Cybersecurity Asia - India’s digital transformation drives cybersecurity re-evaluation

India’s ongoing transformation into a digital-first economy has left the government grappling with a rise in cybercrime. Traditional businesses, striving to adopt digital strategies to stay competitive, and new technology businesses, of which India has a large number including some unicorns, are racing to comply with new legislation and have increasingly found themselves exposed to online and network security risks.

The India Computer Emergency Response Team (CERT-In), overseen by the Ministry of Electronics & Information Technology, handled more than 313,000 cybersecurity incidents in 2019, up from 208,000 such incidents in 2018 and 53,000 in 2017.

The country has embraced technology on an unprecedented scale, introducing the world’s largest biometric identity programme – Aadhaar – that covers 1.25 billion residents. Moreover, the Goods and Services Tax (GST) digital platform was rolled out to more than 10 million business in 2017.

As India moves toward a more connected future – embracing internet of things (IoT) based systems to connect its people and business – attacks involving malware, phishing and hacking will keep increasing, with the potential to impact society at a personal, municipal and national level.

Recognising the risks, the central government introduced the Personal Data Protection Bill in 2019 as a first step in safeguarding the data of its citizenry.

"Cyber risk is growing rapidly, with India now in the top three countries worldwide in terms of incidents reported."

Data is a commodity

During her presentation of the Union Budget 2020 to parliament on February 2, Indian Minister of Finance Nirmala Sitharaman said: “It is now a cliché – data is the new oil – and, indeed, analytics, artificial intelligence (AI), fintech and IoT are quickly transforming the way we deal with our lives.”

Such a transformation does not come without challenges, however. Howden Insurance Brokers India Pvt. Ltd, Director and Principal Officer Mahesh Chainani said: “Cyber risk is growing rapidly, with India now in the top three countries worldwide in terms of incidents reported. The bigger a company is the greater the risk it faces, given that it is likely not just storing employee data but also, depending on employee benefits, that of their families.”

Banking industry executive Shyam Sundar said that while banks’ highest cybersecurity priority was protecting customer data, that job was growing ever more complicated. He said: “Banks deal with customers at every level – lending on the assets side through to opening accounts on the liability side. All customer data is considered personal data, but securing that data becomes more of a challenge as it is accessed across all levels of a digital ecosystem.”

India’s largest bank, the State Bank of India (SBI), was the victim of last year’s biggest data breach, with an unsecured server leading to the exposure of data belonging to 422 million customers. The Reserve Bank of India (RBI), meanwhile, directed several major banks in October 2019 to ensure the security of customers’ debit and credit card data after ZDNet reported that Singaporean security researchers had found details of 1.3 million Indian accounts available online.

The Personal Data Protection Bill aims to tighten security standards across every industry by requiring security safeguards (such as encryption) and introducing tough penalties for those found to be in breach of its directives.

Vikram Singh, who leads the TMC regulatory practice at BTG Legal, points out that individual regulators have already begun to flex their muscles. He said: “In 2018, the RBI required all payment data to be stored only in India. Similarly, disparate sectoral laws require localisation of insurance data, companies’ records, etc. But an overarching data security law has been absent, so far.”

“The rules are positive for the industry as it requires data holders to know where the data is stored at all times and encourages an extra layer of security.”

Tighter security measures

The bill requires companies to store certain categories of data – including financial, health and biometric information – in India, while also providing greater clarity around data sharing. Moreover, the government will set up a Data Protection Authority (DPA) to oversee the bill’s implementation and regulation. Companies found to be in breach could face penalties of up to 4% of their global revenue.

Bharti Group’s General Counsel Sameer Chugh praised the new data storage requirements, saying: “The rules are positive for the industry as it requires data holders to know where the data is stored at all times and encourages an extra layer of security.”

Chugh said: “Telecom companies have the data of millions of customers, which means the quest for security is a never-ending pursuit. If you look at the majority of countries with data protection legislation, you’ll find they have implemented the same requirements around keeping data in-house.”

“India has a history of well-meaning legislation that is waylaid by bureaucracy.”

There are challenges in complying with the proposed bill, however, such as requiring international software and IT vendors to establish local data centres. Banking executive Uma Ramani said financial institutions had been left with the difficult choice of either convincing international software vendors to locate servers in India or cut ties with them altogether, lest their banking licences are withdrawn.

While agreeing that there would not be much choice for customers or vendors, Singh said a number of BTG Legal’s overseas clients were already in the process of localising their General Data Protection Regulation (GDPR) practices to fit India. Singh said: “GDPR was a sea change and it took companies two to three years to get their heads around. A lot of companies are adamant on not repeating the mistakes of May 2018.”

Finance Minister Sitharaman has said the government intends to assist the private sector in building data centres throughout India that would “empower our firms to incorporate data in every step of their value chains skillfully”.

However, Sundar warned against expecting too much, too soon from the new bill, noting that the legislation needed to be married to jurisprudence. He said: “India has a history of well-meaning legislation that is waylaid by bureaucracy.”

"This shift of authority could significantly speed up how cybercrimes are handled."

Sundar’s comments were echoed by Singh, who said: “The new personal data protection bill is a half-and-half split between government surveillance measures and data protection on GDPR lines. If the legislative intent is so split, how and in what cases will this law be enforced?”

Singh said the fact that severe punishments set out under 2000’s information technology law had not completely stopped phishing attacks underscored the limits of legislation.

Sundar said it remained to be seen how quickly the DPA was able to get up to speed in terms of administering the new bill and said there was a case to be made for the devolution of cyber powers to state governments.

He said: “This shift of authority could significantly speed up how cybercrimes are handled. Mumbai, for example, is the financial heart of India, so setting up a cyber court there would make a lot of sense.”

While the Personal Data Protection Bill is an important piece of India’s cybersecurity puzzle, it does not address the relatively rudimentary state of India’s network security legislation.

“India needs to regulate the ecosystem, using technocrats and not just bureaucrats, to build better resilience."

Network concerns

BTG Legal’s Prashant Mara said that following the approval of data protection legislation, the Indian government would likely need to undertake a national gap assessment of the current network security and regulations and begin drafting network security regulations.

“Technology is constantly evolving, changing from day to day. There is no right answer to legislating for the future and India like any country is going to struggle to keep pace.”

Mara said: “Current data security requirements leave it to private entities to incorporate ‘adequate security standards’ without providing a minimum guidance level. In the banking, telecom and critical infrastructure sectors a little more guidance is provided, but this is still in the nature of broad level guidance.”

He said this was not enough to ensure a minimum standard of security and argued that a lack of pro-active monitoring and constant refinement of the security standards was leaving networks at risk.

Mara added: “India needs to regulate the ecosystem, using technocrats and not just bureaucrats, to build better resilience. Much of that ecosystem is already being built and care should be taken that the existing infrastructure is not left vulnerable because regulations have not kept pace.”

The challenges of legislation keeping pace with rapid technological evolution is not restricted to India. Chugh said: “Technology is constantly evolving, changing from day to day. There is no right answer to legislating for the future and India like any country is going to struggle to keep pace.”

At the same time, the executive was upbeat about New Delhi’s path, saying: “The government’s strategy and efforts are clearly trying to ensure that there is something in place to deal with those changes.”

The nature of technology will always raise questions about whether governments are adapting quickly enough to new realities. However, India’s latest legislative efforts have drawn the country’s business leaders into an incredibly important conversation.

“Human nature tends to place more value on the tangible than the intangible, though this is slowly changing.”

Deeper understanding

Chainani said corporate cybersecurity was being discussed in boardrooms in a way it had not before and companies were increasingly reviewing their needs, including cyber-insurance.

Chainani said that Liability Insurance still only represented 1-2% of India's overall general insurance market, and Cyber Insurance being around 4-5% of the Liability market, adding: “Human nature tends to place more value on the tangible than the intangible, though this is slowly changing.”

Ramani added that banks were increasingly looking at cybersecurity policies as part of compressive cyber crisis management plans.

Chainani echoed this sentiment, saying the cyber-insurance market was growing at 10-15% per year and that since the products had emerged the insurance industry had become a lot more skilled in offering cover that meets clients’ needs. “When cyber-insurance was first offered, premiums were very high because it was viewed as an exotic product that wasn’t fully understood, even by those offering it. While premiums had been coming down for some time, the trend now is that the prices have begun to harden slowly due to an increase in uptick of claim notifications.

Much will depend on the final form of the Personal Data Protection Bill, which is likely to witness amendments and clarifications on its road to becoming law.

India is striving to safeguard its digital future and such clarifications are not only an essential step towards that goal, they also help set industry expectations around future legislation in the digital landscape.