This Practice Guide provides an insight into the applicable legal and regulatory framework governing cybersecurity laws in India, relevant best practices including information sharing and insurance, enforcement measures, relevant regulatory authorities, penalties, recent updates and trends, etc.
Summarise the main statutes and regulations that promote cybersecurity. Does India have dedicated cybersecurity laws?
While India does not have a dedicated cybersecurity law, there are several legislations and sector-specific regulations which, inter alia, promote the maintenance of cybersecurity standards. One of the primary legislations dealing with cybersecurity, data protection and cybercrimes is the Information Technology Act 2000 (the IT Act), read with the rules and regulations framed thereunder. The IT Act not only provides legal recognition and protection for transactions carried out through electronic data interchange and other means of electronic communication, but also contains provisions that are aimed at safeguarding electronic data, information or records, and preventing unauthorised or unlawful use of a computer system. Some of the cybercrimes that are specifically envisaged and punishable under the IT Act are hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft.
In accordance with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013, the Indian Computer Emergency Response Team (CERT-In), designated under section 70B of the IT Act, has been established as the nodal agency responsible for the collection, analysis and dissemination of information on cyber incidents and for taking emergency measures to contain such incidents.
Other relevant rules framed under the IT Act in the context of cybersecurity include:
• the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the SPDI Rules), which prescribe reasonable security practices and procedures to be implemented for collection and the processing of personal or sensitive personal data;
• the Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018, which require specific information security measures to be implemented by organisations that have protected systems, as defined under the IT Act; and
• the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (the Intermediaries Guidelines), which supersede the erstwhile Information Technology (Intermediaries Guidelines) Rules 2011 and require intermediaries to implement reasonable security practices and procedures for securing their computer resources and the information contained therein. Intermediaries are also required to report cybersecurity incidents (including information relating to such incidents) to CERT-In.
Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which punishes offences, including those committed in cyberspace (such as defamation, cheating, criminal intimidation and obscenity), and the Companies (Management and Administration) Rules 2014 (the CAM Rules) framed under the Companies Act 2013, which require companies to ensure that electronic records and security systems are secure from unauthorised access and tampering.
In addition to the above, there are sector-specific regulations issued by regulators such as the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India, the Department of Telecommunications (DOT) and the Securities and Exchange Board of India (SEBI), which mandate cybersecurity standards to be maintained by their regulated entities, such as banks, insurance companies, telecoms service providers and listed entities.
Which sectors of the economy are most affected by cybersecurity laws and regulations in India?
Regulated entities operating in sensitive sectors, such as financial services, banking, insurance and telecommunications, have exhibited higher standards of cybersecurity preparedness and awareness, partly because of regulatory intervention but also because of voluntary compliance with advanced international standards.
Sectors such as e-commerce, IT and IT-enabled services that have seen an infusion of foreign direct investment have also proactively deployed robust cybersecurity frameworks and policies to counter evolving cyber fraud, often borrowing practices and procedures from parent entities in the United States, the European Union and other mature jurisdictions.
With the rise of digital payments, cybercrimes involving online payment transactions have increased significantly and grown more complex. The RBI has been active in requiring companies operating payment systems to build secure authentication and transaction security mechanisms (such as two-factor authentication, EMV chip cards, PCI DSS compliance and tokenisation). However, because these companies offer real-time, frictionless payment experiences to their consumers, banks and other entities in the payment ecosystem have correspondingly less time to identify and respond to cyberthreats. Entities therefore need to identify and develop cybersecurity standards commensurate with the nature of the information assets they handle, and to evaluate the possible harm from a cybersecurity attack, so that these emerging risks are mitigated.
Moreover, the covid-19 pandemic has led to increased dependencies on digital infrastructure for many organisations, as employees are being given the option of working remotely on a long-term or permanent basis.
This has led to enormous cybersecurity-related vulnerabilities and challenges for large and small organisations alike and made them rethink cybersecurity preparedness, policies and budgets. We have already witnessed large-scale cyberattacks and disruption in sensitive sectors in India. The demand for remote work, new technologies and vulnerabilities resulting therefrom will continue to be relevant, and we expect cybersecurity standards to be given critical importance in the immediate future.
Has India adopted any international standards related to cybersecurity?
Yes, the SPDI Rules require body corporates that handle sensitive personal data or information to implement ‘reasonable security practices and procedures’ by maintaining a comprehensively documented information security programme. This programme should include managerial, technical, operational and physical security control measures that are commensurate with the nature of the information being protected. In this context, the SPDI Rules recognise the International Standard ISO/IEC 27001 on Information technology – Security techniques – Information security management systems – Requirements as one such approved security standard that can be implemented by a body corporate for protection of personal information. All body corporates that comply with this standard are subject to audit checks by an independent government-approved auditor at least once a year or as and when they undertake a significant upgrade of their processes and computer resources.
Sector-specific regulators have also prescribed security standards specifically applicable to regulated entities. For instance, the RBI guidelines mandate banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards for ensuring adequate protection of critical functions and processes. The Guidelines on Regulation of Payment Aggregators and Payment Gateways issued by the RBI require payment aggregators to implement data security standards and best practices such as PCI-DSS and PA-DSS. Similarly, the Securities and Exchange Board of India (SEBI) requires stock exchanges, depositories, clearing corporations, etc., to follow standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.
What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation’s protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
While there is no specific statutory provision that requires information security personnel to keep directors informed of an organisation’s network preparedness, in the event of a cybersecurity breach, the persons in charge of an organisation are required to demonstrate before regulators that they have implemented security control measures as per their documented information security programmes and information security policies.
Therefore, it would be necessary for these persons to be aware of and updated about the information security preparedness of their organisation to effectively discharge their responsibilities.
Section 85 of the IT Act also specifically states that in case of any contravention of the provisions stipulated thereunder, any person who is in charge of supervising the affairs of a company will be liable and proceeded against, unless he or she is able to prove that the contravention took place without his or her knowledge, or that he or she exercised all due diligence to prevent such contravention. Therefore, personnel can protect themselves from liability by being aware of and deploying adequate cybersecurity measures.
Separately, as per the CAM Rules, the managing director, company secretary, or any other director or officer of the company (as may be decided by the board) is responsible for the maintenance and security of electronic records. This person is required, inter alia, to provide adequate protection against unauthorised access, alteration or tampering of records; ensure that computer systems, software and hardware are secured and validated to ensure their accuracy, reliability and accessibility; and take all necessary steps to ensure the security, integrity and confidentiality of records.
Any failure by such personnel in this regard may be construed to be a breach of their duties towards the organisation and is punishable with a monetary penalty.
How does India define cybersecurity and cybercrime?
Under the IT Act, ‘cybersecurity’ means protecting information, equipment, devices, computers, computer resources, communication devices and information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction.
‘Cybercrime’, on the other hand, has not been defined under any central statute or regulations; however, the National Cyber Crime Reporting Portal (a body set up by the government to facilitate reporting of cybercrime complaints) has defined ‘cybercrime’ to mean ‘any unlawful act where a computer or communication device or computer network is used to commit or facilitate the commission of crime’.
The courts in India have also dealt with various instances of cybercrime over the years. The Gujarat High Court, in the case of Jaydeep Vrujlal Depani v State of Gujarat (R/SCR.A/5708/2018 Order), recognised a publicly available definition of ‘cybercrime’ to mean ‘the offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (networks including but not limited to Chat rooms, emails, notice boards and groups) and mobile phones (Bluetooth/SMS/MMS)’.
While the IT Act does not make any distinction between cybersecurity and data privacy, in our view, these issues are distinct but also deeply interconnected, as ensuring the privacy of any data (whether of an individual or a corporate) requires adequate cybersecurity processes to be implemented by organisations.
Further, cybersecurity and information security frameworks are developed by organisations at a broader level to build resilience against various forms of cyberthreat, including cybercrimes that entail more extensive engagement with regulatory authorities depending on the extent of the harm caused, the nature of the information handled by the body corporate, sector sensitivities, etc.
What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
As per the SPDI Rules, any body corporate that possesses, deals with or handles any sensitive personal data or information in a computer resource is required to implement reasonable security practices and procedures. ISO/IEC 27001 (Information technology – Security techniques – Information security management systems – Requirements) is the standard the Rules recognise as satisfying this requirement; alternatively, a body corporate may follow an industry code of best practice that has been approved and notified by the central government.
Sector-specific cybersecurity measures have been made mandatory by regulators for some regulated businesses.
For instance, in the banking sector, the RBI requires banks to undertake certain security measures, including, inter alia, logical access controls to data, systems, application software, utilities, telecommunication lines, libraries and system software; using a proxy-server type of firewall; using secure sockets layer (SSL) for server authentication; and encrypting sensitive data, such as passwords, in transit even within the enterprise itself. The RBI specifically mandates that connectivity between the payment gateway and the computer system of the member bank be achieved over a leased-line network (and not over the internet) with an appropriate data encryption standard, and that 128-bit SSL encryption be used as the minimum level of security. Note that the protocol named in this guidance has since been superseded: SSL 2.0 and SSL 3.0 are formally deprecated by the IETF, so in practice the requirement is met with TLS at an equivalent or stronger key length.
The RBI also requires payment aggregators to implement data security standards and best practices like PCI-DSS, PA-DSS, latest encryption standards, transport channel security, etc. as per the Guidelines on Regulation of Payment Aggregators and Payment Gateways.
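The RBI controls quoted above (a 128-bit floor, encryption of credentials in transit, no reliance on legacy SSL) are stated as outcomes, not as a procedure. The following Python is an added example written for this guide, not RBI text or any regulated entity's code: it builds a TLS client context that refuses SSL 2.0/3.0 and TLS 1.0/1.1, then audits the cipher suites the context would negotiate against the 128-bit floor. The OpenSSL cipher-list string, the legacy-protocol set and the weak-algorithm tokens are the editor's own choices, and `SAMPLE_LEGACY_CIPHERS` is constructed to mimic the dicts that `ssl.SSLContext.get_ciphers()` returns.

```python
"""Audit a TLS client configuration against a '128-bit minimum, no legacy SSL' floor.

Added example for this guide; not RBI text or code. The cipher-list string, the
legacy-protocol set and the weak-algorithm tokens are the editor's own choices,
and SAMPLE_LEGACY_CIPHERS is constructed to mimic get_ciphers() output.
"""
import ssl

MIN_STRENGTH_BITS = 128                                      # floor quoted in the RBI guidance
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # all deprecated by the IETF
WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP")           # algorithms to refuse outright


def build_baseline_context() -> ssl.SSLContext:
    """Client context that refuses SSL 2.0/3.0 and TLS 1.0/1.1 and negotiates only
    forward-secret AEAD suites, all of which use 128-bit or stronger keys."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax (assumption: an OpenSSL-backed Python build).
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL")
    return ctx


def audit_ciphers(ciphers, min_bits=MIN_STRENGTH_BITS):
    """Map each non-compliant suite name to the list of reasons it fails.

    `ciphers` is an iterable of dicts shaped like get_ciphers() output (keys
    'name', 'protocol', 'strength_bits'). A key-length check alone is not
    enough: RC4-SHA is nominally 128-bit, so protocol and algorithm are
    checked as well.
    """
    findings = {}
    for c in ciphers:
        reasons = []
        if c["strength_bits"] < min_bits:
            reasons.append(f"{c['strength_bits']}-bit key below {min_bits}-bit floor")
        if c["protocol"] in LEGACY_PROTOCOLS:
            reasons.append(f"negotiable under legacy protocol {c['protocol']}")
        if any(tok in c["name"] for tok in WEAK_TOKENS):
            reasons.append("deprecated algorithm in suite")
        if reasons:
            findings[c["name"]] = reasons
    return findings


def meets_baseline(ctx: ssl.SSLContext) -> bool:
    """True when the context refuses everything below TLS 1.2 and offers no weak suite."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and not audit_ciphers(ctx.get_ciphers()))


# Constructed sample of what an older, permissive configuration might still offer.
SAMPLE_LEGACY_CIPHERS = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256},
    {"name": "RC4-SHA", "protocol": "TLSv1.0", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "TLSv1.0", "strength_bits": 112},
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40},
]

if __name__ == "__main__":
    baseline = build_baseline_context()
    print("baseline meets floor:", meets_baseline(baseline))
    for name, reasons in audit_ciphers(SAMPLE_LEGACY_CIPHERS).items():
        print(f"{name}: {'; '.join(reasons)}")
```

The point of checking protocol and algorithm alongside `strength_bits` is that a regulator's "128-bit minimum" can be satisfied on paper by RC4-SHA, which no practitioner would accept today; the audit therefore flags it even though its nominal key length passes.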
Additionally, in the telecommunications sector, the licence conditions imposed by the DOT require every licensee to implement the following measures:
• ensure protection of privacy of communication so that unauthorised interception of messages does not take place;
• have an organisational policy on security and security management of its network, including network forensics, network hardening, network penetration tests and risk assessment; and
• induct only those network elements into its telecom network that have been tested as per relevant contemporary Indian or international security standards (eg, IT and IT-related elements against ISO/IEC 15408, information security management systems against the ISO/IEC 27000 series, and telecoms and telecoms-related elements against the 3GPP and 3GPP2 security standards).
Further, critical information infrastructure (CII) is separately regulated by the National Critical Information Infrastructure Protection Centre (NCIIPC) and the ‘Guidelines for the Protection of National Critical Information Infrastructure’ (CII Guidelines). CII has been defined under the IT Act to mean any computer resource, the incapacitation or destruction of which can have a debilitating impact on national security, the economy, public health or safety. Under the CII Guidelines, certain best practices and controls are provided as minimum recommendations to be implemented by the CIIs at different stages of CII functioning, to maintain safe and secure operations. In addition to the CII Guidelines, the NCIIPC in April 2020 also issued covid-19 guidelines titled ‘Building Resilience against Cyber Attacks during COVID-19 Crisis’, which intend to provide guidance to CIIs on various issues, including managing email phishing risks, protection of organisational assets and enabling employees to work remotely.
Scope and Jurisdiction
Does India have any laws or regulations that specifically address cyberthreats to intellectual property?
The IT Act and related laws are equally applicable to cyberthreats involving intellectual property and grant similar protection.
Does India have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
As per section 70 of the IT Act, the government may notify any computer resource that directly or indirectly affects the facility of CII to be a ‘protected system’. CII means any computer resource the incapacitation or destruction of which can have a debilitating impact on national security, the economy, public health or safety. Under the Protected System Rules, specific cybersecurity practices are applicable in the context of a protected system, such as setting up an information security steering committee (Committee) to approve all information security policies relating to the protected systems, designating a chief information security officer (CISO) and carrying out vulnerability, threat or risk analysis on an annual basis. Significant changes in network configuration would need to be approved by the Committee, and organisations would need to ensure timely communication of cyber incidents to the Committee.
Under section 70A of the IT Act, a nodal body, the NCIIPC, has been set up to work in the interest of CII protection. The NCIIPC is authorised to reduce vulnerabilities of CII against cyberterrorism, cyber warfare and other threats. Identified CIIs fall in sectors such as transport, telecoms, banking, insurance, finance, power, energy and governance.
The Central Electricity Regulatory Commission (Indian Electricity Grid Code) Regulations 2010 mandate utilities such as entities engaged in the distribution and transmission of electricity to implement a cybersecurity framework to identify critical cyber assets and protect such assets for reliable operation of the grid. New regulations, namely the Central Electricity Regulatory Commission (Indian Electricity Grid Code) Regulations 2020 have been proposed, which require all entities to have an information security policy in place to prevent unauthorised access, use, disclosure, modification, destruction, etc. of information, have necessary protection mechanisms such as firewalls for all systems interfacing with the network, and take necessary backup and protection measures for classified and sensitive data.
Sector-specific cybersecurity regulations are also available for sectors such as banking, telecommunications, finance and insurance.
Does India have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
In the judgment of Justice K S Puttaswamy (Retd) and Anr. v Union of India and Ors (Writ Petition (Civil) No. 494 of 2012), the Supreme Court of India held the right to privacy to be a fundamental right that is an intrinsic component of the right to life and personal liberty under article 21 of the Constitution of India and therefore a basic right of all individuals. Although there are precedents where the courts have held private communications between individuals to be covered within the purview of ‘right to privacy’, there are also precedents where Indian courts have admitted recordings obtained without consent as valid evidence. Given that this issue is unsettled, the permissibility of recordings will need to be determined on a case-by-case basis.
In any case, the SPDI Rules require a body corporate to disclose personal data or sensitive personal information subject to prior consent of the data subject. However, this condition can be waived if the disclosure is to government agencies mandated under the IT Act for the purpose of verification of identity, or for the prevention or investigation of any offences, including cybercrimes. The SPDI Rules also permit disclosure without consent in cases where the disclosure is made pursuant to an enforceable order under applicable law.
Certain laws, such as the Indian Telegraph Act 1885 (the Telegraph Act) and the IT Act, permit governmental and regulatory authorities to access private communications and personally identifiable data in specific circumstances.
The Telegraph Act empowers the government to intercept messages in the interest of public safety, national security or the prevention of crime, subject to certain prescribed safeguards. In that scenario, the telecoms licensee that has been granted a licence by the DOT is mandated to provide necessary facilities to the designated authorities of the central government or the relevant state government for interception of the messages passing through its network.
Section 69 of the IT Act grants similar authority to the government and its authorised agencies. The central or a state government, or an officer specially authorised by it, can, inter alia, direct any of its agencies to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information that is generated, transmitted, received or stored in any computer resource, where it is satisfied that this is necessary or expedient in the interest of the sovereignty or integrity of India, the defence of India, the security of the state, friendly relations with foreign states, public order or preventing incitement to the commission of any cognisable offence relating to the above, or for the investigation of any offence. In our view, the grounds listed in the IT Act can be relied on by government agencies to intercept data relating to cybersecurity incidents where those incidents involve the contravention or investigation of an offence.
What are the principal cyberactivities that are criminalised by the law of India?
Cybercrime activities are specifically dealt with under the IT Act. It prescribes penalties ranging from fines to imprisonment for various types of cyber activity, including hacking, tampering with computer source code, denial-of-service attacks, phishing, malware attacks, identity fraud, electronic theft, cyberterrorism, privacy violations and the introduction of any computer contaminant or virus.
How has India addressed information security challenges associated with cloud computing?
There is no separate set of laws or regulations that regulate the provision of cloud computing services in India.
However, given that cloud computing services are rendered and received over the internet or through the digital medium, certain provisions of the IT Act, the SPDI Rules and the Intermediaries Guidelines may be relevant to these services.
For instance, the SPDI Rules allow a body corporate to transfer data to any other body corporate or a person in India or in any other country that ensures the same level of data protection that is adhered to by the body corporate. However, the transfer may be allowed only if it is necessary for the performance of a lawful contract between the body corporate and the data subject or where the person has consented to the data transfer.
Accordingly, in our view, any entity engaged in the cloud computing business will need to ensure that it maintains the same level of information security standards as that of the data controller (ie, the person collecting the information from the data subject).
Also, depending on the business model, a cloud services provider may fall within the definition of an intermediary under the IT Act (defined as any person who on behalf of another person receives, stores or transmits an electronic record or provides any service with respect to that record, and including telecoms service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online marketplaces and cybercafes). As an intermediary, the cloud service provider will need to observe the due diligence measures prescribed under section 79 of the IT Act and the Intermediaries Guidelines to claim safe harbour protection from liability arising from the content stored by it. These due diligence measures include taking all reasonable steps to secure its computer resource and the information contained therein by adopting the security practices prescribed under the SPDI Rules.
The RBI also issued ‘Guidelines on Regulation of Payment Aggregators and Payment Gateways’ on 17 March 2020, where it mandates all payment aggregators to adhere to the data storage requirements applicable for payments data to ensure that all data is stored only in India for the RBI’s unfettered supervisory access.
How do India’s cybersecurity laws affect foreign organisations doing business in India? Are the regulatory obligations the same for foreign organisations?
Under section 75, the IT Act also applies to any offence or contravention committed outside India by any person, irrespective of nationality, if the act or conduct constituting the offence involves a computer, computer system or computer network located in India. Hence, the applicability of this law does not depend on a foreign organisation having a presence in India, so long as users in India can access the services provided by the organisation and the operation of those services amounts to a contravention of any provision of the IT Act.
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
In addition to minimum statutory cybersecurity standards, various regulatory bodies have advised businesses to adopt more robust measures in areas of cybersecurity. For example, the Ministry of Communications and Information Technology released the National Cyber Security Policy in 2013, which recommended creating a secure cyber ecosystem, strengthening laws and creating mechanisms for the early warning of security threats, vulnerability management and the response to security threats. The policy intended to encourage all organisations to develop information security policies integrated with their business plans and to implement those policies in accordance with international best practices.
Under the Digital India initiative, the Ministry of Electronics and Information Technology (MeitY) has set up the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), operated by the Computer Emergency Response Team (CERT-In), to work with internet service providers and product or antivirus companies to provide information and tools to users on botnet and malware threats. Similar proactive measures are deployed by sector-specific regulators from time to time.
How does the government incentivise organisations to improve their cybersecurity?
In recent years, the government has rolled out some beneficial measures to incentivise both public and private sector organisations to improve cybersecurity standards. One example is the Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products notified by MeitY on 2 July 2018, wherein cybersecurity was named as a strategic sector, and it was further mentioned that government procurement agencies will give preference to domestically manufactured or produced cybersecurity products.
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
In addition to the Information Technology Act 2000 and the applicable rules framed thereunder, industry-specific standards have been prescribed by specific regulators. Some examples are given below.
• Financial sector: the Reserve Bank of India has issued various guidelines for ensuring cybersecurity and the handling of cyber fraud within the banking sector, available on the RBI's website. They include:
– Cyber Security Framework in Banks, prescribing standards to be followed by banks for securing themselves against cybercrimes;
– Basic Cyber Security Framework for Primary (Urban) Cooperative Banks, prescribing certain basic cybersecurity controls for primary urban cooperative banks;
– Sharing of Information Technology Resources by Banks – Guidelines, ensuring that privacy, confidentiality, security and business continuity are fully met;
– Information Technology Framework for the NBFC Sector, 2017, focusing on IT policy, IT governance information and cybersecurity; and
– Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds, prescribing IT policy and outsourcing guidelines and recommendations.
• Insurance sector: the insurance sector is subject to the ‘Guidelines on Information and Cyber Security for Insurers’ (Insurance Cyber Guidelines), issued by the Insurance Regulatory and Development Authority of India. Under these guidelines, the insurers are responsible for putting in place adequate measures to ensure that cybersecurity issues are addressed. Insurers are also mandated to appoint a chief information security officer (CISO), formulate a cyber crisis management plan and conduct audits.
• Telecommunications sector: the licence conditions for a unified licence granted by the Department of Telecommunications (DOT) impose various cybersecurity obligations on the licensee. For instance, the licensee is obligated to ensure the protection of privacy of communication and that unauthorised interception of messages does not take place; the licensee is completely responsible for the security of its networks and must have an organisational policy on the security and security management of its networks, etc. Following the surge in cybersecurity incidents that accompanied large-scale remote work adoption during the covid-19 pandemic, the DOT has been issuing, inter alia, various security-related circulars to update stakeholders, such as Best Practices – Cyber Security, which sets out protocols to be followed by organisations, and Unsafe Practices to be Avoided at Workplace for Cyber Security, which describes unsafe workplace practices that should be avoided, such as using common passwords, leaving devices unlocked, ignoring operating system and software updates and downloading files without scanning them.
Are there generally recommended best practices and procedures for responding to breaches?
Depending on the nature and the extent of the cybersecurity incident and the sensitivity of the sector, cyber incident response strategies may differ from one business to another. Some common measures that are recommended include:
• deploying a detailed information security policy to be approved by the board;
• conducting regular transaction monitoring;
• conducting information security risk assessments;
• setting up risk mitigation and transition plans;
• updating relevant stakeholders within the organisation on their role in advance; and
• allocating appropriate personnel to engage with regulatory authorities and to deal with clients, service providers, etc.
Many companies also conduct regular assessments of the vulnerabilities in their systems, including by commissioning authorised, targeted attacks on those systems (penetration testing). Depending on the sector, organisations can also reach out to CERT-In and seek advice on incident recovery, containing the damage and restoring their systems to operation. From time to time, CERT-In also issues advisories on actions recommended for parties that have been affected by cybersecurity incidents.
Describe practices and procedures for voluntary sharing of information about cyberthreats in India. Are there any legal or policy incentives?
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 require individuals and corporate entities affected by certain types of cybersecurity incidents to mandatorily report the incidents to CERT-In. In addition, it is also possible for individuals and organisations to voluntarily report any other cybersecurity incidents and vulnerabilities to CERT-In and seek requisite support and technical assistance to recover from them. Whether timely and voluntary reporting will help mitigate the imposition of a penalty for failing to implement reasonable security practices will be a fact-specific assessment.
In addition, the Securities and Exchange Board of India (SEBI), in its ‘Cyber Security & Cyber Resilience Framework’ for Stock Brokers/Depository Participants, has mandated stockbrokers and depository participants to submit quarterly reports to stock exchanges and depositories with information on cyberattacks and threats experienced by such entities and the corresponding measures taken to mitigate the vulnerabilities, threats and attacks.
How do the government and private sector co-operate to develop cybersecurity standards and procedures?
The government issues consultation papers to invite feedback and suggestions from the private sector, which aids the formulation of policies and laws in respect of cybersecurity. For instance, presently, the government is working with the private sector to develop its 2020 cybersecurity strategy.
In addition, the National Cyber Security Coordinator and the Data Security Council of India have in 2019 launched an online repository on cyber tech called ‘Techsagar’ to facilitate exchange and collaboration on matters of innovation and cybersecurity between businesses and academia. It is intended to provide an overview of India’s cybersecurity preparedness and relevant stakeholders.
In a first-of-its-kind public-private partnership, MeitY in 2018 launched ‘Cyber Surakshit Bharat’ to strengthen the cybersecurity ecosystem in India, by spreading awareness about cybercrime and undertaking capacity-building for CISOs and IT staff across all government departments. The founding partners of the consortium are the IT companies Microsoft, Intel, WIPRO, Redhat and Dimension Data. Additionally, knowledge partners include CERT-In, NIC, NASSCOM and the FIDO Alliance and the consultancy firms Deloitte and EY.
Is insurance for cybersecurity breaches available in India and is such insurance common?
Cybersecurity insurance has gained momentum in India. It is aimed at shielding online users against the damage and loss that may arise as a result of unauthorised disclosure of or access to personal and financial data. Cyber insurance is prevalent in the banking, IT and ITES, retail and manufacturing sectors.
Furthermore, the much-awaited National Cyber Security Strategy 2020 is also expected to promote and provide a framework for cyber insurance in India, given the increased risk arising from large-scale remote work adoption, including for protected and critical systems.
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The Computer Emergency Response Team (CERT-In) is the nodal agency recognised under the Information Technology Act 2000 (IT Act) for the coordination of cyber incident response activities and the handling of cybersecurity incidents.
Further, the government has also established certain authorities and agencies for according protection specifically to the critical infrastructure of India, such as the National Critical Information Infrastructure Protection Centre, which was created to assess and prevent threats to vital installations and critical infrastructure in India. Once a cybersecurity incident has been identified, individuals and organisations can seek remedy from the adjudicating authorities appointed under the IT Act.
Sector-specific regulators have also attempted to enforce compliance with their respective information security standards. For example, the Reserve Bank of India (RBI) imposed a monetary penalty of 1 million rupees on the Union Bank of India for non-compliance with the directions of the Cyber Security Framework in Banks.
In January 2020, the Union Minister for Home Affairs inaugurated the Indian Cyber Crime Coordination Centre (I4C) to deal with all types of cybercrime in a comprehensive and coordinated manner. One of the components of I4C is the National Cyber Crime Reporting Portal, which is a citizen-centric initiative that enables citizens to report all kinds of cybercrime online, with a specific focus on crimes against women and children – particularly child pornography, child sexual abuse material and online content pertaining to rapes, gang rapes and similar crimes. The complaints reported on this portal are dealt with by law enforcement agencies and police, based on the information made available in the complaints.
Describe the authorities’ powers to monitor compliance, conduct investigations and prosecute infringements.
Given that CERT-In is the national agency responsible for cybersecurity, it has the authority to call for information and give directions to service providers, intermediaries, data centres, body corporates and any other person to perform their functions under the IT Act and the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013. Failure to respond to CERT-In’s information requests may lead to the imposition of monetary penalties.
Further, the adjudicating authorities appointed under the IT Act have the powers of a civil court to call for evidence and documents, and summon witnesses in connection with an inquiry into any contravention under the IT Act.
As per the provisions of the IT Act, for national security and for investigation of any offence (including cybersecurity offences), authorised government officers can issue orders to intercept, monitor or decrypt any computer resource, ask intermediaries to provide access to any information or to block access to any information stored, received or generated in any computer resource. Additionally, law enforcement agencies can be authorised to monitor and collect traffic data or information generated, received or transmitted in any computer resource, and can confiscate any computer resource in respect of which any contravention of the IT Act has been carried out.
Indian law also provides law enforcement authorities with various other mechanisms to pursue, investigate and prosecute cyber criminals. For instance, the Indian Penal Code 1860 (IPC) is a comprehensive code intended to cover most substantive aspects of criminal law. Criminal activities punishable under the IPC extend to those committed online or against cyberspace infrastructure, and are dealt with in the same manner.
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Regulators in India have relied on the provisions of the IT Act and the IPC to prosecute entities found to be non-compliant with mandatory information security requirements. However, from a practical perspective, enforcement agencies often face challenges in prosecuting offshore entities that do not have a business presence in India, as well as affixing liability in multi-layered business outsourcing structures. The absence of a comprehensive data protection law that allocates cybersecurity responsibilities between all relevant stakeholders is also a concern. Over time, the private sector and the government have felt the need to develop more cybercrime and prosecution expertise among the police personnel responsible for prosecuting offences under the IT Act, and specific local cyber cells have been set up to address this gap.
What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified?
There is no specific requirement under the IT Act to inform the data subject of a cybersecurity incident. However, under the Intermediaries Guidelines, the intermediary is required to inform CERT-In of cybersecurity breaches as soon as possible. Further, specific types of cybersecurity incidents (target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, etc.) have to be mandatorily reported to CERT-In by service providers, intermediaries, data centres and body corporates within a reasonable time of the occurrence or noticing the incident to aid timely action.
In addition, sector-specific regulators have their own reporting requirements. For instance, the RBI requires banks to comply with the Cyber Security Framework in Banks, which, inter alia, requires banks to report cybersecurity incidents to the RBI within two to six hours. The Guidelines on Regulation of Payment Aggregators and Payment Gateways issued by the RBI require payment aggregators to put in place a mechanism for the monitoring, handling and follow-up of cybersecurity incidents and breaches. Such incidents and breaches are to be reported immediately to the Department of Payment and Settlement Systems, RBI, Central Office, Mumbai, and reported to CERT-In.
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
The IT Act provides for penalties for varied instances of cybersecurity breaches, some of which are described here.
Section 43 of the IT Act provides that any person accessing a computer or a computer system or network without the permission of the owner, downloading copies and extracting any data, or causing disruption of any system will be liable to pay damages to the person affected. Section 66 of the IT Act also provides for punishment of imprisonment for a term of up to three years or a fine of up to 500,000 rupees if the person dishonestly or fraudulently commits the offence.
Section 66C of the IT Act provides that a person who, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person will be punished with imprisonment of up to three years and will also be liable for payment of a fine of up to 100,000 rupees.
Additionally, the IT Act provides for imprisonment of up to one year or a fine of up to 100,000 rupees, or both, for any failure by an entity (service provider, intermediary, data centre, body corporate, etc.) to provide requisite information requested by CERT-In. Furthermore, sector-specific authorities (such as the RBI) may also levy penalties for non-compliance with their respective cybersecurity standards.
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Any failure by intermediaries to report cybersecurity incidents to CERT-In is punishable under the IT Act by a monetary penalty not exceeding 25,000 rupees. Any failure of a body corporate to report specific cyber breaches mandated under the IT Act is punishable by the same amount. Further, if CERT-In specifically requests any information from an entity (including the service provider, intermediary or body corporate), then a failure to submit the information is punishable by imprisonment of up to one year or a fine that may extend to 100,000 rupees, or both.
In addition, sector-specific regulators have their own reporting requirements. For instance, failure to report within the timelines prescribed for banks under the Cyber Security Framework in Banks may result in the imposition of penalties by the RBI. For the telecommunications sector, the unified licence conditions stipulate that any failure by the licensee to comply with the obligations provided therein, including reporting of any intrusions, attacks and frauds on the technical facilities, may render the concerned licensee liable to a monetary penalty of up to 500 million rupees per breach.
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
There is no specific private remedy available; however, the IT Act makes statutory remedies available to persons affected. Section 43A of the IT Act expressly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security practices and procedures that in turn cause wrongful loss or wrongful gain to any person, the body corporate shall be liable to pay damages to the person affected. Therefore, the affected party may initiate a civil action against the negligent body corporate, making it liable to pay damages.
Further, a civil action may also be brought against any person who, without the permission of the owner of a computer or a computer system or network, does any of the acts mentioned under section 43 of the IT Act, including but not limited to accessing or securing access to the computer or computer system or network, downloading or extracting any data from it, contaminating it with a virus or other malware, or causing any damage to it.
In addition, the Securities Exchange Board of India’s Guidelines (‘Cyber Security & Cyber Resilience Framework’ for Stock Brokers/ Depository Participants) have mandated stockbrokers and depository participants to draft their cybersecurity and cyber resilience policy document and ensure provisioning of alternate services or systems to customers in the event of any security incident.
Policies and Procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
There are no general cybersecurity policies and procedures applicable to all organisations. Some specific requirements are mentioned below:
• Information Technology Act 2000 and Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the SPDI Rules): as per the SPDI Rules, all organisations handling sensitive personal information of natural persons (financial and health information, passwords, biometric data, etc.) should, inter alia:
– have information security systems in place that are commensurate with the information assets sought to be protected;
– appoint a grievance officer to address any discrepancies and grievances of the provider of such information; and
– audit the reasonable security practices and procedures that have been implemented at least once a year, or as and when the body corporate or a person on its behalf undertakes a significant upgrade of its processes and computer resources.
• Companies (Management and Administration) Rules 2014: companies, when dealing with electronic records, are required to ensure the security of any such records, including:
– protection against unauthorised access;
– protection against alteration;
– protection against tampering;
– maintaining the security of computer systems, software and hardware;
– protecting signatures; and
– taking periodic backups.
• The RBI has issued a notification on ‘Cyber Security Framework for Banks’, which prescribes standards to be followed by banks for securing themselves against cybercrimes, including, for example, a mechanism for dealing with and reporting incidents, a cyber crisis management plan, and arrangements for continuous surveillance of systems and protection of customer information. A similar framework is applicable to non-banking finance companies. The Guidelines on Regulation of Payment Aggregators and Payment Gateways require payment aggregators to put in place a Board-approved information security policy for the safety and security of the payment systems operated by them and to implement security measures in accordance with this policy to mitigate identified risks.
• The Insurance Regulatory and Development Authority of India (IRDA) has issued ‘Insurance Cyber Guidelines’, which mandate insurers to appoint a chief information security officer, formulate a cyber crisis management plan and conduct audits.
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
Generally, no specific record-keeping requirements have been prescribed for cyber threats or attacks; however, maintaining records may become necessary to adhere to security standards. For instance, the Computer Emergency Response Team (CERT-In) issued the CERT-In Security Guidelines CISG-2009-01, which describe a ‘log’ as a record of actions and events that take place on a computer system. The guidelines recommend that organisations have appropriate auditing policies in place that efficiently collect the information logs relating to events, including critical events occurring in the network and systems. No specific timeline for record-keeping has been prescribed.
Sector-specific regulators have prescribed storage requirements for regulated entities. For instance, the IRDA issued the ‘Insurance Cyber Guidelines’, which require all registered insurance companies to retain the security logs of their various systems and devices for a minimum period of six months. The guidelines also mandate the implementation of an incident management system that should include security incident reporting and recording.
Lastly, in accordance with the Securities Exchange Board of India Guidelines (‘Cyber Security & Cyber Resilience Framework’ for Stock Brokers/Depository Participants), stockbrokers and depository participants are required to ensure that records of user access to critical systems are identified and logged for audit and review purposes, and the logs should be maintained and stored in a secure location for a period not less than two years.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
Reporting under the IT Act
The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 permit cybersecurity incidents to be reported by any person to CERT-In. However, specified types of cybersecurity incidents (target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, etc.) need to be mandatorily reported to CERT-In by service providers, intermediaries, data centres and bodies corporate within a reasonable time of the incident occurring or being noticed to aid timely action.
The Intermediaries Guidelines require the intermediaries, as part of their due diligence obligations, to notify CERT-In of security breaches. CERT-In publishes the formats for reporting cybersecurity incidents on its website from time to time, which requires mentioning the time of occurrence of the incident, the type of incident, information regarding the affected systems or network, the symptoms observed, the relevant technical systems deployed, and the actions taken, among others.
Reporting in other sectors
In addition to the reporting requirements under the IT Act, separate reporting requirements are applicable for cybersecurity incidents occurring in regulated sectors. For instance, the Cyber Security Framework in Banks requires banks to inform the RBI of any cybersecurity incident within two to six hours of the breach and to include details of it in a standard reporting template. Such a report must include all unusual cybersecurity incidents (whether they were successful or were attempts that did not succeed). Similarly, as per the Insurance Cyber Guidelines issued by the IRDA, insurers are required to report cybersecurity incidents that critically affect business operations and a large number of customers within 48 hours of having knowledge of the cybersecurity incident.
In the telecommunications sector, every telecommunication licensee is required to establish a facility (within 12 months of the grant of authorisation) for monitoring intrusions, attacks and frauds on its technical facilities, and to provide reports of such intrusions, attacks and frauds to the Department of Telecommunications.
What is the timeline for reporting to the authorities?
The Intermediaries Guidelines require intermediaries to inform CERT-In of cybersecurity breaches as soon as possible.
Further, specific types of cybersecurity incidents, such as target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, etc. have to be mandatorily reported to CERT-In by service providers, intermediaries, data centres and body corporates within a reasonable time of the occurrence or of noticing the incident, to aid timely action.
Separate reporting requirements are applicable for cybersecurity incidents occurring in regulated sectors. For instance, the RBI requires banks to report cybersecurity incidents within two to six hours. The IRDA requires insurers to report cybersecurity incidents that critically affect business operations and a large number of customers within 48 hours of having knowledge of the incident.
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
There is no obligation to report cybersecurity threats or breaches to the general public or affected parties.
Key Developments of the Past Year
What are the principal challenges to developing cybersecurity regulations? How can companies help shape a favourable regulatory environment? How do you anticipate cybersecurity laws and policies will change over the next year in India?
Various factors have contributed to the delayed formulation of cybersecurity regulations in India, including the rapid advancement of technology, which continues to outpace regulatory response; intermittent and ineffective reporting of incidents; the private sector’s inability to accurately assess the criticality of available information and the likely harm that may be caused in the event of an incident; lack of cross-functional expertise on the nature of cybersecurity incidents that may be experienced by varied sectors; and government and private sector hesitation to mandate minimum standards for all categories of businesses, in view of the time and expense involved.
In the last year, however, there has been a renewed focus on the adoption of robust cybersecurity practices in India, from both the government and the private sector. Due to the covid-19 pandemic and the large-scale remote work and new technology adoption resulting from it, the private sector has been quite vigilant in adapting its processes, updating its budgets and responding to cyber threats in a timely and nuanced manner. Several organisations, such as the Data Security Council of India, have proactively issued advisories and assisted other private sector organisations to transition seamlessly to safer digital processes. We expect these initiatives to guide the government in terms of the level of cybersecurity preparedness expected from organisations, how the private sector has responded to cybersecurity threats, a renewed focus on the revision of policies and the diversified skill-set of response stakeholders, and testing the efficacy of protective technologies and strategies. Timely and descriptive cybersecurity reporting by the private sector will bring in more collaboration and clarity on better practices. The varied experiences of regulated businesses regarding cyber incidents will help guide policy, as it is likely that sensitive sectors such as healthcare and social security will require a higher standard of compliance in view of the nature of their operations and risk assessment.
We expect some regulatory developments proposed by the government to further energise compliance. The National Cyber Security Strategy 2020 is a long-awaited policy initiative of the government, and it is hoped that better security standards and priority allocation will be the norm after it is notified. The Guidelines on Regulation of Payment Aggregators and Payment Gateways require payment aggregators to implement security standards and best practices that will benefit the financial technology sector in India.
The proposed personal data protection legislation will also play a critical role in shaping the regulatory environment in relation to the protection of personal data, as it seeks to prescribe the security safeguards to be implemented by data fiduciaries (data controllers that determine the purpose and means of processing of personal data), which includes the use of methods such as de-identification and encryption, steps necessary to protect the integrity of personal data, and steps necessary to prevent the misuse, modification, disclosure or destruction of, or unauthorised access to, personal