India’s ever-expanding digital infrastructure in the wake of the pandemic has escalated the demand for new, updated, and improved regulatory mandates for strengthening cybersecurity and preventing cybercrime. Rampant, almost weekly cybersecurity attacks have set off alarm bells across businesses, organizations, and individuals. Whether it is the cyber-attacks on Air India, Dominos or others, data leaks and data theft in which personal data is compromised appear to have become a regular phenomenon with staggering costs. In fact, according to IBM’s Security Data Breach report, in the financial year ending March 2022 the cost of a data breach in India was INR 175 million, which is over USD 2 million. And let us not forget the most recent “Mother of All Breaches,” one of the largest data breaches to date, which could compromise billions of accounts worldwide and has prompted concerns of widespread cybercrime. This massive leak reveals 26 billion records from sites including LinkedIn, Snapchat, Venmo, Adobe and X, as well as government organizations around the world, including those in the US. The compromised data includes more than just credentials; in fact most of it is “sensitive,” which makes it valuable to malicious players. Over a relatively short period of time, cybersecurity has become a top concern of companies, financial institutions, law enforcement agencies and many regulators. Boardrooms are also cognizant of this systemic threat, and awareness is growing. But the question remains: do directors have the information and the tools to effectively oversee and plan for today’s hacking dangers?
This newsletter examines the interplay between the board’s role in good corporate governance and its oversight and management of cybersecurity risks to mitigate cybercrime.
2. Recent Legal Regime Changes
In response to the rapid digital transformation, the Indian government began to reevaluate how it regulates cybersecurity and cybercrime. While there is no exclusive cybersecurity law, the Information Technology Act of 2000, along with other sector-specific regulations, remains the primary law promoting cybersecurity standards. It also provides a legal framework for critical information infrastructure. In 2004, the Indian Computer Emergency Response Team (“CERT-IN”) became the nodal agency for collecting, analyzing, forecasting, and disseminating non-critical cybersecurity incidents. In addition to cybersecurity incident reporting, CERT-IN issues guidelines and recommends security practices for managing incidents. On April 28, 2022, it issued directions relating to information security practices, prevention, response and reporting of cyber incidents. The directions are made under section 70B of the Information Technology Act and set up the regulatory framework for the retention, flow and accessibility of information on cyber security incidents. All Indian companies, service providers, intermediaries, data centers, and businesses are mandated to report identified cybersecurity incidents and data breaches within six hours. Apart from the imposition of hefty fines, non-compliance can even lead to imprisonment for individuals. This short timeframe leaves little room to investigate an incident before filing a detailed report.
While different laws and rules have been enacted since 2000, it is not possible to delve into them all, but it is essential to touch upon the latest and most important one. On August 11, 2023, the Indian Central Government passed the Digital Personal Data Protection Act (“DPDP Act”). Amongst other things, the DPDP Act will establish a regulator, the Data Protection Board of India, and creates a new class of data fiduciaries, significant data fiduciaries, meaning organizations determined to pose increased risk based on a government assessment. Such organizations must comply with additional requirements. Under this act, the broad definition of personal data is based on the EU’s General Data Protection Regulation. It aims to protect data principals and restrict the activities of data fiduciaries. The DPDP Act obligates data fiduciaries to (a) contractually bind third-party data processors to follow DPDP procedures, (b) ensure personal data is complete and accurate before using it to make a decision that affects the data principal or before transferring it, (c) implement the organizational measures and technical protocols necessary to ensure ongoing compliance, (d) implement reasonable security safeguards and audits to protect personal data and prevent personal data breaches, (e) notify all affected data principals and the Data Protection Board (when formed) of known data breaches, and (f) destroy all personal data when a data principal withdraws consent, unless retention is required by law. Therefore, there is a need for heightened attention to obligations under the evolving laws and regulations and, of course, to those who run the corporations subject to them.
3. Corporate Governance & Board Role in Cybersecurity
Companies are managed under the direction of their board of directors. When considering the board’s role in addressing cybersecurity issues, it is useful to know its broad duties towards the corporation and its role in corporate governance and overseeing risk management. Those who manage must answer to the owners, i.e., the shareholders. Shareholders are increasingly cognizant of the dangers of data breaches for companies and expect to hold boards and senior management responsible for managing cyber risks effectively, including dealing with inevitable intrusions. Consequently, directors need to know the situations they must plan for, and this means asking the right questions and being transparent about data breaches. Companies are often reluctant to disclose breaches and contact authorities, since they themselves would most likely be held responsible. Given the known risks of cyber-attacks, one would expect boards and senior management to take proactive steps to address such risks. The Companies Act, 2013 mandates preparation of an annual report which should contain details of a risk management policy. Given the relevance of a cohesive approach to risks, such policies should also include cyber risks, which will enable companies to proactively manage uncertainty and change to limit negative impacts. It is fair to say that principles of corporate governance now require companies to analyze whether their organizational structures can deal with cybersecurity issues. Here are some considerations to be mindful of.
3.1 Cyber risk committee: Since cyber risk spans the enterprise, all board members must actively participate in the discussion. Organizations should establish a cyber-risk committee with a charter that mandates cyber education for the board. This means companies must ensure the board comprises members with an understanding of the technology issues that pose risks to the company. If boards understand and are properly educated about cybercrime, a proactive strategy will be a natural outcome.
3.2 Risk assessment: This is fundamental. The board should monitor and ensure that the company identifies the key assets to protect. These could include customers’ personal information, sensitive financial data, intellectual property, etc. In doing so, it is imperative to understand which aspects of the network must be relatively open and which must be tightly closed. Question and evaluate who should have access and who has administrator privileges. It is not a matter of trust, but a fundamental matter of minimizing risk and containing possible breaches that may be introduced by third parties. Should IDs have single or multi-factor authentication? How frequently should the network be monitored? Clearly, one size does not fit all, but it is safe to say these basics of risk assessment apply to every such assessment.
3.3 Response team and plan: To respond effectively to an incident, it is critical to have a separate team (distinct from the cyber risk committee, though possibly with some overlap) in place ahead of an incident. This team should consist of senior officials representing different functions, such as IT, operations, compliance, communications and legal. Bigger companies also have lobbying teams that tap government resources to contain breaches. The response team must develop a plan for what to do when an attack occurs. Amongst other things, such a plan should address how to minimize the risk of further compromise and operational downtime. It should also address the people to mobilize, legal obligations, mandatory and advisable disclosures, and the timing of communications, both internal and external (for example, to customers, regulators, law enforcement, agencies, investors and the press).
In other words, boards now have no choice but to plan for the allocation of time and sufficient corporate resources to address cybersecurity and, if they are already deeply engaged, to re-evaluate the need to ramp up their efforts. They must discuss and devise strategies for (a) periodically informing stakeholders about the measures adopted to protect their personal data, (b) reviewing annual budgets for privacy and IT security programs, (c) assigning roles and responsibilities for privacy and security, and (d) creating a system for regular reports on breaches and IT risks.
3.4 Periodic contract reviews: It is also essential to conduct reviews of existing contracts with vendors, subcontractors and other relevant third parties. When companies give their vendors access to customer and client data, they relinquish some degree of control and, therefore, should be fully on top of how those vendors operate. While negotiating contracts, the provisions should aim to transfer the risk which a company is unable to mitigate on its own. Usually, such contracts specify the types of incidents covered and the financial implications of violations, seek details of insurance policies, and even ask for the company to be added to such policies as a beneficiary. It is quite common to limit liability and cap monetary damages while excluding certain types of damages. Hence, evaluate:
- limitation of liability clauses, to see whether they allocate the liability between the parties,
- if the vendor is required to share details on how it is managing the company’s data and which party should be responsible for fines or costs emerging from the situations where the vendor violates its obligations to keep data secure,
- mechanisms to respond to security incidents including notification obligations if the vendor materially alters any of its security practices. This is necessary to evaluate if new practices maintain security levels agreed at the time of contract execution,
- the extent to which a company can monitor ongoing compliance of its vendors,
- whether the data security risk extends down the chain and, if so, how to ensure obligations are imposed on others in the chain, such as subcontractors. A single weak security link makes all parties vulnerable to a breach.
In the US, the Securities and Exchange Commission charged a chief information security officer with fraud for misleading statements in filings related to the company’s known cybersecurity risks. This may be a precursor of what is to come across the globe, where such positions are likely to face greater scrutiny. Going forward, the board too will need to ensure that senior people in similar roles have strong systems and processes which allow them to promptly escalate known security issues and to document internal discussions and decisions in the event of an incident.
Through effective corporate governance, the board ensures that management serves the company and its shareholders. Corporate governance, if performed properly, results in the protection of shareholder assets. Boards need to be active, engaged, informed, focused on shareholder interests, and able to recognize when and how to adapt to new situations. To that end, board oversight of cyber-risk management is critical. Given the heightened awareness of these rapidly evolving risks, directors should take their obligations seriously and make sure that companies are appropriately addressing them, or the consequences may be fatal. Nobody wants business disruptions, unplanned significant costs, negative publicity, or reputational damage. Add to that the potential litigation and liability for failure to implement adequate steps to protect the company. Of course, the board cannot do everything. In order to handle cybersecurity issues and mitigate the effects of cyber-attacks, directors should work closely with the company’s senior management responsible for implementing adequate practices. They can do so, provided they are ready themselves. Therefore, a board’s readiness is not a luxury, but a compelling necessity. And the Time is Now.