BW Businessworld

Devising Cybersecurity Measures To Counter Cyber-Attacks

Cyber-attack resolution plans are as important as all other precautionary measures. These must adopt a multidisciplinary approach, with a combination of IT professionals, lawyers, and privacy experts to derive maximum impact


"90 per cent of companies worldwide recognize that they are insufficiently prepared to protect themselves against [cyber-attacks]." - The Global Risks 2015 Report, World Economic Forum.

In recent times, well-known e-payment service providers, telecom operators and even online restaurant search portals have suffered significant cyber-attacks and data compromises. In an increasingly interconnected world, business houses are collecting more and more sensitive and personal data comprising passwords, financial information (such as credit card details or other payment instrument details), sexual orientation, biometric information, etc. Moreover, the demonetization drive and the Government's push towards a cashless economy have led to a manifold increase in the use of digital wallets and electronic payment systems. All of these have also exposed the economy to increased risks of cyber-attacks, and it is quite alarming to note that most businesses find themselves falling short of adequate cybersecurity architecture.

The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) provide the data protection architecture that entities processing or handling sensitive personal data are required to comply with. The SPDI Rules, amongst other things, require the concerned entity to publish a privacy policy (that not only obtains consent from data subjects but also specifies the use of the sensitive personal data, right to transfer such sensitive personal data to third parties, etc.) and to put in place reasonable security practices and procedures to prevent data protection breaches. A breach of these obligations can result in civil liability to compensate the affected person through payment of damages for the loss suffered. Further, Section 72-A of the IT Act imposes an obligation on a person who obtains any material containing personal information while providing services under the terms of a lawful contract not to disclose the personal information without the consent of the person concerned or in breach of contract. Critically, the parameter for criminal liability is "personal information", which is much wider than sensitive personal data. Moreover, a data breach or compromise or cyber fraud can also result in boards of directors facing claims for failing to discharge their fiduciary duties as well as high value claims for negligence.

The SPDI Rules mandate that businesses handling sensitive personal data must deploy prescribed security measures. However, while standard off-the-rack security measures may be legally sufficient, such measures may not be able to offer sufficient protection in a sinister cyber arms-race where cyber criminals are constantly deploying newer and more sophisticated technology to commit cybercrimes. Thus, it is essential to employ (and regularly update) dedicated and customized security measures commensurate with the risks faced by a particular business to protect against cyber-attacks. We look at some of the approaches to counteract the growing cybersecurity challenges:

• Role of the top management: Data security and cyber risk management must be an integral part of a business' larger enterprise risk management process and that needs to feature on the agenda of boards immediately and frequently. The top management must pro-actively familiarize itself with the cyber risks faced by the business and drive this with appropriate tone-at-the-top. Managing cybersecurity is no longer a siloed exercise relegated to the information technology officer. As cyberattacks continue to bleed companies, shareholders will demand more clarity and information on the security measures and practices being implemented.

• Appropriateness of Security Practices and Information Security Audits: Security practices must not only be tailored to provide adequate safeguard against cyber risks but must also be audited at regular intervals to assess the adequacy of such security measures. The information risk management regime should not only identify the relevant security risks and the policy for dealing with them but should also provide real-time information and updates to the board of directors and management to enable them to assess and mitigate risks. This will enable the management to evaluate the efficacy of the security measures deployed and have these upgraded and updated, as deemed necessary.

• Role of Contractual Counterparties: Contractual counterparties i.e., vendors, suppliers and other contract counterparties are typically not perceived as threats, but cyber criminals often exploit counterparties with weak security measures to launch cyber-attacks along the value chain. Counterparties must be made to adhere to acceptable security measures. This could be supplemented with targeted outreach events as well as development and mentoring programs.

• Managing Techno-legal Risks: Cyber-attack resolution plans are as important as all other precautionary measures. These must adopt a multidisciplinary approach, with a combination of IT professionals, lawyers, and privacy experts to derive maximum impact.

The Center for Strategic and International Studies estimates that cyber-crime costs the global economy upwards of $400 billion per year. Going forward, the incidence of cyber-attacks is only expected to increase as more businesses, large and small, find themselves in the cross-hairs of sophisticated cyber criminals. Businesses and their boards must realize that an intelligent and bespoke cybersecurity program is more than a mere risk management box-ticking exercise. A cybersecurity program is in itself a critical business tool that not only insulates businesses from cyber-attacks but also assists in managing the impact of a cyber breach incident, thereby securing the value and image of the business.

Disclaimer: The views expressed in the article above are those of the authors and do not necessarily represent or reflect the views of this publishing house. Unless otherwise noted, the author is writing in his/her personal capacity. They are not intended and should not be thought to represent official ideas, attitudes, or policies of any agency or institution.

Supratim Chakraborty

The author is a Partner in the Corporate & Commercial practice at Khaitan & Co

Soumyadri Chattopadhyaya

The author is a Senior Associate in the Corporate & Commercial practice at Khaitan & Co
