Cybersecurity Compliance & Regulations In India

Here are the up-to-date regulations and laws regarding cybersecurity in India:

Information Technology Act (2000 & 2008):

India’s cybersecurity journey began with the Information Technology Act of 2000, paving the way for digital governance and data protection. It also created a legal framework for India’s essential information infrastructure.

For example, in order to protect sensitive data from breach, damage, exposure, or misuse, Indian businesses must follow “reasonable security practices and procedures” in accordance with Section 43A of the IT Act.

The 2008 Amendment Act further strengthened cybersecurity measures by establishing a set of important duties. Some of them are:

• Enhancing forensic and cybersecurity skills.

• Making it mandatory for enterprises and intermediaries to notify CERT-In of cyber events.

• Protecting private information from online dangers such as identity theft, phishing, malware, DDoS attacks, and terrorism.

• Acknowledging cybersecurity procedures in businesses legally.

• Guarding against unauthorized usage of computer systems.

• Monitoring and record decryption for the security of electronic payments and transactions.

• Developing guidelines for electronic signatures.

Any violations of the rules could incur hefty penalties, underscoring the act’s important role in tackling cyber threats.

The National Cyber Security Policy, 2013:

The policy was launched by the Department of Electronics and Information Technology (DeitY). It serves as a strategic blueprint to strengthen India’s cyber defenses.

One of its primary objectives is to create a resilient ecosystem by forming a skilled workforce of over 5,00,000 IT professionals.

Here are some of the strategies that the policy aims to follow:

• Firstly, it recommends establishing a ‘Secure Cyber Ecosystem’ by appointing a national cyber coordination agency and requiring organizations to designate ‘Chief Information Security Officers’.

• Next, it discusses an ‘Assurance Framework’, advocating for global best practices and implementing procedures to ensure compliance.

• It also advocates for ‘Open Standards’ to enhance the compatibility and certification of IT products.

• For ‘Security Threat Management’, it suggests having national systems and teams for emergencies and drills.

• It also focuses on ‘Protecting Critical Information Infrastructure’, which includes making protection plans and having a 24×7 security center.

• Lastly, it encourages ‘Information Sharing & Collaboration’ between the public and private sectors, along with prioritizing critical areas for immediate action.

The Digital Personal Data Protection Act, 2023:

This act stands as a crucial legislative step by the Parliament of India to safeguard individual privacy amidst the complexities of the digital era. Enacted in August 2023, it extends its jurisdiction to all entities handling personal data within India.

The law ensures personal digital data protection through the following key steps:

• Defining Duties For Data Handlers: It sets clear responsibilities for individuals, companies, and government bodies managing data. These duties cover data collection, storage, and processing, ensuring adherence to set standards.

• Outlining Rights & Duties For Data Owners: The law specifies the rights individuals have over their data and what they must do. They are as follows:

• • Right to access their personal data.
  • Right to correct or erase data.
  • Right to seek complaint resolutions.
  • Right to choose someone to exercise these rights for them when they’re not available.

• Imposing Penalties For Violations: It imposes fines for breaking the laws. These penalties discourage unauthorized data use or breaches, ensuring accountability and rule compliance.

• Establishing The ‘Data Protection Board’: The law mandates creating this board to enforce data protection measures. It monitors compliance, resolves disputes, and takes action against non-compliance, safeguarding digital data integrity nationwide.

• KYC (Know Your Customers)

In a world of global transactions and rapid e-commerce, security and compliance are very important in India. Know Your Customer (KYC), which is a process mandated by the RBI (Reserve Bank of India), is an effective shield against fraud and identity theft.

These protocols demand rigorous customer verification that ensures transparency in financial transactions. Crucial documents like proof of identity, address proof, and income proof form the cornerstone of KYC verification.

Not only this, but companies also employ biometric authentication and AI-driven document verifications to increase transparency. If businesses fail to implement proper KYC measures, it can expose them to a number of risks, including reputational damage and money loss.

With India’s diverse population and unique challenges, KYC verification methods may vary across the nation. But two of the prominent methods are Aadhaar-Based KYC (eKYC) and In-Person Verification (IPV).

‘Aadhaar-Based KYC’ in India uses ‘Aadhaar’, a government ID with biometric data, for verification. People sign up by giving their biometrics and personal information. When a company needs KYC, they ask for Aadhaar verification, usually with biometric devices or OTP. Customers provide Aadhaar details or get an OTP. The company checks this with the Aadhaar server. If it matches, KYC is done, updating records.

On the other hand, ‘In-Person Verification’ (IPV) checks a customer’s identity physically with an authorized representative. It starts with an appointment, ID submission, and a physical check at a set location. The representative compares the customer’s appearance with ID photos, fills out a verification form, and updates records after completion.

The Reserve Bank Of India Act, 2018:

The RBI bank issues important cybersecurity rules for various financial situations in India. These rules help keep financial transactions and customer information safe. Created in 2018, the RBI Act says that Urban Co-operative Banks (UCBs) and payment operators must follow strict cybersecurity plans. It’s like a rulebook for companies to make sure they’re doing things right with their technology and information.

Three of the key provisions of the act include:

1. Procedures and frameworks for companies to make sure their strategies, risks, resources, performance, and ability to recover from disasters are all in line with what’s needed.

2. Framework of 3 big groups (a board committee for technology strategy, another committee for steering technology decisions, and a committee for information security) that companies need to set up to make sure they’re following the rules.

3. Recommendations on picking someone important to be in charge of information security called a ‘chief information security officer’, who reports to someone other than the head of the IT department to keep things fair. And they should practice recovering from disasters regularly to make sure they’re ready if something bad happens.

Any kind of non-compliance with the RBI guidelines can incur penalties of up to ₹10 million, emphasizing how important cybersecurity is for India.