Cybersecurity Compliance & Regulations In India

Cybersecurity Compliance & Regulations In India

Can you imagine leaving your home without locking your main door?

It would welcome multiple threats, like vandalism, theft, and harm to your loved ones, right?

‘Cybersecurity’ does the same by guarding your ‘digital doors’ against illegal entries. Without it, private data, passwords, IDs, financial information, and more could be hacked easily. 

In 2023, India had the fifth-highest number of breached accounts: 5.3 million. In October of the same year, ‘Resecurity’ (an American cybersecurity company) found a breach exposing 815 million Aadhaar details on the dark web. Earlier, the CoWIN portal also leaked some personal data via a Telegram bot. The data included names, passport numbers, Aadhaar cards, and more!

Such figures and incidents underscore the importance of effective cybersecurity measures in India. 

So, this comprehensive guide will primarily discuss the nation’s top cybersecurity compliance and regulations that everyone should be aware of!

Main Cybersecurity Regulating Bodies In India

India’s digital growth has brought various cyber risks. To protect its online world, the nation has established various regulatory bodies. Some of the major names are discussed below:

CERT-In (Computer Emergency Response Team-India):

CERT-In is at the forefront of protecting India from cyberattacks. It is a part of MeitY, which is the ministry that deals with electronics and information technology.

The body acts as a first line of defense against cyber attacks by giving advice, responding actively to incidents, and checking for vulnerabilities/weaknesses in the security systems.

CRAT (Cyber Regulations Appellate Tribunal):

The CRAT is a group of people who work together to make sure that disputes related to cybersecurity, cybercrime, and electronic transactions are formally settled.

While CRAT doesn’t appear to have original jurisdiction, it holds authority over:

  • Take affidavits as proof.
  • Order all digital and online evidence to be presented in court.
  • Send out orders, carry out commissions, and question people, documents, and witnesses under oath.
  • Examine court rulings to settle disputes and events.
  • Accept, reject, or declare defaulters’ applications as ex parte.

SEBI (Securities & Exchange Boards Of India):

The Securities and Exchange Board of India, or SEBI, is a non-statutory body that was founded in 1988. It safeguards investors, regulates markets, and promotes fairness.

It oversees stock exchanges, brokers, and mutual funds, ensuring transparent practices. It also regulates entities like depositories and credit rating agencies, monitors insider trading, and audits market participants. So, it plays a vital role in ensuring integrity and educating investors in India’s securities market.

IRDAI (Insurance Regulatory & Development Authority Of India):

As the name suggests, IRDAI regulates and develops the insurance sector in India. More and more people are purchasing and managing their insurance plans online, making them vulnerable to getting hacked or leaked.

IRDAI is like a watchdog, making sure that the insurance companies in India are protecting the personal information of their customers. They do this by issuing guidelines on how to keep data and information secure, teaching people about cybersecurity measures, and regularly checking on how well insurers follow the rules.

TRAI (Telecom Regulatory Authority Of India):

TRAI is the top regulator for telecom departments in India. It creates strict regulations and norms for telecom service providers.

It makes sure that these companies follow cybersecurity rules, use safe ways to talk to each other and work with cybersecurity experts to protect India’s telecom system.

It also added new responsibilities regarding digital transactions in India since the majority of Indians make payments via their mobile phones.

Top Cybersecurity Laws & Regulations In India

Here are the up-to-date regulations and laws regarding cybersecurity in India:

Information Technology Act (2000 & 2008):

India’s cybersecurity journey began with the Information Technology Act of 2000, paving the way for digital governance and data protection. It also created a legal framework for India’s essential information infrastructure.

For example, in order to protect sensitive data from breach, damage, exposure, or misuse, Indian businesses must follow “reasonable security practices and procedures” in accordance with Section 43A of the IT Act.

The 2008 Amendment Act further strengthened cybersecurity measures by establishing a set of important duties. Some of them are:

  • Enhancing forensic and cybersecurity skills.
  • Making it mandatory for enterprises and intermediaries to notify CERT-In of cyber events.
  • Protecting private information from online dangers such as identity theft, phishing, malware, DDoS attacks, and terrorism.
  • Acknowledging cybersecurity procedures in businesses legally.
  • Guarding against unauthorized usage of computer systems.
  • Monitoring and record decryption for the security of electronic payments and transactions.
  • Developing guidelines for electronic signatures.

Any violations of the rules could incur hefty penalties, underscoring the act’s important role in tackling cyber threats.

The National Cyber Security Policy, 2013:

The policy was launched by the Department of Electronics and Information Technology (DeitY). It serves as a strategic blueprint to strengthen India’s cyber defenses.

One of its primary objectives is to create a resilient ecosystem by forming a skilled workforce of over 5,00,000 IT professionals.

Here are some of the strategies that the policy aims to follow:

  • Firstly, it recommends establishing a ‘Secure Cyber Ecosystem’ by appointing a national cyber coordination agency and requiring organizations to designate ‘Chief Information Security Officers’.
  • Next, it discusses an ‘Assurance Framework’, advocating for global best practices and implementing procedures to ensure compliance.
  • It also advocates for ‘Open Standards’ to enhance the compatibility and certification of IT products.
  • For ‘Security Threat Management’, it suggests having national systems and teams for emergencies and drills.
  • It also focuses on ‘Protecting Critical Information Infrastructure’, which includes making protection plans and having a 24×7 security center.
  • Lastly, it encourages ‘Information Sharing & Collaboration’ between the public and private sectors, along with prioritizing critical areas for immediate action.

The Digital Personal Data Protection Act, 2023:

This act stands as a crucial legislative step by the Parliament of India to safeguard individual privacy amidst the complexities of the digital era. Enacted in August 2023, it extends its jurisdiction to all entities handling personal data within India.

The law ensures personal digital data protection through the following key steps:

  • Defining Duties For Data Handlers: It sets clear responsibilities for individuals, companies, and government bodies managing data. These duties cover data collection, storage, and processing, ensuring adherence to set standards.
  • Outlining Rights & Duties For Data Owners: The law specifies the rights individuals have over their data and what they must do. They are as follows:
    • Right to access their personal data.
    • Right to correct or erase data.
    • Right to seek complaint resolutions.
    • Right to choose someone to exercise these rights for them when they’re not available.
  • Imposing Penalties For Violations: It imposes fines for breaking the laws. These penalties discourage unauthorized data use or breaches, ensuring accountability and rule compliance.
  • Establishing The ‘Data Protection Board’: The law mandates creating this board to enforce data protection measures. It monitors compliance, resolves disputes, and takes action against non-compliance, safeguarding digital data integrity nationwide.
  • KYC (Know Your Customers)

In a world of global transactions and rapid e-commerce, security and compliance are very important in India. Know Your Customer (KYC), which is a process mandated by the RBI (Reserve Bank of India), is an effective shield against fraud and identity theft.

These protocols demand rigorous customer verification that ensures transparency in financial transactions. Crucial documents like proof of identity, address proof, and income proof form the cornerstone of KYC verification.

Not only this, but companies also employ biometric authentication and AI-driven document verifications to increase transparency. If businesses fail to implement proper KYC measures, it can expose them to a number of risks, including reputational damage and money loss.

With India’s diverse population and unique challenges, KYC verification methods may vary across the nation. But two of the prominent methods are Aadhaar-Based KYC (eKYC) and In-Person Verification (IPV).

‘Aadhaar-Based KYC’ in India uses ‘Aadhaar’, a government ID with biometric data, for verification. People sign up by giving their biometrics and personal information. When a company needs KYC, they ask for Aadhaar verification, usually with biometric devices or OTP. Customers provide Aadhaar details or get an OTP. The company checks this with the Aadhaar server. If it matches, KYC is done, updating records.

On the other hand, ‘In-Person Verification’ (IPV) checks a customer’s identity physically with an authorized representative. It starts with an appointment, ID submission, and a physical check at a set location. The representative compares the customer’s appearance with ID photos, fills out a verification form, and updates records after completion.

The Reserve Bank Of India Act, 2018:

The RBI bank issues important cybersecurity rules for various financial situations in India. These rules help keep financial transactions and customer information safe. Created in 2018, the RBI Act says that Urban Co-operative Banks (UCBs) and payment operators must follow strict cybersecurity plans. It’s like a rulebook for companies to make sure they’re doing things right with their technology and information.

Three of the key provisions of the act include:

  1. Procedures and frameworks for companies to make sure their strategies, risks, resources, performance, and ability to recover from disasters are all in line with what’s needed.
  1. Framework of 3 big groups (a board committee for technology strategy, another committee for steering technology decisions, and a committee for information security) that companies need to set up to make sure they’re following the rules.
  1. Recommendations on picking someone important to be in charge of information security called a ‘chief information security officer’, who reports to someone other than the head of the IT department to keep things fair. And they should practice recovering from disasters regularly to make sure they’re ready if something bad happens.

Any kind of non-compliance with the RBI guidelines can incur penalties of up to ₹10 million, emphasizing how important cybersecurity is for India.

The Bottom Line

In a world where our digital lives are as vital as our physical ones, cybersecurity stands as the guardian of our virtual existence. As we navigate the vast digital landscape, the importance of strong cybersecurity compliance and laws cannot be overstated, especially in a country like India where the digital ecosystem is mushrooming fast. 

From the inception of the Information Technology Act of 2000 to the recent Digital Personal Data Protection Act of 2023, the nation has been proactive in strengthening its cyber defenses. These laws not only outline the responsibilities of organizations in handling personal data but also impose penalties for any kind of violation. 

Additionally, regulatory bodies like CRAT, SEBI, and IRDAI play important roles in safeguarding various sectors against cyber attacks. They not only set guidelines but also monitor the organizations under them for how they are handling data and following rules. 

All such factors ensure a secure digital environment for businesses, consumers, and even the government. In essence, India seems to be ready to tackle cyber threats effectively and pave the way for a secure and resilient digital ecosystem.

Article Published by

Related Posts

What is Non-Tax Revenue
Probus Insurance

What is Non-Tax Revenue?

In India, the government collects revenue in two main categories: “Tax Revenue” and “Non-Tax Revenue.” Tax revenue is a major income source for the

Read More »
NITI Aayog
Probus Insurance

NITI Aayog

NITI Aayog, which stands for National Institution for Transforming India, was indeed created by the Indian government as a replacement for the Planning Commission.

Read More »