Mandatory Cyber Security Reporting for Indian Companies

Devansh Dubey | Cyber Security, Law

Cyber security is no longer a buzzword in today’s digital world but the need of the hour. Cyber threats are rising for businesses in India. According to reports, there has been an unprecedented 46% jump in cyber security incidents in 2024 alone, with 388 reported data breaches and 107 data leaks. Why does this matter to you? Trust and confidentiality are critical for an interdependent world. This article will discuss the regulations you should know about and how they will impact your business. Buckle up as we dive into new compliance in these areas where governments aim to enhance transparency and cyber security. Let’s start!

Cyber Security Reporting Mandate in India

According to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, intermediaries must report cyber security incidents and share related information with the Indian Computer Emergency Response Team (“CERT-In”). Sounds pretty simple, doesn’t it? Well, of course, it is. But let’s get deeper.

What Actually Needs to Be Reported?

Under Rule 3(1)(l) of these Guidelines, intermediaries are duty-bound to report cyber security incidents per the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013. This does not mean that an intermediary must report every single incident, but only those specified in the Annexure of these rules.

Further, the Cyber Security Directions issued by CERT-In on April 28, 2022, clarify the types of incidents to be reported. The list is broad, covering data breaches, unauthorised access and malware attacks, among others.

Why is timely reporting important?

Timely reporting facilitates CERT-In’s rapid response to the situation, averting potential loss. It is like dialling the fire service when you perceive smoke before it becomes a roaring flame.

Problems and Responsibilities

Intermediaries face the following challenges:

  • Compliance: Meeting the reporting requirements prescribed in the IT Rules, 2013 and CERT-In’s 2022 Directions.
  • Resources: Putting in place the resources and procedures that enable speedy detection and reporting.
  • Training: Educating staff on current developments in cyber security protocols and keeping reporting procedures up to date.

If an intermediary meets these requirements, it serves both the cause of the law and the value of a safer digital space.

Continuing Compliance: CERT-In’s Disclosure Order

CERT-In issued fresh guidelines in 2022 under Section 70B of the Information Technology Act, 2000. The relevant provisions state that all entities, including service providers, intermediaries, data centres, and government departments, must report a cyber incident within six hours of its detection. This is a stringent requirement, intended to ensure an effective response to and mitigation of cyber threats.

First and foremost, the six-hour window is designed to minimise the time lapse between incident detection and response. The primary goal is to contain and mitigate the impact of cyber attacks. Think of it as the “Speedy Gonzales” of cyber security: fast, effective, and always in motion. The 2022 Directions also introduce a standardised reporting process to help maintain consistency in incident reports coming in from different industry sectors.

However, many may argue that the six-hour reporting window is challenging. For smaller entities, it can become even more difficult. At the same time, this underscores the need to continuously invest in cyber security infrastructure and train the available workforce to detect and report incidents within the given timeframe.

SEBI’s 2023 Amendment on Cyber Security Reporting

On June 14, 2023, SEBI introduced the SEBI (Listing Obligations and Disclosure Requirements) (Second Amendment) Regulations, 2023. These amendments require listed companies to disclose information on cyber security incidents, breaches, or data/document losses in their quarterly Corporate Governance Reports (CGRs). Effective July 14, 2023, this regulation aims to make things more transparent, boosting investor confidence.

You might think of this as your IT department’s quarterly “tell-all” session. It is far more than paperwork: it is a fundamental change in direction toward transparency and accountability. Companies must open up about their cyber security struggles because transparency is not a buzzword but a trust-building exercise. When companies disclose cyber security incidents and detail the steps they have taken to respond, it goes a long way toward boosting the confidence of investors and other stakeholders.

Important Points

  • Disclosure Requirement: The listed entities must disclose cyber security incidents, data breaches or data loss in their quarterly CGRs.
  • Transparency: This regulation aims to promote transparency and risk mitigation, as information about major security incidents will reach investors and stakeholders.
  • Timeliness: Timely disclosure and reporting of such incidents will prompt swift risk analysis and mitigation.

Such reporting obligations would undoubtedly increase the compliance burden on companies. Therefore, regulators must establish more robust reporting systems with the necessary checks and balances. There is a fine line to be drawn here between transparency and the dangers of revealing everything to the public. These reporting requirements could significantly affect present corporate governance practices, which would need proper coordination across departments.

Conclusion

These regulatory developments highlight the importance of cyber security for modern-day businesses. These regulations push for a time-bound incident response with greater transparency. While these regulations may pose challenges to some companies, they are another call for companies to strengthen their cyber security measures and improve the stakeholders’ trust in their corporate governance. And, of course, in the ever-evolving cyber space, it is always better to be a paranoid android than a complacent human. Stay safe, stay informed, and keep those firewalls strong!