
As the world grapples with rampant cyberattacks, policymakers in the region have toughened their data security measures, and business compliance is crucial

Several pieces of legislation, rules and sector-specific regulations govern India’s legal, regulatory and institutional framework for cybersecurity, promoting the maintenance of security standards, defining cybercrimes and requiring incident reporting.

Overview

The Information Technology (IT) Act, 2000, is the primary legislation dealing with
cybersecurity, data protection and cybercrime.

Its key features are:

Granting statutory recognition and protection to electronic transactions and communications;
Aiming to safeguard electronic data, information and records;
Aiming to prevent unauthorised or unlawful use of computer systems; and
Identifying activities such as hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft as punishable offences.

Rules and regulations framed under the IT Act regulate different aspects of cybersecurity as follows:

The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (2013 rules) established the Indian Computer Emergency Response Team (CERT-In) as the administrative agency responsible for collecting, analysing and disseminating information on cybersecurity incidents, and for taking emergency response measures. These rules also place obligations on intermediaries and service providers to report cybersecurity incidents to the CERT-In.

The Directions on information security practices, procedure, prevention, response and reporting of cyber incidents for a safe and trusted internet, issued in 2022 by the CERT-In, add to and modify the existing cybersecurity incident reporting obligations under the 2013 rules.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) require companies that process, collect, store or transfer sensitive personal data or information to implement reasonable security practices and procedures.

The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 require intermediaries to implement reasonable security practices and procedures to secure their computer resources and information in order to maintain safe harbour protections. Intermediaries are also mandated to report cybersecurity incidents to the CERT-In.

The Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018 oblige companies that have protected systems – as defined under the IT Act – to put in place specific information security measures.

Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which punishes offences committed in cyberspace (such as defamation, cheating, criminal intimidation and obscenity), and the Companies (Management and Administration) Rules 2014, which require companies to ensure that electronic records and systems are secure from unauthorised access and tampering. There are also sector-specific rules issued by regulators and agencies, including the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, the Department of Telecommunications, the Securities Exchange Board of India and the National Health Authority of India, among others, which mandate cybersecurity standards to be maintained by their regulated entities.

Cybersecurity of critical information infrastructure (CII) – defined as any computer resource whose incapacitation or destruction can have a debilitating impact on national security, the economy, public health or safety – is regulated by guidelines issued by the National Critical Information Infrastructure Protection Centre (NCIIPC).

Under the IT Act, the government may notify any computer resource that affects the
facility of CII to be a protected system, prescribing cybersecurity obligations for
companies handling protected systems. Designated CII sectors include transport,
telecoms, banking and finance, power, energy and e-governance. Within these
sectors, the appropriate authority can notify certain computer systems as protected
systems. Sectoral regulators and agencies, including the Central Electricity
Authority, have also formulated rules and guidelines on cybersecurity and CII.

Institutional Framework

Since cybersecurity is a cross-cutting issue, India has a complex inter-ministerial and inter-departmental institutional framework for cybersecurity, with several ministries, departments and agencies performing key functions. For instance, the Ministry for Electronics and Information Technology (MeitY) deals with policy relating to IT, electronics and the internet, including cyber laws. It set up the CERT-In as the nodal agency for co-ordinating and handling cyber incident response activities.

The Ministry of Home Affairs looks after internal security, including cybersecurity. For this purpose, it has set up the cyber and information security division, comprising a cybercrime wing, a cybersecurity wing and a monitoring unit. To combat cybercrime, it also established the Indian Cyber Crime Co-ordination Centre in 2018. The NCIIPC, the nodal agency for CII, is set up under the National Security Adviser. The National Cyber Security Co-ordinator is the nodal officer for cybersecurity, functioning under the Prime Minister’s Office and co-ordinating with various agencies at the federal level.

Security Measures

At the federal level, the IT Act places security obligations on organisations handling sensitive personal data. These are laid out in the SPDI rules, which require companies to institute managerial, technical, operational and physical security control measures. The rules also reference the ISO/IEC 27001 international standard on information security management, with body corporates subject to audit checks by an independent government-approved auditor at least once a year, or whenever they significantly upgrade their processes and computer resources.

Sectoral regulators and nodal agencies also prescribe security measures. The
Reserve Bank of India prescribes standards for banks, including setting a mechanism
for dealing with and reporting incidents, cyber crisis management, and arrangements
for continuous surveillance of systems and the protection of customer information.
It also mandates banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards.

A similar framework is applicable to non-banking finance companies. The Securities Exchange Board of India requires stock exchanges, depositories and clearing corporations to follow standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.

Cyber Incident Reporting

The 2013 rules require organisations to report incidents to the CERT-In within a reasonable time. Incidents include denial-of-service attacks, phishing and ransomware incidents, website defacements, and targeted scanning of networks or websites.

In April 2022, the CERT-In issued a new directive modifying obligations under the 2013 rules, including requirements to report cybersecurity incidents within six hours, to sync system clocks to the time provided by government servers, to maintain security logs in India, and to store additional customer information. The IT Rules 2021 also require intermediaries to notify the CERT-In of security breaches as part of their due diligence obligations.

Various sector-specific reporting obligations also apply. For instance, in the financial services sector, every bank is required to report incidents within two to six hours of detection. Similarly, insurance companies must report cybersecurity incidents to the Insurance Regulatory and Development Authority within 48 hours of detection. Telecom licensees are required to establish a facility for monitoring intrusions, attacks and frauds on their technical facilities, and to provide reports of such incidents to the Department of Telecommunications.

Cybercrimes

Traditional criminal acts such as theft, fraud, forgery, defamation and mischief – all of which are covered under the Indian Penal Code, 1860 – may also amount to cybercrimes. The IT Act addresses modern offences such as tampering, hacking, publishing obscene information, unauthorised access to protected systems, breach of confidentiality and privacy, and publishing false digital signature certificates. Sending threatening or defamatory messages by email, forgery of electronic records, cyber fraud, email spoofing, web-jacking and email abuse are also punishable offences.

Future Path

The federal government, through the National Cyber Security Co-ordinator, is formulating a new national cybersecurity strategy. This aims to address certain gaps in India’s cybersecurity framework and enhance the country’s overall cybersecurity posture.

The government is also considering revamping the IT Act to align with advances in the global and domestic digital and technology environment. This may change the existing framework for cybercrime, incident reporting, and security measures and standards.
