Publicly traded companies in India are subject to numerous cybersecurity obligations under various legislation, rules, and sector-specific regulations. The primary legislation addressing cybersecurity is the Information Technology (IT) Act of 2000, which governs various aspects of cybersecurity, data protection, and cybercrime. Some notable regulations include the following.
· The Securities and Exchange Board of India (SEBI) mandates that stock exchanges, depositories, and clearing corporations adhere to standards such as ISO/IEC 27001, ISO/IEC 27002, and COBIT 5. Listed entities are required to disclose details of cybersecurity incidents, breaches, and data/document losses in their quarterly compliance reports on corporate governance.
· In April 2022, the Computer Emergency Response Team-India (CERT-In) issued a new directive modifying obligations under the 2013 rules. These include requirements to report cybersecurity incidents within six hours, sync system clocks to the time provided by government servers, maintain security logs in India, and store additional customer information. All intermediaries are required to report cybersecurity incidents to CERT-In.
· The Reserve Bank of India (RBI) has established a Cyber Security Framework to ensure adequate preparedness among banks. Every bank is required to report incidents within two to six hours of detection. Similarly, insurance companies must report cybersecurity incidents to the Insurance Regulatory and Development Authority within 48 hours of detection.
· In August 2023, India passed a data protection law, the Digital Personal Data Protection Act. This law mandates that entities that collect user data obtain express user consent before processing it, with some exceptions. It also imposes heightened compliance measures on certain entities designated as "Significant Data Fiduciaries" due to the nature and volume of personal data they process. The Act also prohibits the behavioural monitoring of, and targeted advertising directed at, minors.
The SolarWinds case has highlighted the pivotal role of CISOs not only in maintaining the security of digital assets but also in ensuring the trust of investors and the public at large. CISOs are expected to prioritize cybersecurity, foster a security culture of open communication and accountability regarding cybersecurity risks, and ensure compliance with regulations. They are also expected to have a comprehensive incident response plan to effectively manage and mitigate the impact of cyberattacks.
In the aftermath of the SEC allegations, discussions with security leaders revealed three key challenges they grapple with in meeting escalating regulatory obligations:
1. Data overload from cybersecurity prioritization systems: Cybersecurity leaders contend with the deluge of data generated by security prioritization systems. Navigating this sea of information becomes a formidable task, hindering the efficient identification and mitigation of potential risks.
2. Never enough time and budget for both operational management and strategic risk reporting: The perpetual struggle to balance operational management with strategic risk reporting creates a significant hurdle for cybersecurity leaders. The scarcity of both time and budgetary resources often forces leaders into a reactive stance, leaving strategic risk decisions to be made on ambiguous information. Resolving this challenge requires streamlined processes and tools that not only optimize operational efficiency but also facilitate comprehensive and timely strategic risk reporting.
3. Fragmented tools for cyber risk management: Security leaders need the right tools to drive strategic and proactive cyber conversations with the board and regulators. To fulfil this role effectively, cybersecurity leaders must be equipped with tools specifically designed to foster a proactive cyber risk management approach. These tools should provide not only a comprehensive understanding of current threats but also predictive insights to stay ahead of evolving risks. Equipping cybersecurity leaders with the right technological tools enables them to articulate cybersecurity strategies coherently and proactively engage with key stakeholders.
Three practices help security leaders address these challenges:
1. Leverage automation technology to convert security controls into cyber risks: Use a cyber risk automation platform that integrates with enterprise security tools through APIs and reports the state of controls with reduced ambiguity. Use the MITRE ATT&CK and D3FEND frameworks to translate security controls into the likelihood of cyber risks. This allows companies to regularly monitor and assess their cybersecurity maturity to identify and address risks, including staying up to date with the latest cybersecurity threats and trends and implementing the necessary changes to the security controls landscape to stay ahead of potential risks. Alfahive integrates with enterprise security tools, leverages frameworks such as MITRE ATT&CK and D3FEND, and specializes in translating security controls into the likelihood of cyber risks.
2. Assess the impact of cyber risks on your business: Use technologies like Alfahive's automation platform, trained on extensive cyber loss event data and industry-specific risk scenarios. It assesses the impact of cyber risks on your business, enabling informed risk management and reporting decisions. Automation technology provides a transparent methodology for assessing the impact of cyber risks, facilitating informed risk decisions, and disclosing material cybersecurity risks and incidents transparently.
3. Simulate, prioritise risks and report strategically: An automation platform automates risk prioritization by simulating the controls against cyber threats. With built-in reporting and dashboarding capabilities, the need for manual reporting is significantly reduced, enabling strategic engagement with board members and regulators. It ensures that companies prioritize cybersecurity and invest in robust security measures to protect their digital assets and customer data. This includes regular security audits using the platform and maintaining an audit trail of all risk decisions.
The SolarWinds case serves as a wake-up call for organizations worldwide. It highlights the importance of robust cybersecurity practices and the need for transparency in disclosing cyber risks and incidents. It also underscores the critical role of CISOs in ensuring not only the security of digital assets but public trust as well.
As we move forward, the world is looking up to CISOs and their teams to perform their roles well. The public at large counts on them to ensure that their investments are not taken for granted. It is a responsibility that cannot be taken lightly and one that requires constant vigilance, transparency, and commitment to excellence.