Cyber security: Be ready for a tighter noose
By Pankit Desai
There is enough coverage, and enough statistics being bandied around, in several media publications about the security threats that have been impacting Indian enterprises. I don’t intend to bore the audience with one more piece on the who and what of cyber security attack patterns.
The purpose of this article is to drive home a slightly different point, which centres on the shift in attack patterns and the potential impact that organizations should brace themselves for, hence the title “be ready for a tighter noose…”
It’s not for me, think twice
I am sure the audience is well-read and aware of some of the high-profile breaches already reported in various sections of the media. While the extensive coverage has definitely gone a long way in raising awareness of the security threats facing enterprises, it has also done a disservice on account of the skewed reporting of the names involved. It makes sense from a story perspective to highlight the more prominent names, but the actual story is that it is the not-so-familiar names that have to face the brunt of the attacks. Verizon reports that 43% of breaches were at small businesses, with an average breach cost of around $200,000.
There isn’t a comparative study for India, but based on our experience at Sequretek and the companies we interact with, the breach statistics would not be very different. Just in the past month, we have had to step in for attacks that impacted a matchstick manufacturer, a mid-size specialty hospital, a co-operative bank with four branches, an ed-tech company, and a housing products company.
Most of these are very small organizations whose names do not make it into any sector lists; some are in geographical locations that are not that accessible by transport, but for cyber criminals that has never been a deterrent. These enterprises suffered, in some cases, business continuity issues on account of key systems not being available, loss of sensitive information that could potentially impact their competitive edge, or direct financial impact.
Beware the G-Men
The Indian regulatory and government machinery has woken up to these threats and has started wielding the stick. The action is being undertaken along two dimensions: a slew of regulators have started laying down cyber security guidelines for the sectors they influence, to improve the defensive posture, and the government is looking to strengthen the legal framework for adequate prosecutorial muscle.
From a regulatory perspective, the focus initially remained on the larger enterprises, but the last couple of years have seen these requirements percolate down to small and mid-size enterprises. I have tried to capture some (not an exhaustive list) of the major regulatory initiatives:
Banking Sector: Started with the Reserve Bank of India issuing guidelines for scheduled banks, then Rural & District Cooperative Banks (in conjunction with NABARD), and now covers the entire cooperative bank segment.
NBFC: Again, the initial guidelines were for larger NBFCs, later extended to cover all irrespective of size, and now include Housing Finance companies as well, which were under NHB earlier.
Financial Markets: SEBI started with market infrastructure institutions like stock exchanges and depositories, and now covers brokerage firms and mutual funds irrespective of size.
Insurance: IRDA issued guidelines for all insurance firms and participants, including brokers and intermediaries.
Listed Companies: Initially, the Top 100 companies needed their board risk management committee to cover the cyber security risk function; this has now been extended to the Top 500. Going by the track record, it wouldn’t be surprising if at some point the majority of listed companies come under the anvil.
Third-party risk: If you are a company that services any of these entities, with some access to their technology or processes, you are likely to be covered under third-party risk, which in turn will mandate you to follow a portion of their regulatory guidelines.
As if this were not enough, we are likely to see several legal measures that will continue to come down to support prosecution with civil and criminal penalties. The IT Act 2000 was the first measure that explicitly laid down the legal framework governing this domain; sections 43, 66, 72 and 73 in particular laid down the civil and criminal penalties related to security threats. In 2011 and 2018 there were amendments to it, called the Information Technology Rules 2011 and 2018 respectively, which further enhanced the coverage. In the next few months, the India Data Protection Bill, with much wider and deeper coverage, is likely to be passed.
Whereas regulatory coverage applies to the respective domains that regulators have an influence on, the legal framework applies to all.
So where’s the noose…
As enterprises, we are likely to get caught between incessant attacks on one side, resulting in business and brand impact, a push by regulators to increase cyber security compliance, and finally the civil and criminal penalties on account of a series of old and new laws.