Time to Bring New Legislation to deal with Cyberattacks

Contact Counsellor

Last Updated01/03/2022

The Ministry of Electronics and Information Technology is expected to issue new cyber security legislation requiring businesses to disclose any cybercrime, including data breaches, that has occurred against them.

Aside from commercial businesses, government services, particularly crucial utilities, are vulnerable to cyber-attacks and data breaches.
In the United States, a ransomware assault on a countrywide gas pipeline in 2021 effectively shut down the transit of around 45 percent of all gasoline and diesel consumed on the east coast.
If assessed as a country, Cyber crime is expected to cause $6 trillion in worldwide damages in 2021, that would be the world's third-largest economy behind the United States and China.

According to Clause 25 of the Data Protection Bill 2021 Data fiduciaries must notify any personal or non-personal data breach event within 72 hours of becoming aware of it.
Clause in EU GDPR : Even the gold standard for data protection, the European Union General Data Protection Regulation (EU GDPR), has a section requiring data breach occurrences to be reported within a specific timeframe.
In theory, this should increase cyber security and decrease assaults and breaches.

Other organisations are being notified: The Indian Computer Emergency Response Team and others can inform organisations about security vulnerabilities if incidents are reported.
Measures must be taken as a precaution: Firms that have not yet been impacted might take preventative actions such as installing security updates and upgrading their cyber security infrastructure.
Why are businesses hesitant to report a crime? Any violation of security or privacy has a detrimental impact on the reputation of the companies involved.
According to a Comparitech analysis, share prices for companies dip roughly 3.5 percent on average over the three months following a breach.
As a result, businesses assess the risks of not revealing occurrences vs the possibility for reputational damage if they do, and make decisions accordingly.

Periodic cyber security audits: How would a regulator know if a company fails to report a security breach?
It can only be done with the help of regular cyber security assessments.
Regulators in most countries, including India, do not have the resources to undertake comprehensive security audits on a regular basis.
Empanel third-party auditors: The government can appoint third-party cyber security auditors to undertake periodic cyber security impact assessments, particularly among all government agencies, both at the national and state levels, so that security risks and incidents can be discovered and avoided.
These plans can also be applied to cyber security audits and assessments.
Security command centre: Like IBM, which established a huge cyber security command centre in Bengaluru, other large corporations can be urged to establish similar centres to secure their assets.

Such measures will also pass the muster of the EU GDPR, thereby moving India closer to the set of countries that have the same level of cyber security and data protection as that of EU, for seamless cross-border data flow.