget for undertaking cybersecurity activities. Businesses of a certain size and those engaged in specific industries (such as the banking and finance sectors) would be wise to set aside a specific portion of their annual operating budget as an investment in cybersecurity measures. Accordingly, the organization’s internal regulations may be used to establish a budgeting mechanism for requesting additional cybersecurity resources, such as money or personnel. Next, with adequate financial support in place, corporations would do well to concentrate on two areas: investment in technology and investment in human resources.
On the human resources front, it is crucial to regularly teach organization workers on pertinent cybersecurity and digital skills through briefings, training sessions, workshops, e-learning modules, and director-education programs. One must, however, keep expectations in check because it is unclear how receptive the various boards’ old guard will be to these measures. On the technological front, it is urgently necessary to update or replace out-of-date software security and aging IT infrastructure. In order to boost the effectiveness of security operations and assure adherence to the organization’s information security policy, boards may also think about investing in automated technology.
Bring in expertise on boards
Third, involving individuals with the necessary skills in oversight duties on boards or pertinent committees may help to create the correct “tone at the top.” Expert engagement can take many different forms, such as hiring board members with relevant cybersecurity, privacy, consumer law, or IT expertise, hiring external experts on an as-needed or retainer basis, asking technical experts to create a customized cyber risk management plan, or asking external auditors for their expert opinion if internal audit’s coverage, skills, capacity, and capabilities are insufficient. The draught Cybersecurity Disclosure Act 2021 of the USA is an intriguing move in this regard because it mandates that publicly traded corporations report to investors whether their board of directors has cybersecurity expertise or experience, and if not, why.
To be fair though, while there is cross-border agreement that external experts should be consulted on cybersecurity-related issues, there are significant variances in how much each jurisdiction envisions this involvement. It is crucial to remember that for every country, such as the USA, that is amenable to having specialists serve on boards, there are many more that take a more cautious stance. Additionally, the significant global shortage of cybersecurity personnel with the necessary skills prevents boards from collaborating with experts. This is especially true for underdeveloped nations like India where it may be challenging to get professionals because the field of cybersecurity is still in its infancy.
Moving ahead: Challenges and opportunities
In conclusion, even if there is still more to be done, India would do well to actively put the aforementioned interventions into practice in the near future to prevent cyber mishaps.
It is also important to remember that India cannot build its digital transformation on top of decades-old regulatory frameworks like the Information Technology Act of 2000, the National Cyber Security Policy of 2013, etc. In contrast, neither random executive-ordered laws nor new CERT-In directives requiring all organizations to disclose cyber incidents within six hours can be seen as adequate replacements for longer-lasting fixes.
India needs to enact a unified cybersecurity law that sets the country’s minimum requirements for cyber compliance and puts its cyber sovereignty in jeopardy. Such a measure will ensure that Indians who live a digital lifestyle do not end up falling between the cracks of an insufficient legal system, which at the moment does not take into account the altering reality of a quickly evolving digital landscape.
