Cyber Security Compliance in India

Cybersecurity in India has become a critical issue with the rapid growth of digitalization and the increasing reliance on technology in all aspects of life. As the world’s second-most populous country and the world’s fifth-largest economy, India has become a significant target for cybercriminals and state-sponsored hackers.

The Indian government has recognized the growing importance of cybersecurity and has taken several initiatives to address the challenges posed by cyber threats. In 2013, the government launched the National Cyber Security Policy, which aims to create a secure cyber ecosystem, enhance the resilience of critical information infrastructure, and build a skilled workforce for cybersecurity.

Furthermore, the Indian government has established several cybersecurity agencies and organizations, such as the National Critical Information Infrastructure Protection Centre (NCIIPC), the Indian Computer Emergency Response Team (CERT-In), and the Cyber Swachhta Kendra, to address cyber threats and protect critical information infrastructure.

However, despite these efforts, cybersecurity remains a significant challenge in India, with the country facing a growing number of cyber attacks, including data breaches, phishing scams, ransomware attacks, and malware infections. With the increasing use of digital technologies and the proliferation of connected devices, the need for robust cybersecurity measures in India has become more crucial than ever before.

Which are the top 8 Cybersecurity regulations in India 2023?

1. The Information Technology (IT) Act, 2000
2. The Personal Data Protection Bill, 2019
3. The National Cyber Security Policy, 2013
4. The Reserve Bank of India (RBI) Cyber Security Framework
5. The Securities and Exchange Board of India (SEBI) Cyber Security Framework
6. The Indian SPDI Rules, 2011
7. Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021
8. Know Your Customer (KYC) regulations

The Information Technology (IT) Act, 2000

The IT Act, 2000 of India provides a legal framework for electronic transactions and addresses various aspects of cybersecurity, including data protection, privacy, and cybercrime. It is a crucial piece of legislation in ensuring the security of India’s cyberspace. Amended in 2008 to align it with international best practices and to address emerging cyber threats. The amendments introduced new offenses such as cyber terrorism, introduced new provisions for data protection, and established a new agency called the Indian Computer Emergency Response Team (CERT-In) to handle cybersecurity incidents.

The Information Technology (IT) Act, 2000 is the primary legislation governing cybersecurity in India. It was enacted to provide legal recognition to electronic transactions, facilitate e-governance, and address various aspects of cybersecurity, including data protection, privacy, and cybercrime.

Here are some key provisions of the IT Act, 2000:

Legal recognition of electronic records: The IT Act, 2000 provides legal recognition to electronic records and digital signatures. It establishes the legal framework for electronic transactions and allows electronic documents to be used as evidence in court.

Cybercrime: The IT Act, 2000 contains provisions for the punishment of cybercrime. It includes offenses such as hacking, phishing, cyberstalking, identity theft, and dissemination of obscene material. The Act also contains provisions for the establishment of a Cyber Appellate Tribunal to adjudicate cybercrime cases.

Data protection: The IT Act, 2000 contains provisions for the protection of sensitive personal data. It requires organizations to obtain consent before collecting, using, and disclosing personal data. It also mandates the implementation of reasonable security practices and procedures to protect personal data from unauthorized access, use, or disclosure.

Network service providers: The IT Act, 2000 defines the responsibilities of network service providers (NSPs). It mandates NSPs to take reasonable steps to prevent the transmission of offensive or harmful material through their networks. It also requires NSPs to comply with government orders for interception, monitoring, and decryption of electronic communication.

Cyber regulations appellate tribunal: The IT Act, 2000 established a Cyber Regulations Appellate Tribunal (CRAT) to hear appeals against orders issued by the Controller of Certifying Authorities, Adjudicating Officers, and the Cyber Appellate Tribunal.

The Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 (PDP Bill) is a proposed law in India that seeks to regulate the processing of personal data of individuals by data fiduciaries (organizations that collect and use personal data) and ensure the protection of individuals’ privacy rights. The Bill was introduced in the Lok Sabha (lower house of the Indian Parliament) on December 11, 2019, and is currently being reviewed by a parliamentary committee.

Here are some of the key features of the PDP Bill:

• Definition of Personal Data: The Bill defines personal data as any data that relates to a natural person and can be used to identify that person, either directly or indirectly. It includes sensitive personal data such as financial information, health data, caste or religious information, etc.
• Consent: The Bill requires data fiduciaries to obtain the explicit consent of individuals before collecting, processing, or transferring their personal data. The consent should be informed, specific, and given voluntarily. Individuals have the right to withdraw their consent at any time.
• Data Protection Authority: The Bill establishes a Data Protection Authority (DPA) as an independent regulatory body to oversee and enforce the provisions of the Bill. The DPA will have the power to investigate violations, issue orders, and impose penalties for non-compliance.
• Cross-border Data Transfers: The Bill imposes restrictions on cross-border transfers of personal data. Data fiduciaries must ensure that the recipient of the data provides a similar level of data protection as required under the PDP Bill.
• Data Localization: The Bill requires certain categories of personal data to be stored only in India. These categories may be specified by the Central Government in consultation with the DPA.
• Right to Access and Correction: Individuals have the right to access their personal data held by data fiduciaries and to request corrections if the data is inaccurate or incomplete.
• Data Breach Notification: Data fiduciaries must notify individuals and the DPA of any data breach that is likely to cause harm to the individual.
• Penalties: The Bill imposes significant penalties for non-compliance with its provisions, including fines up to 4% of the global turnover of the data fiduciary or imprisonment for up to 3 years.

The National Cyber Security Policy, 2013

The National Cyber Security Policy, 2013 is a policy document released by the Indian government to safeguard the country’s cyberspace and secure India’s cyber infrastructure. The policy aims to create a secure cyber ecosystem in India and strengthen the country’s ability to prevent and respond to cyber threats.

Here are some of the key features of the National Cyber Security Policy, 2013:

1. Vision: The policy aims to build a secure and resilient cyberspace for citizens, businesses, and government. It seeks to create a framework for the protection of information and critical infrastructure, as well as establish a mechanism for the coordination of all stakeholders in the cyber ecosystem.
2. Strategic objectives: The policy outlines five strategic objectives to achieve its vision. These are:

• To create a secure cyber ecosystem for citizens, businesses, and government
• To develop a comprehensive security architecture and framework for India’s cyberspace
• To strengthen the regulatory framework for ensuring secure cyberspace in India
• To promote R&D activities and develop indigenous security technologies
• To create a skilled workforce for cybersecurity in India

3. Key initiatives: The policy outlines several initiatives to achieve its strategic objectives. These include:

• Establishing a National Critical Information Infrastructure Protection Centre (NCIIPC) to protect critical infrastructure in India
• Creating a National Cyber Coordination Centre (NCCC) to coordinate cybersecurity-related activities between various government agencies
• Developing a National Cyber Security R&D Plan to promote cybersecurity research and development in India
• Creating a framework for security audits and certifications for information security products and services
• Developing a national-level crisis management plan for responding to cyber incidents
• Promoting awareness about cybersecurity among citizens and businesses

4. Cybersecurity architecture and framework: The policy emphasizes the need for a comprehensive security architecture and framework to ensure the security of India’s cyberspace. It outlines the various components of the security framework, including risk assessment, threat intelligence, incident response, and awareness and training programs.

5. Regulatory framework: The policy stresses the need for a robust regulatory framework to ensure a secure cyberspace in India. It recommends the establishment of a Cyber Security Directorate within the National Security Council Secretariat to coordinate and oversee cybersecurity-related regulations.

6. Capacity building: The policy acknowledges the need for a skilled workforce for cybersecurity in India. It outlines initiatives to promote cybersecurity education and training and to create a pool of cybersecurity professionals in the country.

What is the average data breach costs in India?

The average data breach cost in India varies depending on several factors such as the size and type of organization, the nature and extent of the breach, the type of data compromised, and the cost of remediation and recovery. According to the IBM 2021 Cost of Data Breach Report, the average total cost of a data breach in India was INR 16.5 crore (approximately USD 2.2 million), which was higher than the global average of USD 4.24 million.

The report also highlighted some key factors that influenced the cost of data breaches in India, including the increased use of hybrid cloud environments, the growing prevalence of remote work, and the rising importance of data privacy regulations. For instance, organizations that experienced a data breach involving remote work had a higher cost per breached record than those without remote work involvement. Similarly, organizations that had fully deployed security automation technologies had a lower cost per breached record than those without security automation.

Furthermore, the report found that the average time to identify and contain a data breach in India was 307 days, which was higher than the global average of 287 days. This indicates that organizations in India may need to improve their incident response capabilities and invest in cybersecurity measures to detect and respond to breaches more effectively.

Which are the top cybersecurity regulating bodies in India?

There are several Indian cybersecurity regulating bodies responsible for developing, implementing, and enforcing cybersecurity regulations in India. The 7 key cybersecurity regulating bodies in India are:

1. Computer Emergency Response Team (CERT-In)
2. National Critical Information Infrastructure Protection Center (NCIIPC)
3. Cyber Regulations Appellate Tribunal (CRAT)
4. Securities and Exchange Board (SEBI) of India
5. Insurance Regulatory and Development Authority (IRDAI)
6. Telecom Regulatory Authority of India (TRAI)
7. Department of Telecommunications (DoT)