The Ministry of Electronics and Information Technology is likely to come out with new cyber security regulations, as indicated by Minister of State Rajeev Chandrasekhar at a recent cyber security event. The essence of this regulation will be to put the onus on organisations to report any cyber crime that may have happened against them, including data leaks. Clause 25 in the Data Protection Bill 2021 says that data fiduciaries should report any personal and non-personal data breach incident within 72 hours of becoming aware of a breach. Even the gold standard for data protection, namely the European Union General Data Protection Regulation (EU GDPR), has a clause for reporting data breach incidents within a stringent timeline.
While this, in principle, is likely to improve cyber security and reduce attacks and breaches, why are there continuing breach incidents every minute? According to Cybercrime Magazine, if it were measured as a country, then cyber crime — which is predicted to inflict damages totalling $6 trillion globally in 2021 — would be the world’s third-largest economy after the U.S. and China.
Apart from private firms, government services, especially critical utilities, are prone to cyber attacks and breach incidents. The ransomware attack against the nationwide gas pipeline in 2021 in the U.S. virtually brought down the transportation of about 45% of all petrol and diesel consumed on the east coast. Hence it is important that even cyber attacks on government and state-owned enterprises be reported so that corrective actions can be taken on the security of critical infrastructure of the nation.
What is the logic behind incident reporting? If incidents are reported, the Indian Computer Emergency Response Team and others can alert organisations about the associated security vulnerabilities. Firms not yet affected can also take precautionary measures such as deploying security patches and improving their cyber security infrastructure.
But firms are reluctant to notify regulators of breach incidents. This is because any security or privacy breach has a negative impact on the reputation of the affected firm. An empirical study by Comparitech indicates that the share prices of breached firms generally fall around 3.5% on average over the three months following the breach. In the long term, breached companies underperformed in the market: after one year, the share price of breached firms had fallen 8.6% on average, resulting in poor stock market performance. So, firms weigh the penalties they face for not disclosing incidents against the potential reputational harm of disclosure, and decide accordingly.
The other important aspect is enforcement of the regulation and associated rules. How will the regulator come to know when a firm does not disclose a security breach? It can be done only through periodic cyber security audits. These audits should be comprehensive enough to identify incidents that the firm might not have reported. Unfortunately, regulators in most countries, including India, do not have the capacity to conduct security audits frequently and completely. If either the probability of such an audit is low or the probability of finding breach incidents during the audit is low, there is an incentive for firms not to disclose security attacks.
Given the complex nature of disclosure described above, what could be the possible solutions apart from enacting rules? The first is that the government empanel third-party cyber security auditors to conduct periodic cyber security impact assessments, primarily across all government departments at both the national and State level, so that security threats and incidents can be detected proactively and incidents averted. The government can also mandate that private firms publish periodic security audit reports, and arrange to conduct surprise security audits for enforcement.
As part of the Government of India's cyber security assurance initiatives, the Ministry has set up Common Criteria Testing Laboratories and certification bodies across the country to evaluate and certify IT security products and protection profiles. These schemes can be extended to cyber security audits and assessments as well. Much like IBM, which set up a large cyber security command centre in Bengaluru, other large firms can also be encouraged to set up such centres to protect their assets. Such measures will also pass muster under the EU GDPR, thereby moving India closer to the set of countries that have the same level of cyber security and data protection as the EU, allowing seamless cross-border data flow.
V. Sridhar is Professor, IIIT Bangalore