Cybersecurity Regulations and Compliance in India

Reading time: 8 minutes

Updated: June 2023

Technological advancement and its widespread use have exposed people to critical security vulnerabilities and opened the door to online threats that alarm business leaders and consumers alike. Building real resilience against breaches therefore calls for stringent cybersecurity regulation in India.

Consequently, the government regularly issues refined regulations to safeguard citizens and corporations against a constantly changing threat landscape, and cyber laws have been strengthened to reduce the exposure of "sensitive personal data" held by service providers and intermediaries.

The Indian cybersecurity market is expanding as India works to remain one of the leading investment hubs globally, which further raises the demand for clear regulatory mandates governing cybersecurity in India.

Cybersecurity Compliance Regulation in India

In July 2022, the Supreme Court held that data theft and hacking are offences not only under the Information Technology Act, 2000 but also under the Indian Penal Code.

The IT Act, 2000 was the first landmark in the history of cyber law in India. Section 70B, inserted by the 2008 amendment, designates CERT-In as the national agency for incident response, and the rules and directions issued under it require service providers, intermediaries, data centres, body corporates and government organisations to report cybersecurity incidents to CERT-In (the April 2022 directions set that deadline at six hours from noticing the incident). But as the nation absorbs digital transformation to the core, the existing rules no longer suffice. Gaps in the legal framework leave cybercriminals room to escape after committing serious crimes.

Territorial jurisdiction is one such significant gap, with serious legal implications. The Act touches on jurisdiction only briefly: Sections 46, 48, 57 and 61 deal with adjudication and the appellate process, and Section 80 empowers a police officer not below the rank of Inspector to enter and search any public place and to arrest without warrant any person reasonably suspected of committing an offence under the Act.

However, jurisdiction remains a grave challenge because cybercrime is geography-agnostic and borderless, and the preservation and collection of evidence across territories becomes a serious bone of contention.

Because the IT Act does not prescribe detailed, sector-specific security controls, several regulators have issued their own mandates.

The Department of Telecommunications (DoT), the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and the Insurance Regulatory and Development Authority of India (IRDAI) each have well-defined cybersecurity mandates regulating telecom service providers, banks, market intermediaries and insurers, among others.

Let us first learn about these government bodies responsible for regulating security in Indian cyberspace before diving deeper to discover the laws and regulations that aim to ensure said security.


Measures that ensure Cybersecurity Compliance Regulation in India


Part I: India's Key Players in Cybersecurity Regulation


CERT-In

CERT-In, the national nodal agency for responding to cybersecurity incidents, began operations in January 2004. The Information Technology (Amendment) Act, 2008 inserted Section 70B, which formally designates the Indian Computer Emergency Response Team as the national agency for incident response, and Section 70B(6) lets it issue binding directions: the directions of 28 April 2022 require reporting of specified incidents within six hours, retention of ICT system logs for 180 days within India, and synchronisation of system clocks with an approved NTP source. CERT-In acts as the primary task force responsible for the following:

  • Alerts and forecasts preventing cybersecurity incidents
  • Defining emergency measures to tackle and mitigate the effects of cyber risks
  • Collecting, analysing, and responsibly disseminating data on cyber threats
  • Constant coordination of cyber response activities
  • Issuing best practices, guidelines, and precautions in the public interest for better reporting and management of cyber incidents

Department of Telecommunications (DoT)

The Department of Telecommunications has also tightened its grasp on cybercrime, data privacy and consumer security in the telecom sector.

Both TRAI (Telecom Regulatory Authority of India) and the DoT have emphasised licensees' responsibility for consumer data, since a large share of the most sensitive online transactions is now conducted over mobile phones; TRAI's 2018 recommendations on privacy, security and ownership of data in the telecom sector set out the principles described below.

A proposal to restructure TRAI as the Digital Communications Regulatory Authority of India with expanded powers has been floated but not enacted at the time of writing, and TRAI continues to function under its existing name. The DoT is a department of the Ministry of Communications headed by the Telecom Secretary. In line with the IT ministry's approach, the DoT favours a layered consent architecture focused on secure processing of personal data: companies may collect only the consumer details required for a purpose stated at the time of collection, and may retain the data only as long as necessary.

Users are the final decision-makers on the use of their personal data and retain the right to withdraw their consent at any time.


Cyber Regulations Appellate Tribunal (CRAT)

CRAT was established by the Central Government under Section 48(1) of the IT Act, 2000 (the 2008 amendment renamed it the Cyber Appellate Tribunal) to hear appeals against orders of adjudicating officers and the Controller of Certifying Authorities; the Central Government specifies by notification the matters and places over which the Tribunal exercises jurisdiction. Since 2017 its functions have been vested in the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). For discharging its functions, the Tribunal has the same powers as a civil court under the Code of Civil Procedure, 1908, including the following:

  • Summoning and enforcing the attendance of any person and examining them on oath
  • Requiring the discovery and production of documents and other electronic records
  • Receiving evidence on affidavits
  • Issuing commissions for the examination of witnesses or documents
  • Reviewing its decisions
  • Dismissing an application for default or deciding it ex parte

Insurance Regulatory and Development Authority of India (IRDAI)

In the wake of escalating cyber attacks on financial institutions, IRDAI rolled out a comprehensive information and cybersecurity framework for insurers (guidelines first issued in 2017 and revised in 2023). The directives focus on mitigating external as well as internal threats, preventing cyber fraud, establishing robust business continuity and building risk assessment plans that strengthen the insurance sector. The key risk areas identified for the insurance industry are:

  • Online transaction and messaging fraud
  • Data leakage
  • Intellectual property violations
  • Ransomware attacks


Part II: Essential Regulatory Frameworks Shaping the Cybersecurity Landscape

PCI DSS

The growth of digital payments has escalated cyber risk nationwide. PCI DSS (Payment Card Industry Data Security Standard) applies to every entity that stores, processes or transmits cardholder data, regardless of transaction volume. The major card brands, American Express, Discover, JCB, MasterCard and Visa, founded the PCI Security Standards Council to combat card fraud and payment-card identity theft.

PCI DSS is an industry standard rather than a law: no government mandates it directly, and it is enforced contractually through the card brands and acquiring banks, which can impose fines, higher transaction fees or loss of card-acceptance rights on non-compliant merchants and service providers. It standardises the security goals for card-data environments as twelve requirements grouped under six control objectives. Indian regulators also lean on it: the RBI's guidelines for payment aggregators and payment gateways require PCI DSS compliance. Every company that processes, stores or transmits card data should therefore ensure compliance, both to satisfy its acquirer and to win customer confidence. The current version, PCI DSS v4.0, was published in March 2022.


Reserve Bank of India Cyber Security Framework (2016 and 2018)

In June 2016 the RBI issued a Cyber Security Framework for scheduled commercial banks, and in October 2018 it issued a Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs), later extended with a graded approach that scales controls to each bank's evolving IT risk profile. Because the level of technology adoption and digitisation varies across banks, the RBI framework aims to set a common security baseline for all of them.

Every UCB must document a cybersecurity policy, distinct from its broader IT policy, and have it approved by its Board or Administrator. Following these guidelines is essential for building banks that remain resilient to cyber risk as business complexity grows.
While assessing inherent cyber risk, UCBs should evaluate the technologies adopted, the digital products offered, the delivery channels used, and other external and internal threats.

With the nature of risk diversifying and intensifying, traditional Business Continuity and Disaster Recovery arrangements may not be enough. UCBs must be able to promptly detect cyber intrusions so that they can respond, contain the impact and recover.


Securities and Exchange Board of India (SEBI)

In 2018 and 2019, SEBI issued detailed cybersecurity and cyber resilience frameworks for the entities within its purview, including Stock Exchanges, Clearing Corporations, Depositories, Stock Brokers, Depository Participants, Asset Management Companies (AMCs) and Mutual Funds.

  • Dec 03, 2018: framework for Stock Brokers and Depository Participants
  • Dec 07, 2018: framework for Stock Exchanges, Clearing Corporations and Depositories
  • Jan 10, 2019: framework for Asset Management Companies and Mutual Funds

These frameworks focus on protecting customer data and the integrity and availability of trading systems, and define the obligations placed on each of these organisations, including a board-approved cybersecurity policy, periodic vulnerability assessment and penetration testing, and reporting of cyber incidents to SEBI.


The Health Insurance Portability and Accountability Act (HIPAA)

When it comes to cybersecurity, the healthcare industry has always been comparatively slow to adjust.

The Health Insurance Portability and Accountability Act is a United States law whose Privacy and Security Rules set the requirements for protecting patients' medical information (protected health information). A person's medical data is among the most private data there is, and HIPAA requires administrative, physical and technical safeguards to protect it from attackers and from careless disclosure. It is not Indian law: it binds Indian organisations only when they handle data of US covered entities, typically as business associates under contract. The closest domestic counterpart is the SPDI Rules, 2011 under the IT Act, which classify medical records and health conditions as sensitive personal data.

Fortunately, the steps to build a sturdy cybersecurity framework for a healthcare organisation are not outlandish. Role-based access limitations, malware protection, firewalls and encryption of health records go a long way towards staying secure.


SANS 20

With the surge of reported cyber fraud and data theft, organisations are under enormous pressure to keep user data secure.

In response, the SANS Institute, working with the Center for Internet Security (CIS), created a well-researched, prioritised security framework: the Critical Security Controls for Effective Cyber Defense, long referred to as the SANS Top 20. The controls are now maintained by CIS as the CIS Critical Security Controls; version 8 (2021) consolidates them into 18 controls, tiered into three implementation groups so that smaller organisations can start with the essentials. They help companies prioritise and focus on usable, scalable, implementable activities and meet required security standards.

CIS publishes mappings from the controls to many other regulations and compliance frameworks, including PCI DSS, HIPAA and ISO 27001, so implementing the controls gives an organisation a head start on those audits.


OWASP Top 10

The Open Worldwide Application Security Project (OWASP) Top 10 is globally recognised as the reference for web developers on the most critical web application security risks; the 2021 edition ranks Broken Access Control, Cryptographic Failures and Injection at the top. It is an awareness document rather than a standard, and adopting it is the first step towards securing web applications against evolving threats. Relying on the OWASP Top 10 is an effective way to shift the software development culture within an organisation towards producing more secure code.


The National Cyber Security Strategy, 2020

The National Cyber Security Strategy 2020 was prepared by the Office of the National Cyber Security Coordinator under the National Security Council Secretariat to succeed the National Cyber Security Policy, 2013 and address the evolving challenges and threats in cybersecurity. Although widely consulted on, it had not been formally notified at the time of writing. The strategy aims to safeguard critical national information infrastructure, protect public and private sector entities, and ensure the safety and privacy of individuals in the digital domain.

Key elements of the strategy include:

  • Enhancing cybersecurity governance and coordination.
  • Promoting cybersecurity awareness and education.
  • Establishing robust incident response mechanisms.
  • Fostering public-private partnerships to strengthen cybersecurity resilience across sectors.

Information Technology Rules, 2021

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 replaced the Information Technology (Intermediaries Guidelines) Rules, 2011. They were issued by the Ministry of Electronics and Information Technology under the IT Act to govern intermediaries, significant social media intermediaries and digital media publishers.

The rules address concerns about online content, user privacy and platform accountability. They require intermediaries to publish their rules and privacy policy, establish a grievance mechanism, appoint a grievance officer, acknowledge complaints within 24 hours, and act promptly on takedown orders from courts or the government. Significant social media intermediaries must additionally appoint a resident Chief Compliance Officer and a nodal contact person and publish periodic compliance reports.

The October 2022 amendment also places an obligation on social media intermediaries (SMIs) to "uphold the rights guaranteed to citizens under the Constitution, including in articles 14, 19, and 21." Considering the significant role that SMIs play in public discourse and the potential impact of their actions on the fundamental rights of individuals, extending the application of fundamental rights to them is praiseworthy.

By promoting a safer online environment, responsible digital practices and transparency in platform operations, the IT Rules 2021 aim to enhance the overall digital ecosystem.


Know Your Customer (KYC)

With more than a million new internet users coming online every day since January 2018, India is expected to enjoy annual digital growth of 9.1%.
Payment fraud has already grown into a billion-dollar problem, and it is expanding rapidly.


Retailers are set to lose some $130 billion in digital CNP (Card-not-Present) fraud between 2018 and 2023.

~Juniper Research


To counter this, businesses implement a range of Know Your Customer (KYC) controls to verify who they are dealing with and to secure the customer journey. In India the RBI's Master Direction on KYC (2016, as amended) sets the rules for regulated entities, including video-based customer identification (V-CIP) for remote onboarding.

Done well, KYC gives customers confidence that the business manages compliance and fraud risk properly, and gives the business a verified identity on which to anchor its fraud detection, whether customers are onboarded locally or globally.


Final Thoughts

According to the Ministry of Electronics and Information Technology (MeitY), there were 47 incidents of data leaks and 142 data breaches in the past five years.


“With the expansion of the Internet, more and more Indians coming online and an increase in the volume of data generated, stored and processed, instances of data breaches have also grown.”

Rajeev Chandrasekhar,
Union MoS for Electronics and Information Technology


Hence, incident management, evidence capture, digital forensics and breach reporting, working together, are the key to survival.

India has witnessed a three-fold increase in cyberattacks while security efforts have lagged behind. More robust cybersecurity laws and measures, and considerably more investment in cybersecurity, are needed.

More organisations are investing heavily in fraud detection to catch potential identity breaches. Incident response capabilities are expected to evolve from mere root-cause analysis to a holistic business response plan covering prevention, cyber awareness, employee training and recovery.

The legislature is also exploring modernising the IT Act to keep pace with rapid digital and technological advances.

FAQs

Q) What are cyber security laws and regulations?
A) Cybersecurity laws and regulations are rules and guidelines to protect computer systems, networks, and digital information from unauthorised access, theft, damage, or disruption. They aim to ensure data confidentiality, integrity, and availability and promote secure online practices. These laws define the responsibilities of individuals, organisations, and government entities in safeguarding digital assets.


Q) What are the regulatory bodies for cybersecurity in India?
A) In India, cyber security is regulated by multiple entities and bodies. The Ministry of Electronics and Information Technology (MeitY) is the primary regulatory authority for cyber security. MeitY is responsible for formulating and implementing policies, guidelines, and frameworks related to cyber security in the country.


Q) Which is the main cyber law in India?
A) The main cyber law in India is the Information Technology Act, 2000 (IT Act). The IT Act provides a legal framework for electronic governance and regulates electronic transactions, digital signatures, data protection and cybersecurity. It defines offences and penalties for various cybercrimes and establishes procedures for investigation and prosecution.


Q) What are the cyber security regulations in 2023?
A) The most recent cybersecurity rules in force in India are the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, as amended in 2022, which focus on platform accountability, user privacy and grievance redressal, and the CERT-In directions of April 2022, which set incident-reporting and log-retention obligations.


Q) What are the cyber security trends for 2024?
A) According to a recent Gartner report, it is anticipated that by 2024 approximately half of all organisations will rely on AI-powered security operations centres (SOCs) to identify cyberattacks more swiftly than conventional approaches allow.


Published on Sep 15, 2020
Harshit Agarwal
Written by Harshit Agarwal
Harshit Agarwal is the co-founder and CEO of Appknox, a mobile security suite that helps enterprises automate mobile security. Over the last decade, Harshit has worked with 500+ businesses ranging from top financial institutions to Fortune 100 companies, helping them enhance their security measures.
Beyond the tech world, Harshit loves adventure. When he's not busy making sure the digital realm is safe, he's out trekking and exploring new destinations.
