Lexology Panoramic Guide On Cybersecurity in India 2024

The document provides an overview of the cybersecurity legal framework in India, highlighting key legislation such as the Information Technology Act 2000 and the establishment of the Computer Emergency Response Team (CERT-In) for incident management. It discusses the obligations of personnel and directors regarding cybersecurity preparedness, the impact of cyber threats on various economic sectors, and the adoption of international standards for information security. Additionally, it outlines the regulatory landscape and the importance of compliance with cybersecurity regulations to mitigate risks and protect sensitive data.


PANORAMIC

CYBERSECURITY
India

LEXOLOGY
Cybersecurity
Contributing Editors
Edward R McNicholas and Fran Faircloth
Ropes & Gray LLP

Generated on: February 13, 2024


The information contained in this report is indicative only. Law Business Research is not responsible
for any actions (or lack thereof) taken as a result of relying on or in any way using information contained
in this report and in no event shall be liable for any damages resulting from reliance on or use of this
information. Copyright 2006 - 2024 Law Business Research

Explore on Lexology
Contents
Cybersecurity
LEGAL FRAMEWORK
Key legislation
Most affected economic sectors
International standards
Personnel and director obligations
Key definitions
Mandatory minimum protective measures
Cyberthreats to intellectual property
Cyberthreats to critical infrastructure
Restrictions on cyberthreat information sharing
Criminal activities
Cloud computing
Foreign organisations

BEST PRACTICE
Recommended additional protections
Government incentives
Industry standards and codes of practice
Responding to breaches
Voluntary information sharing
Public-private cooperation
Insurance

ENFORCEMENT
Regulatory authorities
Extent of authorities' powers
Most common enforcement issues
Regulatory and data subject notification
Penalties for non-compliance with cybersecurity regulations
Penalties for failure to report threats and breaches
Private enforcement

THREAT DETECTION AND REPORTING


Internal policies and procedures
Record-keeping requirements
Regulatory reporting requirements
Time frames
Other reporting requirements

UPDATE AND TRENDS

Cybersecurity 2024 Explore on Lexology


Recent developments and future changes



RETURN TO CONTENTS

Contributors
India

AZB & Partners

Sumit Ghoshal sumit.ghoshal@azbpartners.com
Aprajita Rana aprajita.rana@azbpartners.com
Shagun Badhwar shagun.badhwar@azbpartners.com
Suyash Tiwari suyash.tiwari@azbpartners.com


LEGAL FRAMEWORK

Key legislation
Summarise the main statutes and regulations that regulate or promote cybersecurity. Does your jurisdiction have dedicated cybersecurity laws?
While India does not have a dedicated cybersecurity law, several statutes and sector-specific regulations regulate cybersecurity and promote the maintenance of cybersecurity standards, among other things. One of the primary statutes dealing with cybersecurity, data protection and cybercrimes is the Information Technology Act 2000 (the IT Act), read with the rules and regulations framed thereunder. The IT Act not only provides legal recognition and protection for transactions carried out through electronic data interchange and other means of electronic communication, but also contains provisions aimed at safeguarding electronic data, information or records, and preventing unauthorised or unlawful use of a computer system. Some of the cybercrimes that are specifically envisaged and punishable under the IT Act are hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft.

In accordance with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013, the Indian Computer Emergency Response Team (CERT-In) has been established as the nodal agency that deals with and responds to cybersecurity incidents. It is tasked with performing certain functions, including the collection, analysis and dissemination of information on cyber incidents, and issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices and procedures and the response to and reporting of cyber incidents. To perform these functions, CERT-In is empowered to call for information and issue directions to service providers, intermediaries, data centres, body corporates and any other person. Exercising these powers, CERT-In issued directions dated 28 April 2022 (the CERT-In Directions) for strengthening cybersecurity in India. Clarifications to the Directions were issued by CERT-In by way of frequently asked questions on 18 May 2022 (the FAQs).

In addition to the above, other relevant rules framed under the IT Act in the context of cybersecurity include:

- the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules 2011 (the SPDI Rules), which prescribe reasonable security practices and procedures to be implemented for the collection and processing of personal or sensitive personal data. Once the Digital Personal Data Protection Act 2023 (the DPDP Act), which has been notified but is yet to be brought into force, comes into force, the SPDI Rules will stand replaced. The DPDP Act stipulates that a data fiduciary is required to protect the digital personal data of an individual in its possession or under its control (including in respect of processing undertaken by it or on its behalf) by taking reasonable security safeguards to prevent a personal data breach. However, unlike the SPDI Rules, the DPDP Act does not recognise any specific standards to be followed. Having said that, more clarity on the specific security standards and safeguards to be implemented under the DPDP Act may emerge once the rules under the Act are framed and notified;
- the Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018, which require specific information security measures to be implemented by organisations that have protected systems, as defined under the IT Act; and
- the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 (the Intermediaries Guidelines), which require intermediaries to implement reasonable security practices and procedures for securing their computer resources and the information contained therein. Intermediaries are also required to report cybersecurity incidents (including information relating to such incidents) to CERT-In.

Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which punishes offences, including those committed in cyberspace (such as defamation, cheating, criminal intimidation and obscenity), and the Companies (Management and Administration) Rules 2014 (the CAM Rules) framed under the Companies Act 2013, which require companies to ensure that electronic records and security systems are secure from unauthorised access and tampering.

In addition to the above, there are sector-specific regulations issued by regulators such as the Reserve Bank of India (RBI), the Insurance Regulatory and Development Authority of India, the Department of Telecommunications (DoT) and the Securities and Exchange Board of India (SEBI), which mandate cybersecurity standards to be maintained by their regulated entities, such as banks, insurance companies, telecom service providers and listed entities.

The proposed Digital India Act 2023 (DIA), which is intended to replace the IT Act, can be expected to bring a robust and dedicated law dealing with cybersecurity.

Law stated - 9 December 2023

Most affected economic sectors


Which sectors of the economy are most affected by cybersecurity laws and regulations in your jurisdiction?
Regulated entities operating in sensitive sectors, such as financial services, banking, insurance and telecommunications, have exhibited higher standards of cybersecurity preparedness and awareness, partly because of regulatory intervention but also because of voluntary compliance with advanced international standards. Sectors such as e-commerce, IT and IT-enabled services that have seen an infusion of foreign direct investment have also proactively deployed robust cybersecurity frameworks and policies to counter the evolving nature of cyber fraud, as they have borrowed advanced cybersecurity practices and procedures from their overseas parent entities in the United States, the European Union and other jurisdictions.

With the rise of digital payments, cybercrimes involving payment transactions in the online space have significantly increased and become more complex. The RBI has been active in requiring companies operating payment systems to build secure authentication and transaction security mechanisms (such as two-factor authentication, EMV chips, PCI DSS compliance and tokenisation). However, because these payment companies often offer real-time, frictionless payment experiences to their consumers, banks and other entities operating in the payment ecosystem have less time to identify and respond to cyberthreats. In light of the above, there is an increased need for such entities to identify and develop cybersecurity standards commensurate with the nature of the information assets they handle, and to evaluate the possible harm in the event of a cybersecurity attack, to ensure that these emerging risks are mitigated.

Moreover, the covid-19 pandemic has led to increased dependence on digital infrastructure for many organisations, as employees are being given the option of working remotely. This has led to enormous cybersecurity-related vulnerabilities and challenges for large and small organisations alike, and has made them rethink cybersecurity preparedness, policies and budgets.

We have already witnessed large-scale cyberattacks (such as ransomware attacks) and disruption in sensitive sectors in India. For instance, in November 2022 a well-known public hospital in India was subject to a ransomware attack that crippled the services of the hospital, as access to the hospital management tool, which manages appointments, stores medical records, etc, was disrupted. Other, similar incidents have also been reported in the medical sector. The demand for remote work, new technologies and the vulnerabilities resulting therefrom will continue to exist, and accordingly we expect cybersecurity standards to be given critical importance.

Law stated - 9 December 2023

International standards
Has your jurisdiction adopted any international standards related to cybersecurity?
Yes, the SPDI Rules require body corporates that handle sensitive personal data or information to implement 'reasonable security practices and procedures' by maintaining a comprehensively documented information security programme. This programme should include managerial, technical, operational and physical security control measures that are commensurate with the nature of the information being protected. In this context, the SPDI Rules recognise the international standard ISO/IEC 27001 on Information technology - Security techniques - Information security management systems - Requirements as one such approved security standard that a body corporate may implement for the protection of personal information. All body corporates that comply with this standard are subject to audit checks by an independent government-approved auditor at least once a year, or as and when they undertake a significant upgrade of their processes and computer resources.

The newly enacted, albeit yet to be brought into force, DPDP Act also puts an obligation on data fiduciaries to adopt reasonable security safeguards to prevent a personal data breach. Unlike the SPDI Rules, the DPDP Act does not recognise any specific standards to be followed. Having said that, more clarity on the specific security standards and safeguards to be implemented under the DPDP Act may emerge once the rules are framed and notified thereunder.

Sector-specific regulators have also prescribed security standards specifically applicable to regulated entities. For instance, the RBI guidelines mandate banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards for ensuring adequate protection of critical functions and processes. The Guidelines on Regulation of Payment Aggregators and Payment Gateways issued by the RBI require payment aggregators to implement data security standards and best practices such as PCI-DSS and PA-DSS, and to implement checks to ensure that the merchants they onboard comply with such data security standards and best practices. Similarly, SEBI requires stock exchanges, depositories, clearing corporations, etc, to follow the best practices of standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5, or their subsequent revisions, if any, from time to time.

Law stated - 9 December 2023

Personnel and director obligations


What are the obligations of responsible personnel and directors to keep informed about the adequacy of the organisation's protection of networks and data, and how may they be held responsible for inadequate cybersecurity?
While there is no specific statutory provision that requires information security personnel to keep directors informed of an organisation's network preparedness, in the event of a cybersecurity breach the persons in charge of an organisation will be required to demonstrate before regulators that they have implemented security control measures in accordance with their documented information security programmes and information security policies. Therefore, it is necessary for these persons to be aware of, and kept up to date on, the information security preparedness of their organisation in order to discharge their responsibilities effectively.

Section 85 of the IT Act also specifically states that, in the case of any contravention of the provisions stipulated thereunder, any person who at the time of the contravention was in charge of supervising the affairs of a company will be liable and proceeded against, unless he or she is able to prove that the contravention took place without his or her knowledge, or that he or she exercised all due diligence to prevent the contravention. Therefore, personnel can protect themselves from liability by being aware of and deploying adequate cybersecurity measures.

Separately, under the CAM Rules, the managing director, company secretary, or any other director or officer of the company (as may be decided by the board) is responsible for the maintenance and security of electronic records. This person is required, inter alia, to provide adequate protection against unauthorised access, alteration or tampering of records; ensure that computer systems, software and hardware are secured and validated to ensure their accuracy, reliability and accessibility; and take all necessary steps to ensure the security, integrity and confidentiality of records. Any failure by such personnel in this regard may be construed as a breach of their duties towards the organisation and is punishable with a fine. The CAM Rules also require companies with equity shares listed on a recognised stock exchange, and every company having not less than one thousand members, to have adequate cybersecurity in place for their electronic voting systems.

It is also important to note that the CERT-In Directions now require service providers, intermediaries, data centres, body corporates and government organisations to designate a Point of Contact to interface with CERT-In. All communications from CERT-In seeking information and providing directions for compliance are to be sent to the said Point of Contact. The information relating to the Point of Contact is required to be sent to CERT-In and kept updated from time to time. Accordingly, to demonstrate bona fide compliance with the CERT-In Directions, the management and persons in charge are to ensure that such a Point of Contact is appointed and that the details are communicated to CERT-In.

Law stated - 9 December 2023

Key definitions
How does your jurisdiction define 'cybersecurity' and 'cybercrime'?
Under the IT Act, 'cybersecurity' means protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction. 'Cybercrime', on the other hand, has not been expressly defined under any central statute or regulations; however, the National Cyber Crime Reporting Portal (a body set up by the government to facilitate the reporting of cybercrime complaints) has defined 'cybercrime' to mean 'any unlawful act where a computer or communication device or computer network is used to commit or facilitate the commission of crime'. Further, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 define 'cyber security incident' as any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy, resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for the processing or storage of information, or changes to data or information without authorisation.

Under the CAM Rules, 'cyber security' is defined as protecting information, equipment, devices, computers, computer resources, communication devices and the information stored therein from unauthorised access, use, disclosure, disruption, modification or destruction.

In November 2023, the RBI issued the Master Directions on Information Technology Governance, Risk, Controls and Assurance Practices (the Master Directions), applicable to regulated entities such as banks and non-banking financial companies (NBFCs), which define 'cyber security' as the preservation of confidentiality, integrity and availability of information and/or information systems through the cyber medium. As per the definition, other properties, such as authenticity, accountability, non-repudiation and reliability, can also be involved in cyber security. Further, the Master Directions define a 'cyber incident' as a cyber event that adversely affects the cyber security of an information asset, whether resulting from malicious activity or not. The Master Directions also define 'cyber-attack' as a malicious attempt (or more than one attempt) to exploit vulnerabilities through the cyber medium to damage, disrupt or gain unauthorised access to assets. The Master Directions come into effect on 1 April 2024.

The courts in India have also dealt with various instances of cybercrime over the years. The Gujarat High Court, in Jaydeep Vrujlal Depani v State of Gujarat (R/SCR.A/5708/2018 Order), recognised a publicly available definition of 'cybercrime' to mean 'the offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (networks including but not limited to Chat rooms, emails, notice boards and groups) and mobile phones (Bluetooth/SMS/MMS)'.


While the IT Act does not distinguish between cybersecurity and data privacy, in our view these issues are distinct but deeply interconnected, as ensuring the privacy of any data (whether of an individual or a corporate) requires adequate cybersecurity processes to be implemented by organisations. Further, cybersecurity and information security frameworks are developed by organisations at a broader level to build resilience against various forms of cyberthreat, including cybercrimes that entail more extensive engagement with regulatory authorities depending on the extent of the harm caused, the nature of the information handled by the body corporate, sector sensitivities, etc.

Law stated - 9 December 2023

Mandatory minimum protective measures

What are the minimum protective measures that organisations must implement to protect data and information technology systems from cyberthreats?
As per the SPDI Rules, any body corporate that possesses, deals with or handles any sensitive personal data or information in a computer resource is required to implement the prescribed security standard (ISO/IEC 27001 on Information technology - Security techniques - Information security management systems - Requirements). The newly enacted, albeit yet to be brought into force, DPDP Act also puts an obligation on data fiduciaries to adopt reasonable security safeguards to prevent a personal data breach. While no specific standards are prescribed under the DPDP Act, more clarity may emerge once the rules are framed and notified thereunder.

Sector-specific cybersecurity measures have been made mandatory by regulators for some regulated businesses. For instance, in the banking sector, the RBI requires banks to undertake certain security measures, including, inter alia, logical access controls to data, systems, application software, utilities, telecommunication lines, libraries and system software; use of a proxy-server type of firewall; use of secure sockets layer (SSL) for server authentication; and encryption of sensitive data, such as passwords, in transit, even within the enterprise itself. The RBI specifically mandates that connectivity between the gateway of the bank and the computer system of the member bank should be achieved over a leased-line network (and not through the internet) with an appropriate data encryption standard, and that 128-bit SSL encryption must be used as the minimum level of security. The RBI also requires payment aggregators to implement data security standards and best practices such as PCI-DSS, PA-DSS, the latest encryption standards and transport channel security, as per the Guidelines on Regulation of Payment Aggregators and Payment Gateways.
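The RBI floor described above (SSL for server authentication, sensitive data encrypted in transit, 128-bit encryption as the minimum) can be checked mechanically. The following Python is an added example written for this page, not code from the guide, from AZB & Partners or from the RBI. It builds a client TLS context that meets that floor beside a permissive one that does not, and an audit function that reports which of the three points a context fails. It reads the guide's 'SSL' as TLS 1.2 or later, because SSLv3 and TLS 1.0/1.1 are deprecated (RFC 7568 and RFC 8996); the cipher string and the constructed sample suites are assumptions for illustration, and whether a connection actually travels over a leased line cannot be seen from a TLS context at all.

```python
"""Added example: audit a TLS client context against a 128-bit,
server-authenticated minimum. Not code from the guide or from the RBI."""
import ssl

MIN_STRENGTH_BITS = 128  # the minimum the RBI text sets for SSL encryption

# Constructed sample in the shape SSLContext.get_ciphers() returns (only the
# keys used here are included); suites and values are illustrative.
SAMPLE_CIPHERS = [
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128},
    {"name": "DES-CBC3-SHA", "protocol": "SSLv3", "strength_bits": 112},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56},
]


def weak_ciphers(ciphers, min_bits=MIN_STRENGTH_BITS):
    """Names of suites whose effective key strength is below min_bits.

    `ciphers` is a list of dicts as returned by SSLContext.get_ciphers();
    'strength_bits' is the effective strength (3DES reports 112, not 168).
    """
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the floor."""
    findings = []
    # Server authentication: the peer certificate must be verified and must
    # match the hostname the client intended to reach.
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("certificate not matched against the hostname")
    # Protocol floor: anything below TLS 1.2 is deprecated and must not be offered.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("SSLv3/TLS 1.0/TLS 1.1 still negotiable")
    # Cipher floor: every suite the context could negotiate must be >= 128 bits.
    weak = weak_ciphers(ctx.get_ciphers())
    if weak:
        findings.append("ciphers below %d bits: %s" % (MIN_STRENGTH_BITS, ", ".join(weak)))
    return findings


def permissive_client_context():
    """The weak setting: no server authentication, oldest protocol OpenSSL allows.
    Built only to be audited; never use it for a real connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE is set
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context():
    """The corrected setting: verified server certificate and hostname, TLS 1.2+,
    forward-secret AEAD suites only (all at least 128 bits)."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # The cipher string is an assumption for illustration; TLS 1.3 suites are
    # configured separately by OpenSSL and are all >= 128 bits.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    print("sample weak suites:", weak_ciphers(SAMPLE_CIPHERS))
    print("permissive context:", audit_context(permissive_client_context()))
    print("hardened context:", audit_context(hardened_client_context()))
```

The audit is deliberately static: it inspects what a context could negotiate rather than what one handshake happened to pick, which is the question a regulator asking for the 'minimum level of security' is actually posing.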

Additionally, in the telecommunications sector, the licence conditions imposed by the DoT require every licensee to implement the following measures:

- ensure protection of the privacy of communications so that unauthorised interception of messages does not take place;
- have an organisational policy on the security and security management of its network, including network forensics, network hardening, network penetration tests and risk assessment; and
- induct only those network elements into its telecom network that have been tested as per relevant contemporary Indian or international security standards (eg, IT and ITES elements against the ISO/IEC 15408 standards, the ISO 27000 series of standards for information security management systems, and the 3GPP and 3GPP2 security standards for telecom and telecom-related elements).

Further, critical information infrastructure (CII) is separately regulated by the National Critical Information Infrastructure Protection Centre (NCIIPC) and the 'Guidelines for the Protection of National Critical Information Infrastructure' (the CII Guidelines). CII has been defined under the IT Act to mean any computer resource the incapacitation or destruction of which can have a debilitating impact on national security, the economy, public health or safety. Under the CII Guidelines, certain best practices and controls are provided as minimum recommendations to be implemented by CIIs at different stages of CII functioning, to maintain safe and secure operations. In addition to the CII Guidelines, in April 2020 the NCIIPC also issued covid-19 guidelines titled 'Building Resilience against Cyber Attacks during COVID-19 Crisis', which provide guidance to CIIs on various issues, including managing email phishing risks, protecting organisational assets and enabling employees to work remotely. Further, the National Security Council Secretariat has released the 'Cyber Security Audit - Baseline Requirements' (CSA-BR) for critical information infrastructure, prescribing minimum, common and harmonised baseline criteria for cybersecurity audits, which are to be mandatorily followed by all CII.

Law stated - 9 December 2023

Cyberthreats to intellectual property


Does your jurisdiction have any laws or regulations that specifically address cyberthreats to intellectual property?
The IT Act and related laws apply equally to cyberthreats involving intellectual property and grant similar protection.

Law stated - 9 December 2023

Cyberthreats to critical infrastructure


Does your jurisdiction have any laws or regulations that specifically address cyberthreats to critical infrastructure or specific sectors?
As per section 70 of the IT Act, the government may notify any computer resource that directly or indirectly affects the facility of CII to be a 'protected system'. CII means any computer resource the incapacitation or destruction of which can have a debilitating impact on national security, the economy, public health or safety. Under the Information Technology (Information Security Practices and Procedures for Protected System) Rules 2018, specific cybersecurity practices apply in the context of a protected system, such as setting up an information security steering committee (the Committee) to approve all information security policies relating to the protected systems, designating a chief information security officer (CISO), and carrying out vulnerability, threat or risk analysis on an annual basis and on any significant change or upgrade to the system, under intimation to the Committee. Significant changes in network configuration need to be approved by the Committee, and organisations need to ensure timely communication of cyber incidents to the Committee.

Under the provisions of the IT Act, a nodal body, the NCIIPC, has been set up to work in the interest of CII protection. The NCIIPC is authorised to reduce the vulnerabilities of CII to cyberterrorism, cyber warfare and other threats. Certain identified CIIs are in sectors such as transport, telecoms, banking, insurance, finance, power, energy and governance.

The recently notified Central Electricity Regulatory Commission (Indian Electricity Grid Code) Regulations 2023 prescribe measures to be taken by, among others, captive generating plants and energy storage systems to safeguard the national grid from spyware, malware, cyber attacks and network hacking, and also include requirements for a procedure for periodic security audits and a cybersecurity framework, among others.

Sector-specific cybersecurity regulations are also in place for sectors such as banking, telecommunications, finance and insurance.

Law stated - 9 December 2023

Restrictions on cyberthreat information sharing


Does your jurisdiction have any cybersecurity laws or regulations that specifically restrict sharing of cyberthreat information?
India does not have a dedicated cybersecurity law or regulation that restricts the sharing of cyberthreat information. However, personal information and the right to privacy of an individual are protected under Indian law. In the judgment of Justice KS Puttaswamy (Retd) and Anr v Union of India and Ors (Writ Petition (Civil) No. 494 of 2012), the Supreme Court of India held the right to privacy to be a fundamental right that is an intrinsic component of the right to life and personal liberty under article 21 of the Constitution of India, and therefore a basic right of all individuals. Although there are precedents where the courts have held private communications between individuals to fall within the purview of the 'right to privacy', there are also precedents where Indian courts have admitted recordings obtained without consent as valid evidence. Given that this issue is unsettled, the permissibility of recordings will need to be determined on a case-by-case basis.

In any case, the SPDI Rules require a body corporate to disclose personal data or sensitive personal information only with the prior consent of the data subject. However, this condition can be waived if the disclosure is to government agencies mandated under the IT Act for the purpose of verification of identity, or for the prevention or investigation of any offences, including cybercrimes. The SPDI Rules also permit disclosure without consent where the disclosure is made pursuant to an enforceable order under applicable law.

The SPDI Rules also allow a body corporate to transfer data to any other body corporate or person in India or in any other country that ensures the same level of data protection as is adhered to by the body corporate. However, the transfer is allowed only if it is necessary for the performance of a lawful contract between the body corporate and the data subject, or where the data subject has consented to the transfer.


Under the DPDP Act, any processing (including disclosure) of personal data will require consent, accompanied or preceded by a notice from the data fiduciary to the data principal (except in certain cases identified under the DPDP Act as legitimate uses). However, information may be disclosed to the state or any of its instrumentalities for fulfilling any obligation under any law for the time being in force in India. Further, disclosure may also be made for the purpose of ascertaining the financial information, assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution. Such disclosure will be subject to the processing being in accordance with the provisions regarding disclosure of information or data in any other law for the time being in force.

Certain laws, such as the Indian Telegraph Act 1885 (the Telegraph Act) and the IT Act, permit governmental and regulatory authorities to access private communications and personally identifiable data in specific circumstances. The Telegraph Act empowers the government to intercept messages in the interest of public safety, national security or the prevention of crime, subject to certain prescribed safeguards. In that scenario, the telecom licensee that has been granted a licence by the DoT is mandated to provide necessary facilities to the designated authorities of the central government or the relevant state government for interception of the messages passing through its network.

The IT Act also grants similar authority to the government and its authorised agencies. Any person or officer authorised by the government (central or state) can, inter alia, direct any of its agencies to intercept, monitor or decrypt, or cause to be intercepted, monitored or decrypted, any information that is generated, transmitted, received or stored in any computer resource, in the event that it is satisfied that it is necessary or expedient to do so in the interest of the sovereignty and integrity of India, the defence of India, the security of the state, friendly relations with foreign states, public order or preventing incitement to the commission of any cognisable offence relating to the above, or for the investigation of any offence. In our view, the instances described in the IT Act can be relied on by the government agencies to intercept data for cybersecurity incidents if they relate to contravention or investigation of any crime.

Law stated - 9 December 2023

Criminal activities
What are the principal cyberactivities (such as hacking) that are criminalised by the law of your jurisdiction?
Cybercrime activities are specifically dealt with under the IT Act. It prescribes penalties ranging from fines to imprisonment for various types of cyber activities, including hacking; tampering with computer source code; denial-of-service attacks; phishing; malware attacks; identity fraud; electronic theft; cyberterrorism; privacy violations; and the introduction of any computer contaminant or virus. Further, the CERT-In Directions also set out specific cyber security incidents, including targeted scanning/probing of critical networks/systems; attacks on internet of things (IoT) devices and associated systems, networks, software and servers; and attacks on servers, such as database, mail and DNS servers, and network devices, such as routers.

Law stated - 9 December 2023


Cloud computing
How has your jurisdiction addressed information security challenges associated with cloud computing?
The CERT-In Directions are applicable to cloud service providers as well. The CERT-In Directions have imposed certain obligations on cloud service providers vis-à-vis data retention and reporting. For instance, as per the Directions, any attack or malicious/suspicious activities affecting systems/servers/software/applications related to cloud computing have to be mandatorily reported to CERT-In within six hours of noticing such incident or being brought to notice about such incident. Further, cloud service providers are required to register and retain certain mandatory data for their subscribers.

Further, given that cloud computing services are rendered and received over the internet or through the digital medium, certain other provisions of the IT Act, the SPDI Rules and the Intermediaries Guidelines may be relevant to these services.

For instance, the SPDI Rules allow a body corporate to transfer data to any other body corporate or a person in India or in any other country that ensures the same level of data protection that is adhered to by the body corporate. However, the transfer may be allowed only if it is necessary for the performance of a lawful contract between the body corporate and the data subject or where the person has consented to the data transfer. Accordingly, in our view, any entity engaged in the cloud computing business will need to ensure that it maintains the same level of information security standards as that of the data controller (ie, the person collecting the information from the data subject).

Also, depending on the business model, a cloud services provider may fall within the definition of an intermediary under the IT Act (defined as any person who on behalf of another person receives, stores or transmits that record or provides any service with respect to that record, and includes telecom service providers, network service providers, internet service providers, web-hosting service providers, search engines, online payment sites, online-auction sites, online-market places and cybercafes). As an intermediary, the cloud service provider will need to observe due diligence measures to claim safe harbour protection from liability arising from the content stored by it. These due diligence measures include taking all reasonable steps to secure its computer resource and the information contained therein by adopting the security practices prescribed under the SPDI Rules.

The RBI also issued “Guidelines on Regulation of Payment Aggregators and Payment Gateways” on 17 March 2020, and “Regulation of Payment Aggregator – Cross Border (PA – Cross Border)” on 31 October 2023, which mandate all payment aggregators and payment aggregators – cross border to adhere to the data-storage requirements applicable to payments data, to ensure that all data is stored only in India for the RBI's unfettered supervisory access.

Law stated - 9 December 2023

Foreign organisations
How do your jurisdiction's cybersecurity laws affect foreign organisations doing business in your jurisdiction? Are the regulatory obligations the same for foreign organisations?
Section 75 of the IT Act provides that the Act also applies to any offence committed outside India if the act that constitutes the offence involves a computer, computer network or computer system in India. Hence, the applicability of this law is agnostic to the presence of foreign organisations in India so long as users in India can access the services provided by the organisations and the operation of the services amounts to the contravention of any provision described thereunder.

Further, in the context of the applicability of the CERT-In Directions to overseas entities, the clarifications issued by CERT-In by way of FAQs suggest that the CERT-In Directions will apply to all entities in the matter of cyber incidents and cyber security incidents as long as the service is catering to users in India. This seems to indicate that CERT-In is of the view that the CERT-In Directions would continue to apply as long as a service caters to Indian users, irrespective of fulfilment of the requirements of section 75 of the IT Act. We will have to await clarity on the interplay between section 75 of the IT Act and the position indicated by the FAQs issued on the applicability of the CERT-In Directions.

Law stated - 9 December 2023

BEST PRACTICE

Recommended additional protections
Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?
In addition to minimum statutory cybersecurity standards, various regulatory bodies have advised businesses to adopt more robust measures in areas of cybersecurity. For example, the Ministry of Communication and Information Technology released the National Cyber Security Policy in 2013, which recommended creating a secure cyber ecosystem, strengthening laws and creating mechanisms for the early warning of security threats, vulnerability management and the response to security threats. The policy intended to encourage all organisations to develop information security policies integrated with their business plans and implement the policies in accordance with international best practices.

Under the Digital India initiative, the Ministry of Electronics and Information Technology (MeitY) has set up the Cyber Swachhta Kendra (Botnet Cleaning and Malware Analysis Centre), operated by the Computer Emergency Response Team (CERT-In), to work with internet service providers and product or antivirus companies to provide information and tools to users on botnet and malware threats. Similar proactive measures are deployed by sector-specific regulators from time to time.

Law stated - 9 December 2023

Government incentives
How does the government incentivise organisations to improve their cybersecurity?
In recent years, the government has rolled out some beneficial measures to incentivise both public and private sector organisations to improve cybersecurity standards. One example is the Public Procurement (Preference to Make in India) Order 2018 for Cyber Security Products notified by MeitY on 2 July 2018, which was further revised by the Public Procurement (Preference to Make in India) Order 2019 for Cyber Security Products notified by MeitY on 6 December 2019, wherein cybersecurity was named as a strategic sector and government procurement agencies will give preference to domestically manufactured or produced cybersecurity products.

Law stated - 9 December 2023

Industry standards and codes of practice
Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?
In addition to the Information Technology Act 2000 and the applicable rules framed thereunder (including the CERT-In Directions, which prescribe specific obligations for maintenance of logs, ICT clock synchronisation and data retention requirements), industry-specific standards have been prescribed by specific regulators. Some examples are given below.

• Financial sector: the Reserve Bank of India has issued various guidelines for ensuring cybersecurity and the handling of cyber fraud within the banking sector. They can be accessed at www.rbi.org.in and include the following:
  • Cyber Security Framework in Banks, prescribing standards to be followed by banks for securing themselves against cybercrimes;
  • Basic Cyber Security Framework for Primary (Urban) Cooperative Banks, prescribing certain basic cybersecurity controls for primary urban cooperative banks; and
  • Master Direction on Information Technology Governance, Risk, Controls and Assurance Practices 2023, which incorporates, consolidates and updates the guidelines, instructions and circulars on IT governance, risk, controls, assurance practices and business continuity/disaster recovery management. The Master Direction will come into effect from 1 April 2024.
• Insurance sector: the insurance sector is subject to the “IRDAI Information and Cyber Security Guidelines 2023”, issued by the Insurance Regulatory and Development Authority of India (IRDAI). These Guidelines are applicable to all insurers, including insurance intermediaries, brokers, corporate agents, etc, regulated by IRDAI. The Guidelines apply to all data created, received or maintained by such entities in the course of carrying out their designated duties and functions, irrespective of the place of storage and form of such data. The Guidelines stipulate the organisational structure to be created for the governance, implementation and monitoring of information security.
• Telecommunications sector: the licence conditions for a unified licence granted by the Department of Telecommunication (DoT) prescribe various cybersecurity obligations on the licensee entity. For instance, the licensee is obligated to ensure the protection of privacy of communication and that unauthorised interception of messages does not take place; the licensee is to be completely responsible for the security of its networks and must have an organisational policy on the security and security management of its networks, etc. Due to the large surge in cybersecurity incidents fuelled by large-scale remote work adoption during the covid-19 pandemic, the DoT has been issuing, inter alia, various security-related circulars to update stakeholders, such as Best Practices – Cyber Security, which provides protocols to be followed by organisations; and Unsafe Practices to be Avoided at Workplace for Cyber Security, which describes unsafe workplace practices that should be avoided, such as using common passwords, leaving devices unlocked, ignoring operating system and software updates and downloading files without scanning.

Law stated - 9 December 2023

Responding to breaches
Are there generally recommended best practices and procedures for responding to breaches?
Depending on the nature and the extent of the cybersecurity incident and the sensitivity of the sector, cyber incident response strategies may differ from one business to another. Some common measures that are recommended include:

• deploying a detailed information security policy to be approved by the board;
• conducting regular transaction monitoring;
• conducting information security risk assessments;
• setting up risk mitigation and transition plans;
• updating relevant stakeholders within the organisation on their role in advance; and
• allocating appropriate personnel to engage with regulatory authorities and to deal with clients, service providers, etc. For instance, the CERT-In Directions provide that service providers, intermediaries, data centres, body corporates and government organisations must appoint a Point of Contact to engage with CERT-In for certain compliance-related obligations of the entities.

Many companies also prefer to conduct regular assessments of the vulnerabilities in their systems, including by inviting focused hacking. Depending on the sector, organisations can also reach out to CERT-In and seek advice on incident recovery, containing the damage and restoring their systems to operation. From time to time, CERT-In also issues advisories on actions recommended for parties that have been affected by cybersecurity incidents.

Law stated - 9 December 2023

Voluntary information sharing
Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?
While there are mandatory reporting requirements under the CERT-In Directions, it is also possible for individuals and organisations to voluntarily report any other cybersecurity incidents and vulnerabilities to CERT-In and seek requisite support and technical assistance to recover from them. Whether timely and voluntary reporting will help mitigate the imposition of a penalty for failing to implement reasonable security practices will be a fact-specific assessment, given that there is no formal guidance in this regard.

Moreover, the Ministry of Home Affairs has operationalised a toll-free National Helpline number '1930' (previously '155260') and an online reporting platform, namely, the 'National Cyber Crime Reporting Portal', to enable persons to make immediate complaints of financial loss caused to such persons due to cyber financial frauds, including debit or credit card fraud, e-wallet and internet banking related fraud, etc. Further, the platform can be used to report other types of cybercrimes.

In addition, the Securities and Exchange Board of India (SEBI), in its 'Cyber Security and Cyber Resilience Framework' for Stock Brokers/Depository Participants, has mandated stockbrokers and depository participants to submit quarterly reports to stock exchanges and depositories with information on cyberattacks and threats experienced by such entities and the corresponding measures that were taken to mitigate the vulnerabilities, threats and attacks.

Law stated - 9 December 2023

Public-private cooperation
How do the government and private sector cooperate to develop cybersecurity standards and procedures?
The government issues consultation papers to invite feedback and suggestions from the private sector, which aids the formulation of policies and laws in respect of cybersecurity. For instance, presently, the government is working with the private sector to develop its 2020 cybersecurity strategy. In addition, in 2019 the National Cyber Security Coordinator and the Data Security Council of India launched an online repository on cyber tech called “Techsagar” to facilitate exchange and collaboration on matters of innovation and cybersecurity between businesses and academia. It is intended to provide an overview of India's cybersecurity preparedness and relevant stakeholders.

In a first-of-its-kind public-private partnership, MeitY in 2018 launched 'Cyber Surakshit Bharat' to strengthen the cybersecurity ecosystem in India by spreading awareness about cybercrime and undertaking capacity-building for CISOs and IT staff across all government departments. The founding partners of the consortium are IT companies Microsoft, Intel, WIPRO, Redhat and Dimension Data. Additionally, knowledge partners include CERT-In, NIC, NASSCOM and the FIDO Alliance and consultancy firms Deloitte and EY.

Law stated - 9 December 2023


Insurance
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance obtainable for most organisations? How common is it?
Cybersecurity insurance has gained momentum in India. It is aimed at shielding online users against the damage and loss that may arise as a result of unauthorised disclosure of or access to personal and financial data. Cyber insurance is prevalent and common in the banking, IT and ITES, retail and manufacturing sectors.

Furthermore, last year a task force set up by the government submitted recommendations for the formulation of a National Cyber Security Strategy 2023, which can be expected to provide certain guidance on cyber insurance. However, the Strategy has not yet been released.

Law stated - 9 December 2023

ENFORCEMENT

Regulatory authorities
Which regulatory authorities are primarily responsible for enforcing cybersecurity rules?
The Computer Emergency Response Team (CERT-In) is the nodal agency recognised under the Information Technology Act 2000 (IT Act) for the coordination of cyber incident response activities and the handling of cybersecurity incidents. Further, the government has also established certain authorities and agencies for according protection specifically to the critical infrastructure of India, such as the National Critical Information Infrastructure Protection Centre, which was created to assess and prevent threats to vital installations and critical infrastructure in India. As and when a cybersecurity incident is determined, individuals and organisations can seek remedy from the adjudicating authorities appointed under the IT Act.

Sector-specific regulators have also attempted to enforce compliance with their respective information security standards. For example, the Reserve Bank of India (RBI) imposed a monetary penalty of 26.6 million rupees on the Bank of Bahrain & Kuwait BSC, India Operations for non-compliance with the directions of the Cyber Security Framework in Banks.

In January 2020, the Union Minister for Home Affairs inaugurated the Indian Cyber Crime Coordination Centre (I4C) to deal with all types of cybercrime in a comprehensive and coordinated manner. One of the components of I4C is the National Cyber Crime Reporting Portal, which is a citizen-centric initiative that enables citizens to report all kinds of cybercrime online, with a specific focus on crimes against women and children, particularly child pornography, child sexual abuse material and online content pertaining to rapes, gang rapes and similar crimes. The complaints reported on this portal are dealt with by law enforcement agencies and police, based on the information made available in the complaints.

The Digital Personal Data Protection Act 2023 (DPDP Act) mandates a data fiduciary to have reasonable security safeguards in place to prevent breach of personal data. The Data Protection Board of India established by the central government under the DPDP Act can impose a monetary penalty of up to 2.5 billion rupees for breach in observing this obligation.

Law stated - 9 December 2023

Extent of authorities' powers
Describe the authorities' powers to monitor compliance, conduct investigations and prosecute infringements.
Given that CERT-In is the national nodal agency responsible for cybersecurity, it has the authority to call for information and give directions to service providers, intermediaries, data centres, body corporates and any other person to perform their functions under the IT Act, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 and the CERT-In Directions. Failure to respond to CERT-In's information requests may lead to the imposition of a monetary penalty, imprisonment for a term that may extend to one year, or both.

Further, the adjudicating authorities appointed under the IT Act have the powers of a civil court to call for evidence and documents, and summon witnesses in connection with an inquiry into any contravention under the IT Act.

As per the provisions of the IT Act, for national security and for the investigation of any offence (including cybersecurity offences), authorised government officers can issue orders to intercept, monitor or decrypt any computer resource, ask intermediaries to provide access to any information or to block access to any information stored, received or generated in any computer resource. Additionally, law enforcement agencies can be authorised to monitor and collect traffic data or information generated, received or transmitted in any computer resource, and can confiscate any computer resource in respect of which any contravention of the IT Act has been carried out.

Indian law also provides law enforcement authorities with various other mechanisms to pursue, investigate and prosecute cyber criminals. For instance, the Indian Penal Code 1860 (IPC) is a comprehensive code intended to cover most substantive aspects of criminal law. Criminal activities punishable under the IPC do extend to the online cyberspace infrastructure and will be dealt with in the same manner.

Under the DPDP Act, the Data Protection Board of India established by the central government can inquire into a breach of personal data under certain circumstances and impose a penalty.

Law stated - 9 December 2023

Most common enforcement issues
What are the most common enforcement issues and how have regulators and the private sector addressed them?
Regulators in India have relied on the provisions of the IT Act and the IPC to prosecute entities found to be non-compliant with mandatory information security requirements. However, from a practical perspective, enforcement agencies often face challenges in prosecuting offshore entities that do not have a business presence in India, as well as in affixing liability in multi-layered business outsourcing structures. The absence of a comprehensive data protection law that allocates cybersecurity responsibilities between all relevant stakeholders is also a concern. Over time, the private sector and the government have felt the need to develop more cybercrime and prosecution expertise among the police personnel responsible for prosecuting offences under the IT Act, and specific local cyber cells have been set up to address this gap.

Law stated - 9 December 2023

Regulatory and data subject notification
What regulatory notification obligations do businesses have following a cybersecurity breach? Must data subjects be notified? When is notice required?
There is no specific requirement under the IT Act to inform the data subject of a cybersecurity incident. However, as per the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (Rules) and the CERT-In Directions, specific types of cybersecurity incidents (target-scanning or probing of critical networks or systems, unauthorised access of an IT system and data, malicious code attacks, identity theft, spoofing, phishing, data breach, data leak, unauthorised access to social media accounts, attacks or incidents affecting digital payment systems, attacks or malicious/suspicious activities affecting systems/servers/software/applications related to cloud computing, blockchain, virtual assets, virtual asset exchanges, etc) have to be mandatorily reported to CERT-In by service providers, intermediaries, data centres, body corporates and government organisations within six hours of noticing the incident or being brought to notice about the incident. As per the FAQs issued for the CERT-In Directions, while the incidents specified in the aforementioned directions need to be mandatorily reported, it has been clarified that cybersecurity incidents not specified in the aforementioned directions or Rules also need to be reported, considering the nature, severity and impact of the incident. If multiple parties are affected by a cybersecurity incident, any entity that notices the cybersecurity incident must report it to CERT-In.

In addition, sector-specific regulators have their own reporting requirements. For instance, the RBI requires banks to comply with the Cyber Security Framework in Banks, which, among others, requires banks to report cybersecurity incidents to the RBI within two to six hours. The Guidelines on Regulation of Payment Aggregators and Payment Gateways issued by the RBI require payment aggregators to put in place a mechanism for the monitoring, handling and follow-up of cybersecurity incidents and breaches. These incidents and breaches must be reported immediately to the Department of Payment and Settlement Systems, RBI, Central Office, Mumbai, and reported to CERT-In.

As per the DPDP Act, a data fiduciary is required to notify the Data Protection Board of India (established by the central government) and the data principal affected by such breach. The form and manner of such notification will be prescribed in the rules to be formulated under the DPDP Act.

Law stated - 9 December 2023


Penalties for non-compliance with cybersecurity regulations
What penalties may be imposed for failure to comply with regulations aimed at preventing cybersecurity breaches?
The IT Act provides for penalties for varied instances of cybersecurity breaches, some of which are described here. Section 43 of the IT Act provides that any person accessing a computer or a computer system or network without permission of the owner, downloading copies and extracting any data or causing disruption of any system will be liable to pay damages to the person affected. Section 66 of the IT Act also provides for punishment of imprisonment for a term of up to three years or a fine of up to 500,000 rupees if the person dishonestly or fraudulently commits the offence.

Section 66C of the IT Act provides that a person who, fraudulently or dishonestly, makes use of the electronic signature, password or any other unique identification feature of any other person will be punished with imprisonment of up to three years and will also be liable for payment of a fine of up to 100,000 rupees.

Additionally, the IT Act under Section 70B provides for imprisonment of up to one year or a fine of up to 100,000 rupees, or both, for any failure by an entity (service provider, intermediary, data centre, body corporate, etc) to provide requisite information requested by CERT-In. Furthermore, sector-specific authorities (such as the RBI) may also levy penalties for non-compliance with their respective cybersecurity standards.

Further, under the DPDP Act, failure to have reasonable security safeguards in place to prevent breach of personal data can result in the imposition on the data fiduciary of a financial penalty of up to 2.5 billion rupees.

Law stated - 9 December 2023

Penalties for failure to report threats and breaches
What penalties may be imposed for failure to comply with the rules on reporting threats and breaches?
Any failure by intermediaries, service providers, data centres, body corporates and government organisations to mandatorily report a cybersecurity incident within the stipulated timelines, or to furnish any information to CERT-In, as per the process provided under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 and the CERT-In Directions, is punishable by imprisonment of up to one year or a fine that may extend to 100,000 rupees, or both.

In addition, sector-specific regulators have their own reporting requirements. For instance, failure to report within the timelines prescribed for banks under the Cyber Security Framework in Banks may result in the imposition of penalties by the RBI. For the telecommunications sector, the unified licence conditions stipulate that any failure by the licensee to comply with the obligations provided therein, including reporting of any intrusions, attacks and frauds on the technical facilities, may render the concerned licensee liable to a monetary penalty of up to 500 million rupees per breach.


Under the DPDP Act, a failure to notify the Data Protection Board of India or the affected data principal of a personal data breach can result in a penalty of up to 2 billion rupees.

Law stated - 9 December 2023

Private enforcement
How can parties seek private redress for unauthorised cyberactivity or failure to adequately protect systems and data?
The IT Act makes statutory remedies available to persons affected by a cyber security incident. Section 43A of the IT Act expressly provides that whenever a body corporate possesses or deals with any sensitive personal data or information, and is negligent in maintaining reasonable security practices and procedures that in turn cause wrongful loss or wrongful gain to any person, the body corporate will be liable to pay damages to the person affected. Therefore, the affected party may initiate a civil action against the negligent body corporate, making it liable to pay damages.

Further, a civil action may also be brought against any person who, without permission of the owner of a computer or a computer system or network, does any of the acts mentioned under section 43 of the IT Act, including but not limited to accessing or securing access to the computer or computer system or network, downloading or extracting any data from it, contaminating it with a virus or other malware, or causing any damage to it.

In addition, the Securities and Exchange Board of India's Guidelines ('Cyber Security and Cyber Resilience Framework' for Stock Brokers/Depository Participants) have mandated stockbrokers and depository participants to draft their cybersecurity and cyber resilience policy document and ensure provisioning of alternate services or systems to customers in the event of any security incident.

The Ministry of Home Affairs has operationalised a toll-free National Helpline number '1930' (previously '155260') and an online reporting platform, namely, the 'National Cyber Crime Reporting Portal', to enable persons to immediately report financial loss caused to persons due to cyber financial frauds, including debit or credit card fraud, e-wallet and internet banking related fraud, etc. This reporting platform can also be used by persons to report other kinds of cybercrimes, which include unauthorised access of data or data breach, ransomware, online and social media-related crimes, cryptocurrency related frauds, etc.

Under the newly enacted DPDP Act, a data principal has a right to readily available means of grievance redressal to be provided by the data fiduciary and/or consent manager. The right available to a data principal is for an act or omission by the data fiduciary and consent manager regarding the performance of their obligation under the DPDP Act or exercise of the data principal's rights under the DPDP Act. For instance, such acts or omissions can include failure to have reasonable security safeguards in place to prevent breach of personal data and failure to intimate the affected data principal of a personal data breach.

Law stated - 9 December 2023

THREAT DETECTION AND REPORTING


Internal policies and procedures


What policies or procedures must organisations have in place to protect
data or information technology systems from cyberthreats?

CERT-In Directions prescribe certain compliance requirements for service providers,
intermediaries, data centres, body corporate, virtual private server providers, cloud service
providers, VPN service providers, virtual asset service providers, virtual asset exchange
providers, custodian wallet providers and government organisations (individually and
collectively, 'Entities'). These compliance requirements include the following.

• Reporting of a cybersecurity incident: specified cybersecurity incidents are to be
  reported to CERT-In within six hours of noticing such incidents or of being notified
  of such incidents.
• Appointment of a POC: a point of contact (POC) is to be appointed to engage with
  CERT-In in relation to the CERT-In Directions. Details of the POC need to be provided
  to CERT-In and should be kept updated.
• Maintenance of logs in India: logs of information and communications technology
  (ICT) systems are to be maintained for a rolling period of 180 days.
• ICT clock synchronisation: entities must connect to a network time protocol (NTP)
  server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL),
  or with NTP servers traceable to these NTP servers, for synchronisation of the ICT
  system clocks of such entities.
• Data retention: data centres, cloud service providers, virtual private server providers
  and virtual private network service providers are required to maintain certain data
  (such as name of subscriber, email address and IP address, address and contact
  number, ownership pattern, etc) for five years or a longer duration as mandated by
  law after any cancellation or withdrawal of registration.
• Virtual asset service providers: virtual asset exchange providers and custodian wallet
  providers must maintain all information obtained as part of Know Your Customer
  (KYC) and records of financial transactions for five years.

The aforementioned compliance requirements, and more particularly the compliance
requirement related to maintenance of logs and data retention, have been challenged in Delhi
High Court via a writ petition. The petition is pending before the High Court, and based on
public records will come up for hearing in March 2024.

In addition to the requirements mentioned above, CERT-In issued 'Guidelines on Information
Security Practices for Government Entities' on 30 June 2023 for all the ministries,
departments, secretariats and offices specified in the First Schedule to the Government of
India (Allocation of Business) Rules 1961, their attached and subordinate offices, and all
government institutions, public sector enterprises and other government agencies under
their administrative purview. The Guidelines include guidelines prepared by the National
Informatics Centre for Chief Information Security Officers (CISOs) and employees of central
government ministries/departments for the purpose of enhancing cyber security and cyber
hygiene.

In addition to the above, some specific requirements are mentioned below.


• Information Technology Act 2000 and Information Technology (Reasonable security
  practices and procedures and sensitive personal data or information) Rules 2011
  (the SPDI Rules): as per the SPDI Rules, all organisations handling sensitive
  personal information of natural persons (financial and health information, passwords,
  biometric data, etc) should, inter alia:
  – have information security systems in place that are commensurate to the information
    assets sought to be protected;
  – appoint a grievance officer to address any discrepancies and grievances of the
    provider of such information;
  – have a privacy policy for providing information on how such information is used and
    disclosed, etc; and
  – in addition, organisations are required to audit the reasonable security practices and
    procedures that have been implemented at least once a year, or as and when the
    body corporate or a person on their behalf undertakes significant upgrading of their
    process and computer resources.
• Companies (Management and Administration) Rules 2014: companies, when dealing
  with electronic records, are required to ensure the security of any such records,
  including:
  – protection against unauthorised access;
  – protection against alteration;
  – protection against tampering;
  – maintaining the security of computer systems, software and hardware;
  – protecting signatures; and
  – taking periodic backups; etc.
• The Reserve Bank of India (RBI) has issued a notification on 'Cyber Security
  Framework for Banks', which prescribes standards to be followed by banks for
  securing themselves against cybercrimes, including, for example, a mechanism
  for dealing with and reporting incidents, a cyber crisis management plan, and
  arrangements for continuous surveillance of systems and protection of customer
  information. A similar framework is applicable to non-banking finance companies.
  The Guidelines on Regulation of Payment Aggregators and Payment Gateways
  require payment aggregators to put in place a Board-approved information security
  policy for the safety and security of payment systems operated by them and to
  implement security measures in accordance with this policy to mitigate identified
  risks.
• The Insurance Regulatory and Development Authority of India (IRDAI) has issued
  'IRDAI Information and Cyber Security Guidelines 2023', which, among others,
  mandate insurers to appoint a chief information security officer, formulate a cyber
  crisis management plan and conduct audits.

Law stated - 9 December 2023


Record-keeping requirements
Describe any rules requiring organisations to keep records of cyberthreats
or attacks.

CERT-In Directions prescribe that entities, such as service providers, intermediaries, data
centres, body corporate and government organisations (Entity) are required to maintain logs
of Information and Communication Technology (ICT) systems for a rolling period of 180
days. The logs to be maintained will depend on the sector in which an Entity is operating
and may include firewall logs, event logs of critical systems, application logs, VPN logs, etc.
Relevant logs need to be provided to CERT-In when cyber incidents are reported or when so
ordered by CERT-In. The FAQs suggest that these logs can be stored outside India as long
as a copy is retained within India. The FAQs also provide that logs for successful as well as
unsuccessful events must be recorded.

The aforementioned directions, and more particularly the requirement to maintain logs, have
been challenged in Delhi High Court via a writ petition. The petition is pending before the
High Court, and based on public records will come up for hearing in March 2024.

Sector-specific regulators have prescribed storage requirements for regulated entities. For
instance, IRDAI issued the 'IRDAI Information and Cyber Security Guidelines 2023', which
require information and communications technology (ICT) logs to be maintained for a rolling
period of 180 days and within the Indian jurisdiction.

Lastly, in accordance with the Securities and Exchange Board of India Guidelines ('Cyber Security /
Cyber Resilience Framework' for Stock Brokers/Depository Participants), stockbrokers and
depository participants are required to ensure that records of user access to critical systems
are identified and logged for audit and review purposes, and the logs should be maintained
and stored in a secure location for a period not less than two years.

Law stated - 9 December 2023

Regulatory reporting requirements
Describe any rules requiring organisations to report cybersecurity
breaches to regulatory authorities.

Reporting under the IT Act

The Information Technology (The Indian Computer Emergency Response Team and Manner
of Performing Functions and Duties) Rules 2013 permit cybersecurity incidents to be
reported by any individual, organisation or corporate entity to CERT-In. In addition, as per
the CERT-In Directions, specified types of cybersecurity incidents (target-scanning or probing
of critical networks or systems, unauthorised access of an IT system and data, malicious
code attacks, identity theft, spoofing, phishing, data breach, data leak, unauthorised access
to social media accounts, attacks or incidents affecting digital payment systems, attacks or
malicious/suspicious activities affecting systems/servers/software/applications related to
cloud computing, blockchain, virtual assets, virtual asset exchanges, etc) must be reported to
CERT-In by service providers, intermediaries, data centres, bodies corporate and government


organisations within six hours of noticing the incident or being brought to notice about the
incident. The 'Guidelines on Information Security Practices for Government Entities' issued
by CERT-In also require such entities to report a cyber incident to CERT-In within six hours
of noticing the incident or being brought to notice about the incident.

The Intermediaries Guidelines require the intermediaries, as part of their due diligence
obligations, to notify CERT-In of security breaches. CERT-In publishes the formats for
reporting cybersecurity incidents on its website from time to time, which require mentioning
the time of occurrence of the incident, the type of incident, information regarding the affected
systems or network, the symptoms observed, the relevant technical systems deployed, and
the actions taken, among others.

Reporting in other sectors

In addition to the reporting requirements under the IT Act, separate reporting requirements
are applicable for cybersecurity incidents occurring in regulated sectors. For instance, the
Cyber Security Framework in Banks requires banks to inform the RBI of any cybersecurity
incident within two to six hours of the breach and include details of it in a standard reporting
template. Such report must include all unusual cybersecurity incidents (whether they were
successful or were attempts that did not succeed). Similarly, the 'IRDAI Information and
Cyber Security Guidelines 2023' require all insurers, including foreign reinsurance branches
(FRBs) and insurance intermediaries regulated by IRDAI, to report cyber incidents to CERT-In
within six hours of noticing or being brought to notice about such incidents, with a copy to
IRDAI and other concerned regulators/authorities.

As per the Securities and Exchange Board of India (Listing Obligations and Disclosure
Requirements) Regulations 2015, all listed entities need to submit a quarterly report of the
details of cyber security incidents or breaches or loss of data or documents to the recognised
stock exchange.

In the telecommunications sector, every telecommunications licensee is required to create
a facility (within 12 months of grant of authorisation) for monitoring intrusions, attacks and
frauds on its technical facilities, and to provide reports of these intrusions, attacks and frauds
to the Department of Telecommunications.

Law stated - 9 December 2023

Time frames
What is the timeline for reporting to the authorities?

As per the Information Technology (The Indian Computer Emergency Response Team
and Manner of Performing Functions and Duties) Rules 2013 and the CERT-In Directions,
specific types of cybersecurity incidents (such as target-scanning or probing of critical
networks or systems, unauthorised access of an IT system and data, malicious code
attacks, identity theft, spoofing, phishing, data breach, data leak, unauthorised access to
social media accounts, attacks or incidents affecting digital payment systems, attacks or
malicious/suspicious activities affecting systems/servers/software/applications related to
cloud computing, blockchain, virtual assets, virtual asset exchanges, etc) must be reported to


CERT-In by service providers, intermediaries, data centres, bodies corporate and government
organisations within six hours of noticing the incident or being brought to notice about the
incident.

Separate reporting requirements are applicable for cybersecurity incidents occurring in
regulated sectors. For instance, the RBI requires banks to report cybersecurity incidents
within two to six hours. Similarly, the 'IRDAI Information and Cyber Security Guidelines
2023' require all insurers, including foreign reinsurance branches (FRBs) and insurance
intermediaries regulated by IRDAI, to report cyber incidents to CERT-In within six hours of
noticing or being brought to notice about such incidents, along with a copy to IRDAI and
other concerned regulators/authorities.

Law stated - 9 December 2023

Other reporting requirements
Describe any rules requiring organisations to report threats or breaches
to others in the industry, to customers or to the general public.

Currently, there is no obligation to report cybersecurity threats or breaches to the general
public or affected parties. However, under the Digital Personal Data Protection Act 2023
(DPDP Act), in the event of a personal data breach, the data fiduciary is required to notify
each affected data principal of such breach. The form and manner of such notification will
be prescribed in the rules to be issued under the DPDP Act.

Law stated - 9 December 2023

UPDATE AND TRENDS

Recent developments and future changes
What are the principal challenges to developing cybersecurity
regulations? How can companies help shape a favourable regulatory
environment? How do you anticipate cybersecurity laws and policies will
change over the next year in your jurisdiction?

Various factors have contributed to the delayed formulation of cybersecurity regulations in
India, including the rapid advancement of technology, which continues to outpace regulatory
response; intermittent and ineffective reporting of incidents; the private sector's inability
to accurately assess the criticality of available information and the likely harm that may
be caused in the event of an incident; lack of cross-functional expertise on the nature of
cybersecurity incidents that may be experienced by varied sectors; and government and
private sector hesitation to mandate minimum standards for all categories of businesses, in
view of the time and expense involved.

In the past year, however, there has been a renewed focus on the adoption of robust
cybersecurity practices in India, from both the government and the private sector. Due
to the covid-19 pandemic and the large-scale remote work and new technology adoption
resulting from it, the private sector has been quite vigilant in adapting its processes,
updating its budgets and responding to cyber threats in a timely and nuanced manner.


Several organisations, such as the Data Security Council of India, have proactively issued
advisories and assisted other private sector organisations to seamlessly transition to safer
digital processes. We expect these initiatives to guide the government in terms of the
level of cybersecurity preparedness expected from organisations, how the private sector
has responded to cybersecurity threats, a renewed focus on the revision of policies and
the diversified skill-set of response stakeholders, and testing the efficacy of protective
technologies and strategies. Timely and descriptive cybersecurity reporting by the private
sector will bring in more collaboration and clarity on better practices. The varied experiences
of regulated businesses regarding cyber incidents will help guide policy, as it is likely that
sensitive sectors such as healthcare and social security will require a higher standard of
compliance in view of the nature of their operations and risk assessment.

We expect some regulatory developments proposed by the government to further energise
compliance. The National Cyber Security Strategy 2023 is a long-awaited policy initiative
of the government, and it is hoped that better security standards and priority allocation
will be the norm after it is notified. In 2023, a task force set up by government submitted
recommendations for formulation of a National Cyber Security Strategy 2023. However, the
Strategy has not yet been released.

The proposed Digital India Act 2023 (DIA) that will replace the Information Technology
Act 2000 (IT Act) can also be expected to bring a robust and dedicated law dealing with
cybersecurity.

The newly enacted Digital Personal Data Protection Act 2023 (DPDP Act) and the rules to
be notified thereunder will also play a critical role in shaping the regulatory environment in
relation to the protection of personal data, as they seek to prescribe certain obligations of
data fiduciaries (persons who determine the purpose and means of processing of personal
data), which include, among other things, the use of reasonable security safeguards to prevent
personal data breach, deletion of data after the purpose for collection is served, having a
grievance redressal mechanism in place and processing of personal data only for the lawful
purpose for which appropriate consent has been received. Further, the data fiduciary and
data processor need to notify the Data Protection Board of India (proposed to be constituted
under the DPDP Act) in case of breach of this personal data. The Data Protection Board may
in that event direct the data fiduciary to remedy this personal data breach or mitigate any
harm caused to data principals.

Law stated - 9 December 2023
