Several pieces of legislation, rules and sector-specific regulations govern India’s legal, regulatory and institutional framework for cybersecurity, promoting maintenance of security standards, defining cybercrimes and requiring incident reporting.
The Information Technology (IT) Act, 2000, is the primary legislation dealing with cybersecurity, data protection and cybercrime.
Its key features are:
- Granting statutory recognition and protection to electronic transactions and communications;
- Aiming to safeguard electronic data, information and records;
- Aiming to prevent unauthorised or unlawful use of computer systems; and
- Identifying activities such as hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft as punishable offences.
Rules and regulations framed under the IT Act regulate different aspects of cybersecurity as follows:
- Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (2013 rules), established the Computer Emergency Response Team (CERT-In) as the administrative agency responsible for collecting, analysing and disseminating information on cybersecurity incidents, and taking emergency response measures. These rules also put in place obligations on intermediaries and service providers to report cybersecurity incidents to the CERT-In.
- Directions on information security practices, procedure, prevention, response and reporting of cyber incidents for a safe and trusted internet, issued in 2022 by the CERT-In, add to and modify existing cybersecurity incident reporting obligations under the 2013 rules.
- Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI rules) require companies that process, collect, store or transfer sensitive personal data or information to implement reasonable security practices and procedures.
- The Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021, require intermediaries to implement reasonable security practices and procedures to secure their computer resources and information, maintaining safe harbour protections. Intermediaries are also mandated to report cybersecurity incidents to the CERT-In.
- Information Technology (Information Security Practices and Procedures for Protected System) Rules, 2018, oblige companies that have protected systems – as defined under the IT Act – to put in place specific information security measures.
Other laws that contain cybersecurity-related provisions include the Indian Penal Code 1860, which punishes offences committed in cyberspace (such as defamation, cheating, criminal intimidation and obscenity), and the Companies (Management and Administration) Rules 2014, which require companies to ensure that electronic records and systems are secure from unauthorised access and tampering. There are also sector-specific rules issued by regulators and agencies, including the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, the Department of Telecommunications, the Securities Exchange Board of India and the National Health Authority of India, among others, which mandate cybersecurity standards to be maintained by their regulated entities.
Cybersecurity of critical information infrastructure (CII) – defined as any computer resource that can have a debilitating impact on national security, the economy, public health or safety if incapacitated or destroyed – is regulated by guidelines issued by the National Critical Information Infrastructure Protection Centre (NCIIPC).
Under the IT Act, the government may notify any computer resource that affects the facility of CII to be a protected system, prescribing cybersecurity obligations for companies handling protected systems. Designated CII sectors include transport, telecoms, banking and finance, power, energy and e-governance. Within these sectors, the appropriate authority can notify certain computer systems as protected systems. Sectoral regulators and agencies, including the Central Electricity Authority, have also formulated rules and guidelines on cybersecurity and CII.
Since cybersecurity is a cross-cutting issue, India has a complex inter-ministerial and inter-departmental institutional framework for cybersecurity, with several ministries, departments and agencies performing key functions. For instance, the Ministry for Electronics and Information Technology (MeitY) deals with policy relating to IT, electronics and the internet, including cyber laws. It set up the CERT-In as a nodal agency for co-ordination and handling of cyber incident response activities.
The Ministry of Home Affairs looks at internal security, including cybersecurity. For this purpose, it has set up the cyber and information security division, comprising a cybercrime wing, cybersecurity wing and monitoring unit. To combat cybercrime, it also established the Indian Cyber Crime Co-ordination Centre in 2018. The NCIIPC, the nodal agency for CII, is set up under the National Security Adviser. The National Cyber Security Co-ordinator is the nodal officer for cybersecurity, functioning under the Prime Minister’s Office and co-ordinating with various agencies at federal level.
At the federal level, the IT Act places security obligations on organisations handling sensitive personal data. These are laid out in SPDI rules requiring companies to institute managerial, technical, operational and physical security control measures. The rules are also subject to ISO/IEC 27001 international standards on information security management, with body corporates subject to audit checks by an independent government-approved auditor at least once a year, or as and when they significantly upgrade processes and computer resources.
Sectoral regulators and nodal agencies also prescribe security measures. The Reserve Bank of India prescribes standards for banks, including setting a mechanism for dealing with and reporting incidents, cyber crisis management, and arrangements for continuous surveillance of systems and the protection of customer information. It also mandates banks to follow the ISO/IEC 27001 and ISO/IEC 27002 standards.
A similar framework is applicable to non-banking finance companies. The Securities Exchange Board of India requires stock exchanges, depositories and clearing corporations to follow standards such as ISO/IEC 27001, ISO/IEC 27002 and COBIT 5.
CYBER INCIDENT REPORTING
The 2013 rules require organisations to report incidents to the CERT-In within a reasonable time. Incidents include denial of service attacks, phishing and ransomware incidents, website defacements, and targeted scanning of networks or websites.
In April 2022, the CERT-In issued a new directive modifying obligations under the 2013 rules, including requirements to report cybersecurity incidents within six hours, sync system clocks to the time provided by government servers, maintain security logs in India, and store additional customer information. The IT Rules 2021 also require intermediaries to notify the CERT-In of security breaches as part of their due diligence obligations.
Various sector-specific reporting obligations also apply. For instance, in the financial services sector, every bank is required to report incidents within two to six hours of detection. Similarly, insurance companies must report cybersecurity incidents to the Insurance Regulatory and Development Authority within 48 hours of detection. Telecom licensees are required to establish a facility for monitoring intrusions, attacks and frauds on their technical facilities, and to provide reports of such incidents to the Department of Telecommunications.
Traditional criminal actions such as theft, fraud, forgery, defamation and mischief – all of which are covered under the Indian Penal Code, 1860 – may also fall within the scope of cybercrime. The IT Act addresses modern offences such as tampering, hacking, publishing obscene information, unauthorised access to protected systems, breach of confidentiality and privacy, and publishing false digital signature certificates. Sending threatening or defamatory messages by email, forgery of electronic records, cyber fraud, email spoofing, web-jacking and email abuse are also punishable offences.
The federal government, through the National Cyber Security Co-ordinator, is formulating a new national cybersecurity strategy. This aims to address certain gaps in India’s cybersecurity framework and enhance the country’s overall cybersecurity posture.
The government is also considering revamping the IT Act to align with advances in the global and domestic digital and technology environment. This may change the existing cybercrime, incident reporting, and security measures and standards framework.