By Jaya Pathak
A penetration test does not reveal the cyber risk of most businesses. They learn about it from an invoice that was never actually issued, a vendor's bank account details that changed somewhere in an earlier email thread, a client calling to demand why his or her personal information is circulating on Telegram, or, as often as not, a journalist's enquiry landing in a company mailbox at the worst possible moment. The first internal reaction is almost always technical panic and legal improvisation. The organisation buys time to find words ("We take security seriously") while silently hoping the incident will become an unpleasant anecdote rather than a reportable case.
That hope is often misplaced. The contemporary cyber incident seldom stays within the bounds of the one server that was exploited. It leaks into contracts, the compliance calendar, regulators' expectations, insurance negotiations, client trust and, ultimately, valuation. What boards have yet to grasp is that cyber risk is no longer an IT risk but a legal and governance risk. The building blocks of liability are already enshrined in Indian law; the reason so many companies behave as they do is a failure of corporate imagination, not a gap in legislation.
The law, however, takes a very keen interest once catastrophe strikes. Consider the civil liability regime in the Information Technology Act. Section 43A imposes direct liability on a body corporate that possesses, deals with or handles sensitive personal data or information: if it is negligent in implementing and maintaining reasonable security practices and procedures, and that negligence causes wrongful loss or wrongful gain to any person, it is liable to pay damages by way of compensation to the person affected.
This is the first strategic misreading most founders commit: they treat "reasonable security practices" as a technical standard and therefore somebody else's problem. Section 43A, however, defines reasonable security practices and procedures in a way that general counsel must pay attention to: they are the practices specified in an agreement between the parties or in any law in force, and in the absence of either, those prescribed by the Central Government in consultation with professional bodies. Stated differently, the agreement you sign with a client can quietly become the legal standard against which negligence is determined. The more established your customers, the higher your yardstick becomes. In this sense, cybersecurity is partly a negotiation and partly a self-imposed criterion, one that becomes hard to walk back later.
The second misjudgment concerns disclosure. In a great many organisations the doctrine of silence still holds: do not talk about it, do not tell anyone, do not stir things up. That instinct is understandable in a reputational crunch, and it sometimes works for a small event. But in many situations India's incident-reporting regime has ceased to be discretionary. Under Section 70B(6) of the IT Act, the directions issued by CERT-In impose a mandatory reporting requirement on service providers, intermediaries, data centres, body corporates and government organisations, which must report specified cyber incidents to CERT-In within six hours of noticing them or being informed of them. Annexure I explicitly lists data breaches and data leaks among the reportable incidents, alongside identity theft, spoofing and phishing attacks, unauthorised access to IT systems or data, and attacks on digital payment systems, among others.
Another detail, easy to ignore until it bites, is the direction to enable logs of all ICT systems and retain them securely for a rolling period of 180 days, hosted within Indian jurisdiction and made available to CERT-In when ordered or along with any incident report. For companies that outsource infrastructure this becomes an immediate governance question: can your vendors deliver, and can you contractually make them deliver in a hurry? Cyber incidents usually start as a security issue and quickly become a procurement issue. The organisations that fare better are those whose contracts presuppose failure and presuppose co-operation: logging, response times and escalation paths. The rest discover halfway through the incident that their vendor is still perusing the request.
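The 180-day rolling retention described above is something a defender can audit rather than merely assert. The following is an added example, not part of the article, written in Python: it takes a constructed inventory of log sources (names, hosting regions and the date ranges each actually holds) and reports, for a chosen cut-off date, whether each source covers the trailing 180 days without gaps and is hosted in India. The source names, dates, the set of regions treated as "in India" and the one-day gap tolerance are all assumptions made for the illustration.

```python
"""
Added example (not from the article): audit whether a set of log sources
covers the trailing 180-day retention window. The inventory, the region
list and the gap tolerance below are constructed assumptions.
"""
from datetime import date, timedelta

RETENTION_DAYS = 180   # rolling window described in the CERT-In direction
MAX_GAP_DAYS = 1       # assumption: a break longer than this counts as a coverage gap

# Assumption: which hosting regions count as "hosted in India".
INDIA_REGIONS = {"ap-south-1", "ap-south-2"}

# Constructed inventory. Each segment is an inclusive (first_day, last_day)
# date range during which that source actually has logs available.
SAMPLE_INVENTORY = {
    "firewall":    {"region": "ap-south-1",
                    "segments": [(date(2024, 1, 1), date(2024, 12, 31))]},
    "vpn-gateway": {"region": "ap-south-1",
                    "segments": [(date(2024, 7, 1), date(2024, 9, 30)),
                                 (date(2024, 10, 15), date(2024, 12, 31))]},   # gap in October
    "email-saas":  {"region": "eu-west-1",
                    "segments": [(date(2024, 1, 1), date(2024, 12, 31))]},    # hosted outside India
    "hr-portal":   {"region": "ap-south-1",
                    "segments": [(date(2024, 11, 1), date(2024, 12, 31))]},   # retention too short
}
SAMPLE_AS_OF = date(2024, 12, 31)   # constructed audit date


def audit_source(segments, region, as_of,
                 retention_days=RETENTION_DAYS, max_gap=MAX_GAP_DAYS):
    """Return {'compliant': bool, 'findings': [str]} for one log source,
    judged against the window of retention_days ending on as_of."""
    window_start = as_of - timedelta(days=retention_days - 1)
    findings = []
    # Clip every segment to the window, drop those outside it, sort by start.
    clipped = sorted(
        (max(s, window_start), min(e, as_of))
        for s, e in segments if e >= window_start and s <= as_of
    )
    if not clipped:
        findings.append(f"no logs at all in the last {retention_days} days")
    else:
        if clipped[0][0] > window_start:
            late = (clipped[0][0] - window_start).days
            findings.append(f"retention starts {late} day(s) late (earliest {clipped[0][0]})")
        prev_end = clipped[0][1]
        for s, e in clipped[1:]:
            gap = (s - prev_end).days - 1      # whole days with no logs between segments
            if gap > max_gap:
                findings.append(f"gap of {gap} day(s) between {prev_end} and {s}")
            prev_end = max(prev_end, e)
        if prev_end < as_of:
            findings.append(f"logs stop {(as_of - prev_end).days} day(s) before {as_of}")
    if region not in INDIA_REGIONS:
        findings.append(f"stored in {region}, outside India")
    return {"compliant": not findings, "findings": findings}


def audit_inventory(inventory, as_of):
    """Audit every source in the inventory; keyed by source name."""
    return {name: audit_source(info["segments"], info["region"], as_of)
            for name, info in inventory.items()}


if __name__ == "__main__":
    for name, result in audit_inventory(SAMPLE_INVENTORY, SAMPLE_AS_OF).items():
        status = "OK  " if result["compliant"] else "FAIL"
        print(f"{status} {name}: {'; '.join(result['findings']) or 'covers window'}")
```

Run against the constructed inventory, only the firewall passes: the VPN gateway shows a 14-day October gap, the email service is hosted outside India, and the HR portal's retention starts 119 days too late. A vendor whose contract presupposes co-operation should be able to produce the inputs to this kind of check on demand, not after the incident.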
Data protection law, meanwhile, has also raised expectations. The Digital Personal Data Protection Bill, 2023, in its summarised form, introduces a new compliance framework in which the entity that determines the purpose and means of processing personal data (the data fiduciary) must implement reasonable security safeguards to prevent a data breach and must notify the Data Protection Board of India and the affected individuals if a breach occurs. Storage limitation is also in focus: personal data is to be deleted once its purpose has been served, unless retention is required by law. One need not be a privacy theorist to see the business consequence: a company that holds data in case it might be useful may be holding liability in case as well. Many breaches are more devastating precisely because the attacker finds far more than the company actually needed to keep.
Within this framework sits a small but important governance shift: breach management moves from being an internal embarrassment to a reportable compliance event, with communication to the people affected. That communication is hard, reputationally and operationally. It also forces leadership to confront a question it prefers to postpone: what data do we hold, where is it, who can access it, and why do we have it? Most organisations answer that question only after a breach, which is learning fire safety through smoke.
This is where executives usually ask, in one sentence, whether they are legally protected. The candid answer is that the law is not a shield; it is a system for distributing blame. Under Section 43A, malice is not required: it is enough that an organisation failed to exercise reasonable security practices and that wrongful loss or gain followed. The six-hour CERT-In reporting requirement is indifferent to embarrassment; it rewards preparation and penalises delay. The data protection regime, as abridged by PRS, is built on the accountability of the data fiduciary for security safeguards and breach notification. A robust PR statement and a single IT policy do not solve these problems.
There is also a cultural element that Indian boards are very reluctant to mention. Most cyber-attacks begin with employees who act at speed because their company rewards speed and punishes hesitation. The fraudster's genius is organisational, not technical. The attacker plays on hierarchy ("the CEO needs this now"), incentives ("do not delay the client") and fear ("this will become an audit issue"). A company that wants legal safety must build behavioural safety: staff must be able to slow down a suspicious request without being treated as a nuisance.
Conclusion
For the contemporary business, cybersecurity is not only about keeping unwanted parties out. It is about whether, after a breach, you can look a client, a regulator or a board member in the eye and say, without theatrical defensiveness, that the business acted as a fiduciary of trust. The companies able to do that will not be the breach-proof ones. They will be the resilient ones. The market will increasingly price that difference.


