Bolstering cyber security in Indian digital economy

The new wave of digitisation has transformed the global business landscape. Corporates across the world are increasingly embracing tech-driven operations. The World Economic Forum estimates that 70% of value generated in the global economy in the coming decade will be based on digitally enabled business models. India, too, has been at the forefront of establishing itself as a formidable digital economy. With the world’s second-highest internet user base of 75 crore people, it recorded more than 5,500 crore digital transactions worth $300 billion in 2021. By decade end, India’s digital economy is expected to cross the $1-trillion mark — higher than the GDP of as many as 170 countries.

Amidst this digital revolution, data has emerged as the focal point for modern business operations. As per IBM, 90% of the data in the world today was generated in the last two years alone. The data created over the next five years will be more than twice the data created since the inception of digital storage. With mountains of digital information being generated on a regular basis, data has become the single point of cyber attacks for organisations. In 2021 alone, more than 11 lakh incidents of cyberattacks were reported to Indian Computer Emergency Response Team (CERT-In). Estimates suggest that 76% of organisations in the country suffered at least 1 cyberattack in the past 12 months. Loss resulting from cyber crimes has been upwards of Rs 63 crore.

Apart from causing huge financial losses, data leakages can result in the breach of sensitive user information. In such cases, consumers are exposed to the risk of misappropriation of their personal and confidential information. A single data loss incident can have wide-ranging effects on the public reputation and growth potential of businesses as well. But despite these serious ramifications, 40% of companies do not have a comprehensive strategy in place to respond to cyberattacks. Against this backdrop, the new directions issued by the Ministry of Electronics and Information Technology under the Information Technology Act, 2000 are opportune.

At the outset, the directions set a time limit of 6 hours for all service providers, intermediaries, data centres, corporates and government entities to report cybersecurity incidents to the CERT-In. In effect, these directions would cover the entire breadth of our digital landscape, ranging from app-based urban mobility services and food aggregators to e-commerce companies to fin-tech entities. The whole gamut of digital transactions facing an Indian consumer today would be included under the scope of these directions.

The directions also prescribe a comprehensive list of 20 categories of cybersecurity incidents that must be mandatorily reported. These include compromise of critical systems, unauthorised access to IT systems, identity theft and phishing attacks, data breach and data leaks, among others. An organisation can also be ordered to take necessary action or provide assistance to CERT-In towards “cyber security mitigation actions and enhanced cyber security situational awareness”. In addition, the directions impose other requirements such as designating a Point of Contact to interface with CERT-In for cybersecurity incidents and maintaining logs of ICT systems for 180 days within the Indian jurisdiction.

With the new directions set to come into force in less than a month, most organisations are scrambling to ramp up their digital security infrastructure and cyber safety expertise. Any contravention of the directions can attract a heavy penalty — a jail term of up to 1 year and a fine of up to Rs 1 lakh. Hence, the new and lesser-known area of cyber security must assume top priority across all levels and departments of an organisation.

Recently, the Securities and Exchange Commission (SEC) in the USA proposed rules requiring public companies to disclose the cybersecurity expertise (such as educational degree, certification, prior work experience or relevant background in cybersecurity) of its Board members. These rules are expected to be a catalyst for boardroom cyber competency and facilitate a culture of cyber awareness from the top-down. With the new norms on the horizon, the time is ripe for Indian boardrooms to usher in a similar forward looking approach toward cybersecurity.

The world is ever changing but technology is here to stay for the long haul. The penetration of digital services and tech processes has increased exponentially over the years while the understanding of cyber-related issues has remained limited. This has created deep vulnerabilities for both businesses and consumers. In this context, the new cybersecurity norms are a step in the right direction. They will provide impetus to robust digital infrastructure for ensuring cybersecurity awareness and preparedness. At the same time, they will protect the edifice of 21st-century businesses from collapsing at the mercy of malicious cyberattacks. Undoubtedly, these directions are the way forward in building a resilient digital economy for India.

END OF ARTICLE

Comments are closed.