Cybersecurity Compliances and Regulations in India

Technological advancement and its widespread use have exposed people to critical security vulnerabilities. Organizations need strong resilience against security breaches, which drives the demand for stringent cyber laws in India.

Online security threats are grabbing headlines that alarm both business leaders and consumers.

The Indian cybersecurity market is expanding to ensure India's stature as one of the leading investment hubs globally. This escalates the demand for stringent regulatory mandates to maintain cybersecurity in India.

With the number of cybercrimes multiplying and alarming the nation, the Government regularly issues refined regulations to safeguard citizens and corporates from the ever-changing threats of the web. Further, strong cyber laws have been enforced to reduce the exposure of "sensitive personal data" held by service providers and intermediaries.

Cybersecurity Compliance Regulation in India

The operations of all service providers, data centers and intermediaries fall under the jurisdiction of the Information Technology Rules, 2013. This directive mandates the real-time reporting of all cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In).

The ITA was regarded as the first landmark in the history of cyber laws in India, but as soon as the nation began absorbing digital transformation to the core, the existing rules no longer sufficed. Loopholes in the legal system left several gaps through which cybercriminals could escape after committing serious crimes.

Territorial jurisdiction is one such significant gap, with serious legal implications. The Act touches on jurisdiction only briefly: in Sections 46, 48, 57 and 61, in connection with the adjudication procedure and the appellate process, and in Section 80, which empowers the police to search any public place in connection with a cybercrime.

But with cybercrimes being geography-agnostic and borderless, jurisdiction remains a grave challenge. Consequently, the preservation of evidence across territories becomes a serious point of contention.

Nevertheless, most cybercrimes in India were sufficiently covered under the relevant sections of the Indian Penal Code, giving investigating bodies comfort and assurance.

Since India lacks a dedicated, comprehensive cybersecurity law, several sector-specific regulations have been issued by the major Government bodies. The Department of Telecommunications (DOT), the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) each have well-defined cybersecurity mandates regulating large entities such as insurance companies, banks and telecom service providers, among others.

Measures that ensure Cybersecurity Compliance Regulation in India

To ensure that Indian cybersecurity compliance requirements are effective, the Government has taken several other measures to establish a cohesive framework:

CERT-In

CERT-In, the national nodal agency responsible for responding promptly to cybersecurity incidents, began official operations in January 2004.

Under the latest reforms of the Information Technology Amendment Act, the Indian Computer Emergency Response Team was officially designated as the national agency for cybersecurity. The body acts as the primary task force responsible for:

  • Issuing alerts and forecasts to prevent cybersecurity incidents
  • Defining emergency measures to tackle and mitigate the effects of cyber risks
  • Collecting, analyzing and responsibly disseminating information on cyber threats
  • Coordinating cyber incident response activities
  • Issuing best practices, guidelines and precautions in the public interest for better reporting and management of cyber incidents

CRAT

The Cyber Regulations Appellate Tribunal (CRAT), established under Section 48(1) of the IT Act, 2000, is the chief appellate body constituted by the Central Government. The Central Government notifies the cybersecurity matters that fall under the jurisdiction of the Tribunal.

The Tribunal has the same powers as a civil court under the Code of Civil Procedure, 1908, including:

  • Summoning and enforcing the attendance of any person and examining them on oath
  • Requiring the discovery and production of all related electronic records and documents
  • Receiving evidence on affidavits
  • Issuing commissions for the examination of witnesses or documents
  • Reviewing its own decisions in light of the particulars of the incident
  • Dismissing an application for default or deciding it ex parte

PCI DSS

The prevalence of digital transactions has escalated cyber risks nationwide.

PCI DSS applies to all entities handling online card transactions. The major card networks, including American Express, Visa, Discover and MasterCard, joined hands to combat identity theft and credit card fraud. PCI DSS does not impose fines or government mandates of its own, but it standardizes the security goals for online transactions.

Compliance is driven by the positive incentive of demonstrating full adherence to customer data security expectations. All companies that process, store or transmit credit card data are therefore recommended to comply, in order to win customer confidence.

Reserve Bank of India Act 2018

RBI issued detailed cybersecurity guidelines governing the operations of all urban co-operative banks (UCBs), requiring them to carefully assess evolving IT risk factors. Because the level of technology adoption and digitization varies across banks and sectors, the guidelines aim to standardize the security frameworks for all of them.

All UCBs must put their cybersecurity policy in writing, approved by their Board or Administrator. Following these guidelines is essential to build reliable banking institutions that can withstand cyber risk amid growing business complexity.

While assessing their inherent cyber risks, UCBs should carefully evaluate the technologies they have adopted, the digital products they offer, their delivery channels, and other external and internal threats.

With risks becoming more diverse and intense, traditional Business Continuity and Disaster Recovery arrangements may no longer suffice. UCBs need to detect cyber intrusions promptly so that they can respond to, contain and recover from cyberattacks.

IRDA

In the wake of escalating cyberattacks on financial institutions, the Insurance Regulatory and Development Authority of India (IRDA) rolled out a comprehensive cybersecurity framework to strengthen the security of insurers.

IRDA's directives focus on mitigating external and internal threats, preventing cyber fraud, and establishing robust business continuity and risk assessment plans, strengthening the foundations of a secure fintech industry.

The key focus areas for the insurance industry remain:

  • Online transaction and messaging fraud
  • Data leakage
  • Risk of IPR violations
  • Ransomware attacks

DOT

The Department of Telecommunications has also tightened its grip on cybercrime, data privacy and consumer security.

The designated officials of TRAI (Telecom Regulatory Authority of India) and DOT have amended the cyber laws, underlining their responsibility towards consumer data, since the most critical online transactions are conducted via mobile phones.

TRAI, the telecom industry watchdog, is renamed the Digital Communications Regulatory Authority of India, with modified and intensified powers.

The DOT continues to function as an inter-ministerial body, with the telecom secretary as its highest decision-making authority. The DOT, in collaboration with the IT ministry, favors a layered consent architecture focused on secure personal data processing. Companies may collect only the consumer details they require, and only after stating the purpose of collection. Further, the data may be stored only for as long as it is necessary.

DOT has confirmed that internet users will have the final say over how their personal data is used, including the right to withdraw their consent at any time.

SEBI

In 2018 and 2019, SEBI issued detailed guidelines for organizations within its purview, including Depository Participants, Stock Brokers, Asset Management Companies (AMCs), Stock Exchanges, Mutual Funds, Clearing Corporations and Depositories:

  • Dec 03, 2018: Guidelines for Depository Participants and Stock Brokers
  • Jan 10, 2019: Guidelines for Asset Management Companies and Mutual Funds
  • Dec 07, 2018: Guidelines for Clearing Corporations, Stock Exchanges and Depositories

All these guidelines focus strictly on ensuring the security and reliability of customer data, and set firm limits on what these organizations may do with it.

HIPAA

When it comes to cybersecurity concerns, the healthcare industry has always been comparatively slow to adjust.

The Health Insurance Portability and Accountability Act (HIPAA) sets out the requirements for protecting the personal medical records of patients and clients. A person's medical data is probably the most private data there is, and HIPAA safeguards it from hackers and spammers.

Fortunately, the steps needed to build a sturdy cybersecurity framework for healthcare organizations are not exotic. Healthcare organizations can stay secure by following basic measures such as access restrictions, antivirus controls and firewalls.

SANS 20

With reports of cyber fraud and online theft piling pressure on organizations today, the burden of maintaining user data security is enormous.

In response, the SANS Institute, working with the Center for Internet Security (CIS), created a comprehensive, well-researched security framework: the Critical Security Controls (CSC) for Effective Cyber Defense, commonly referred to as the SANS Top 20. SANS 20 helps companies prioritize and focus on activities that are usable, scalable and implementable, and that meet the required security standards.

These recommended controls form the backbone of many other regulations and compliance frameworks, including PCI DSS 3.1, NIST 800-53, ISO 27002, CSA and HIPAA.

OWASP Top 10

The OWASP Top 10 is globally recognized as the standard reference for web developers on secure coding. This awareness document serves as the first step towards securing web applications against evolving cyber threats.

Adopting the OWASP Top 10 is widely considered the most effective first step towards transforming an organization's software development culture to produce more secure code.

KYC

With an average of over one million new internet users every day since January 2018, India is expected to see annual digital growth of 9.1%.

Payment fraud has already grown into a billion-dollar problem and is expanding rapidly. Juniper Research projected that online sellers would lose $130 billion to online transaction fraud between 2018 and 2023.

To counter this, businesses began implementing a wide range of Know Your Customer (KYC) measures to verify and secure the entire customer journey.

KYC gives customers peace of mind, as they can be confident in the business's compliance management and anti-fraud technology. KYC services are designed and implemented to be future-proof and fail-safe, locally and globally, today and in the future.

Final Thoughts

In an era where cyber breaches are inevitable, effective incident response is the key to survival.

Incident management, evidence capture, digital forensics and breach reporting, working together as a unified capability, can lessen the impact of this era of cybercrime.

According to CERT-In, India has witnessed a three-fold increase in cyberattacks, fuelling the need for stronger cybersecurity laws and measures and for greater investment in cybersecurity.

More organizations are pooling their efforts and investing heavily in fraud detection to proactively identify likely identity breaches. Incident response capabilities are expected to evolve from mere root cause analysis into a holistic business response plan covering prevention, precaution, cyber awareness, employee training and self-healing.

Published on Sep 15, 2020
Written by Harshit Agarwal
Harshit Agarwal is a serial entrepreneur, passionate about end-to-end mobile app security. As a Microsoft Venture Accelerator alumni and CEO of Appknox, he works with enterprises globally ranging from some of the top Fintech companies to Fortune 100 businesses in setting up continuous mobile application security processes.