Recently, the National Cyber Security Coordinator Rajesh Pant highlighted cybersecurity threats as the biggest risk to Indian national security. He also underlined the need to develop and maintain cyber hygiene. This is sage advice, seeing as it comes close on the heels of the latest cyber hacking incident on online insurance broker Policybazaar. The World Economic Forum’s Global Risks Report 2022 projects that the possibility of ‘failure of cybersecurity measures’ to protect government, business and household cybersecurity infrastructure will be a significant global risk for several nation-states and industries over the next decade.
Besides, the growing interconnectedness among multiple geographies, markets and sectors due to widespread digitisation has also increased the likelihood of cyberattacks on Indian individuals and corporate entities alike. As of February 2022, India’s nodal cybersecurity agency CERT-In has witnessed more than 2.12 lakh cybersecurity incidents. In 2021, CERT-In handled more than 14 lakh cyber incidents cumulatively. To be sure, corporate entities are just as vulnerable as individuals to disruptions resulting from cyberattacks, seeing how coronavirus has pushed most business activities online. The 2022 Thales Data Threat Report: Asia-Pacific, which surveyed public and private enterprises in multiple sectors, reported that half of the respondents experienced a security breach at some point, and of these, 32 per cent experienced a breach in the last 12 months.
Leverage board governance to address cybersecurity risks
With sophisticated cyberattacks on India at an all-time high, it is crucial to delineate the role and responsibilities of the board of directors (‘board’) of Indian corporate entities, both private and public, for the effective governance of cybersecurity risks, particularly ransomware. At present, India lacks a dedicated cybersecurity legislation. Furthermore, the extant National Cyber Security Policy 2013 is characteristically laconic on the fiduciary obligation of boards to ensure cyber readiness. Considering the relative absence of hard law obligations directly governing domestic actors, it becomes imperative to refer to and rely on the traditional legal instruments in place to decode the role of boards in post-pandemic times.
At this juncture, Section 166 of the Companies Act 2013 (India) provides much-needed guidance on this matter. Inter alia, it makes corporate boards statutorily duty-bound to exercise due and reasonable care, skill and diligence, and independent judgment so as to promote the objects of the company consistent with the larger public interest. This is somewhat akin to the so-called ‘business judgement rule’ in Australia and the USA, which presumes that boards owe a duty of care to the corporation. It is, therefore, axiomatic that the board as a whole bears responsibility for the management and mitigation of cyber threats. For effective board governance of cybersecurity risks, India must undertake a multi-pronged approach in a structured manner. For starters, the three interventions detailed below can broadly provide direction to the cybersecurity efforts of Indian boards.
Modify behavioural aspects of cybersecurity risk management
First, boards should be encouraged to conceptualise and approach cybersecurity as a ‘strategic enterprise-wide risk’ and not merely an ‘IT risk’. Such a shift in outlook towards cybersecurity will help engender a positive cybersecurity culture within organisations. Herein, boards will need to take the lead in setting clear and specific cyber-related objectives and providing oversight of cyber risk management measures for the organisation. In this changing paradigm, boards will henceforth need to ensure that the entire organisation, from the board to its management and employees, is informed and trained in a way that makes everyone adequately adept to play their respective parts in upholding cybersecurity standards within the organisation. Furthermore, the hope is also that increased emphasis on sustainable compliance awareness will lead to adequate board time being allocated to discussions around cyber risks, keeping in mind the organisation’s financial and legal risk exposure.
Another desirable behavioural change is to eschew a zero-tolerance approach to cyber risks. Practically speaking, organisations need to appreciate that cyber risks cannot be avoided altogether. Any organisation that adheres to a zero-tolerance approach runs the risk of stifling digital innovation. More profitable for any organisation is the creation of a board-approved ‘tolerance threshold’ for cyber risks. Such a risk appetite statement can be tailored to the needs of the organisation and may be informed by a variety of peculiarities specific to that organisation (such as its size, sector, role in critical infrastructure, etc.).
Ensure adequate financial investment
Second, traditionally an organisation’s cybersecurity budget was frequently clubbed together with the IT budget. At present, no jurisdiction requires corporate entities to mandatorily earmark a specific budget for implementing cybersecurity initiatives. Companies of a particular size and those operating in certain sectors (such as the financial and banking sectors) will be well-advised to reserve a particular percentage of their annual organisation budget as an intended investment in cybersecurity measures. Correspondingly, a budgeting process for requisitioning additional cybersecurity funds or staff may be set up via the internal regulations of the organisation. Next, with sufficient financial backing in place, corporates will do well to focus on two heads: investment in human resources and investment in technology.
On the human resources front, regular training of organisation personnel through briefings, training sessions, workshops, e-learning modules, and director-education programmes in relevant cybersecurity and digital skills is essential. However, one needs to manage one’s expectations, since it is anyone’s guess how amenable the old guard of various boards will be to these initiatives. On the technological front, the need of the hour is to update or replace legacy IT infrastructure and outdated security software. Boards may also consider investing in automated technology to increase the efficacy of security operations and ensure compliance with the information security policy of the organisation.
Bring in expertise on boards
Third, engaging personnel with relevant expertise to assist with oversight responsibilities on boards or relevant committees may help to set the right ‘tone at the top’. Expert engagement can take many forms, such as recruiting board members with relevant cybersecurity/privacy/consumer law/IT expertise, engaging external experts on an ad-hoc or retainer basis, requiring technical experts to formulate a bespoke cyber risk management plan, seeking the expert opinion of external auditors if internal audit’s coverage, skills, capacity and capabilities are insufficient, etc. An interesting development on this front is the draft Cybersecurity Disclosure Act 2021 of the USA, which requires publicly traded companies to mandatorily disclose to investors whether they have cybersecurity expertise or experience on their board of directors, and if not, to explain its absence.
Nevertheless, to be fair, while there is inter-jurisdictional consensus on engaging external experts on cybersecurity-related matters, this cross-border consensus is marked by stark differences in the degree to which such engagement is envisioned in each jurisdiction. It is important to note that for each jurisdiction like the USA which is open to engaging experts on boards, there are many more that adopt a more conservative approach. Moreover, a major obstacle hindering boards from working with experts is the severe global paucity of cybersecurity professionals with the requisite expertise. This is more so for developing countries like India, where access to experts may be difficult since the field of cybersecurity is still fledgling.
Moving ahead: Challenges and opportunities
In conclusion, while much remains to be done, in the short term India will do well to diligently implement the aforementioned interventions to keep cyber incidents at bay. It is also pertinent to note that India’s digital transformation cannot be fashioned on the foundations of decades-old legal infrastructure like the Information Technology Act 2000, National Cyber Security Policy 2013, etc. Per contra, neither can sporadic law-making by executive fiat (like the recent CERT-In directions mandating all organisations to report cyber incidents within six hours) be considered a satisfactory substitute for more permanent solutions.
With its cyber sovereignty at stake, it is high time that India brought in a uniform cybersecurity law that clearly and comprehensively outlines baseline cyber compliance benchmarks for the country. Such a move will ensure that the digital inhabitants of India do not find themselves falling through the cracks of an inadequate legal infrastructure which, at present, does not cater to the shifting realities of a rapidly changing digital landscape.
The writer is with the National Law School of India University, Bangalore. Views expressed are personal.