Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

In addition to minimum statutory cybersecurity standards, various regulatory bodies have advised businesses to adopt more robust measures in areas of cybersecurity. For example, the Ministry of Communication and Information Technology released the National Cyber Security Policy in 2013, which recommended creating a secure cyber ecosystem, strengthening laws and creating mechanisms for the early warning of security threats, vulnerability management and the response to security threats. The policy intended to encourage all organisations to develop information security policies integrated with their business plans and implement the policies in accordance with international best practices.

Under the Digital India initiative, the Ministry of Electronics and Information Technology (MeitY) has set up the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), operated by the Computer Emergency Response Team (CERT-In), to work with internet service providers and product or antivirus companies to provide information and tools to users on botnet and malware threats. Similar proactive measures are deployed by sector-specific regulators from time to time.

How does the government incentivise organisations to improve their cybersecurity?

In recent years, the government has rolled out some beneficial measures to incentivise both public and private sector organisations to improve cybersecurity standards. One example is the Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products, notified by MeitY on 2 July 2018, which names cybersecurity as a strategic sector and states that government procurement agencies will give preference to domestically manufactured or produced cybersecurity products.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

In addition to the Information Technology Act 2000 and the applicable rules framed thereunder, industry-specific standards have been prescribed by specific regulators. Some examples are given below.

  • Financial sector: the Reserve Bank of India has issued various guidelines for ensuring cybersecurity and the handling of cyber fraud within the banking sector. They can be accessed at www.rbi.org.in and include the following:
    • Cyber Security Framework in Banks, prescribing standards to be followed by banks for securing themselves against cybercrimes;
    • Basic Cyber Security Framework for Primary (Urban) Cooperative Banks, prescribing certain basic cybersecurity controls for primary urban cooperative banks;
    • Sharing of Information Technology Resources by Banks – Guidelines, ensuring that privacy, confidentiality, security and business continuity are fully met;
    • Information Technology Framework for the NBFC Sector, 2017, focusing on IT policy, IT governance, information and cybersecurity; and
    • Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, prescribing IT policy and outsourcing guidelines and recommendations.
  • Insurance sector: the insurance sector is subject to the ‘Guidelines on Information and Cyber Security for Insurers’ (Insurance Cyber Guidelines), issued by the Insurance Regulatory and Development Authority of India. Under these guidelines, the insurers are responsible for putting in place adequate measures to ensure that cybersecurity issues are addressed. Insurers are also mandated to appoint a chief information security officer (CISO), formulate a cyber crisis management plan and conduct audits.
  • Telecommunications sector: the licence conditions for a unified licence granted by the Department of Telecommunication (DOT) prescribe various cybersecurity obligations on the licensee entity. For instance, the licensee is obligated to ensure the protection of privacy of communication and that unauthorised interception of messages does not take place; the licensee is completely responsible for the security of its networks and must have an organisational policy on the security and security management of those networks. Due to the large surge in cybersecurity incidents fuelled by large-scale remote work adoption during the covid-19 pandemic, the DOT has been issuing, inter alia, various security-related circulars to update stakeholders, such as Best Practices – Cyber Security, which sets out protocols to be followed by organisations, and Unsafe Practices to be Avoided at Workplace for Cyber Security, which describes unsafe workplace practices that should be avoided, such as using common passwords, leaving devices unlocked, ignoring operating system and software updates and downloading files without scanning them.

Are there generally recommended best practices and procedures for responding to breaches?

Depending on the nature and the extent of the cybersecurity incident and the sensitivity of the sector, cyber incident response strategies may differ from one business to another. Some common measures that are recommended include:

  • deploying a detailed information security policy to be approved by the board;
  • conducting regular transaction monitoring;
  • conducting information security risk assessments;
  • setting up risk mitigation and transition plans;
  • updating relevant stakeholders within the organisation on their role in advance; and
  • allocating appropriate personnel to engage with regulatory authorities and to deal with clients, service providers, etc.


Many companies also prefer to conduct regular assessments of the vulnerabilities in their systems, including by inviting focused hacking. Depending on the sector, organisations can also reach out to CERT-In and seek advice on incident recovery, containing the damage and restoring their systems to operation. From time to time, CERT-In also issues advisories on actions recommended for parties that have been affected by cybersecurity incidents.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 require individuals and corporate entities affected by certain types of cybersecurity incidents to mandatorily report the incidents to CERT-In. In addition, it is also possible for individuals and organisations to voluntarily report any other cybersecurity incidents and vulnerabilities to CERT-In and seek requisite support and technical assistance to recover from them. Whether timely and voluntary reporting will help mitigate the imposition of a penalty for failing to implement reasonable security practices will be a fact-specific assessment.

In addition, the Securities and Exchange Board of India (SEBI), in its ‘Cyber Security & Cyber Resilience Framework’ for Stock Brokers/Depository Participants, has mandated stockbrokers and depository participants to submit quarterly reports to stock exchanges and depositories with information on cyberattacks and threats experienced by such entities and the corresponding measures that were taken to mitigate the vulnerabilities, threats and attacks.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The government issues consultation papers to invite feedback and suggestions from the private sector, which aids the formulation of policies and laws in respect of cybersecurity. For instance, presently, the government is working with the private sector to develop its 2020 cybersecurity strategy. In addition, the National Cyber Security Coordinator and the Data Security Council of India have in 2019 launched an online repository on cyber tech called ‘Techsagar’ to facilitate exchange and collaboration on matters of innovation and cybersecurity between businesses and academia. It is intended to provide an overview of India’s cybersecurity preparedness and relevant stakeholders.

In a first-of-its-kind public-private partnership, MeitY in 2018 launched ‘Cyber Surakshit Bharat’ to strengthen the cybersecurity ecosystem in India by spreading awareness about cybercrime and undertaking capacity-building for CISOs and IT staff across all government departments. The founding partners of the consortium are the IT companies Microsoft, Intel, WIPRO, Redhat and Dimension Data. Additionally, knowledge partners include CERT-In, NIC, NASSCOM and the FIDO Alliance, and the consultancy firms Deloitte and EY.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Cybersecurity insurance has gained momentum in India. It is aimed at shielding online users against the damage and loss that may arise as a result of unauthorised disclosure of or access to personal and financial data. Cyber insurance is prevalent in the banking, IT and ITES, retail and manufacturing sectors.

Furthermore, the much-awaited National Cyber Security Strategy 2020 is also expected to promote and provide a framework for cyber insurance in India, given the heightened risk arising from large-scale remote work adoption, including for protected and critical systems.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

09 December 2021.

The authors wish to thank Shagun Badhwar, Senior Associate and Suyash Tiwari, Associate for their assistance in the preparation of this chapter.

Source: https://www.lexology.com/library/detail.aspx?g=b9535c6b-50c8-4edb-b23b-445608b53633