"I dream of a Digital India where cyber security becomes an integral part of
our National Security." - Narendra Modi
In the present decade, cyber attacks have become a hurdle for good corporate
governance, especially in the financial sector. Privacy and data management are
core issues of corporate governance. Cyber risk is not only an Information
Technology (IT) issue; it culminates in several repercussions for corporate
governance. Cyber security, though rooted in the National Cyber Security Policy,
2013, lacks proper implementation. To transform India digitally by infusing
technology into corporate governance, every director is expected to possess a
sound understanding of the fundamentals of cyber security. This article focuses
on the development of enterprise cyber risk management measures that would keep
cyber risk out of our country's corporate governance.
The National Cyber Security Policy 2013
The National Cyber Security Policy, 2013 came into existence on July 2, 2013,
aiming to protect information and create a secure cyberspace ecosystem that
strengthens the regulatory framework of corporations. The main goal of the policy
is to provide a safe and secure cyberspace for the government, businesses and
citizens of the country. The policy suggests Public Private Partnership and
collaborative engagement through technical and operational cooperation. It
further encourages organizations (both public and private) to designate a person
to serve as Chief Information Security Officer (CISO). Organizations should
integrate information security policies into their business plans and implement
Though the release of this policy marks a paradigm shift towards a secured
cyberspace, some areas require further deliberation before it can be fully
implemented. Risks arising out of existing and new technologies, for example
Cloud Computing, need to be addressed by incorporating cyber-crime tracking,
sharing and analysing information between the public and private sectors, and
creating a trained workforce.
Major drawbacks in the policy of our country
The following are certain pitfalls in the cyber security policy of India for
which it has faced severe criticism:
1. Though India is making great progress in the 'Digital India' initiative,
there still exists no proper cyber security framework.
2. Despite having a National Cyber Security Policy 2013, India remains
defenceless against cyber-crimes and intrusions in the digital arena.
3. Organizations and industries of all types are potential victims of
cyber-attacks because the National Cyber Security Policy has not been adopted and
implemented by all of them.
4. Lack of critical infrastructure protection is a major drawback, making it easy
for attackers to obtain vital information from vulnerable systems.
5. There is no cooperation between different organizations even after the
appointment of a National Cyber Security Coordinator as specified under the
Policy.
6. India could also be subjected to offensive cyber operations given China's
strong emphasis on Cloud Computing techniques.
7. Though the basic framework of cyber security in India has been realized, there
is a lack of initiatives to evolve it into a risk-proof mechanism.
Initiatives that can be adopted to improve cyber risk management under Corporate
Governance
As stated previously, our country's cyber security policy is plagued with
certain drawbacks which leave it open to scrutiny and criticism. Cyber security
in corporate governance has become an accelerating trend worldwide and is now a
key business issue. The threat of cyber risk makes it imperative for our country
to focus on the creation and promotion of cyber security measures. To improve our
cyber security practices, it is therefore of utmost importance to learn from
policies and good practices around the world.
After taking into account the drawbacks in the measures taken by different
countries, the European Confederation of Institutes of Internal Auditing (ECIIA)
and the Federation of European Risk Management Associations (FERMA) set up, in
2017, a joint working body of risk managers and internal auditors to govern
cyber risk in the corporate sphere. Though the report they presented focuses
mainly on European organizations (both public and private), its measures are
worthy of consideration by our legislature for preventing cyber risk.
The report aims at initiating an effective Enterprise Risk Management framework
in order to manage cyber risks. Unlike our Cyber Security Policy Bill 2013,
which guides both private and public companies to appoint a senior member as
Chief Information Security Officer (CISO) solely responsible for cyber security
efforts and initiatives, the report segregates the risk assessment of cyber
security into three parts:
Operational Risk Assessment:
Firstly, it specifies technical and typical risk operations under the authority
of the CISO that would focus on areas like typical cyber attacks, constant
monitoring of IT networks, dissemination of good
Compliance Risk Assessment:
Secondly, the assessment focuses on the applicable legal regulations for
appointing a Data Protection Officer (DPO), whose function is to determine the
cyber security measures that should be taken as a consequence of legal
requirements.
Enterprise Risk Management:
Thirdly, it calls for a robust enterprise cyber risk management system that
would prevent cyber risk in the organization's operations. For example, it
guides digital service providers and the data controllers and processors of
essential services to include a cyber risk assessment within their enterprise
risk management system covering financial, reputational and infrastructural
risks, among others.
Apart from these, the report (in line with the OECD principles) also covers
various other areas of an organizational structure and provides measures which
aim to promote cyber security. The security measures in this report are
remarkable and well worth discussing.
In terms of security, the report provides a comprehensive structured model on
‘The Three Lines of Defence’ specifying the role of different authorities in
governance and risk management, forming a “chain of trust” across all lines.
The First Line of Defence:
This line is responsible for the management of risk and implements the policies
and standards for monitoring the network and infrastructure. The functions most
commonly identified here are in the domains of Information Technology, Human
Resources, the Chief Data Officer (CDO), etc.
The Second Line of Defence:
This line is helmed by the CISO, who defines the policies and the technical
configurations and standards that are to be implemented by the first line. As
part of its work programme it ensures that the units under the first line are
working appropriately, and it is responsible for keeping a balance between the
organization's risk appetite and its cyber security. This governing body (mainly
through the Risk Manager) identifies short-term as well as long-term mitigation
plans, including investment and insurance, and sets benchmarks appropriate for
preventing risk to the organization. Apart from the authorities mentioned, the
second line also includes a Data Protection Officer (DPO) for data protection
and privacy regulations and Financial Officers, who provide financial support for
investment, manage internal risk and validate the budget. A strong second line
of defence not only prevents risk but also attracts external stakeholders to
the organization.
The Third Line of Defence:
This line focuses on the creation of an independent Internal Audit function that
is responsible for keeping a check on the functioning of both the first and
second lines of defence and for providing an annual statement to the Board of
Directors. It plays an important role in the development and assessment of cyber
risk management plans in coordination with the second line. Some of the key
activities of this line are the evaluation of preventive and detection measures
and tracking the diligence of remediation.
Thus, it is a more comprehensive approach to curbing cyber risk in corporate
governance than what the Indian cyber policy provides. Moreover, the report takes
the latest developments into account, which makes it more pertinent to the
present age, where cyber threats are ever increasing. Cyber attacks are growing
in frequency and their cost has been estimated at $575 billion per year. If this
is not well managed, it would lead to severe repercussions for many corporate
entities in our country. Hence, creating a proactive alliance between
anticipative risk management and far-sighted internal audit inside the corporate
structure of every company is the need of the hour.
Sanjiv Tomar - "National Cyber Security Policy 2013: An Assessment" (August 26,
2013) https://idsa.in/idsacomments/NationalCyberSecurityPolicy2013_stomar_260813
Deloitte - "India must have a cyber security framework" (August 17, 2017)
The Hans India - "Cyber security and challenges" (June 14, 2017, 22:16)
Subimal Bhattacharjee - "Managing India's cyber security problems" (October 16,
2012, 21:15) http://www.livemint.com/Opinion/XIvim27KMgpKffESs11HFL/Managing-Indias-cyber-security-problems.html
FERMA & ECIIA - "Cyber Security & Corporate Governance" Report, 2017 (March 16,
2018, 12:10) http://www.eciia.eu/wp-content/uploads/2017/06/OFFSET-PRINT-Brochure-FERMA-2017v3-1.pdf
The National Cyber Security Policy, 2013, Part IV - Strategy.
Supra 6.
OECD Recommendation (2015) - "Digital Security Risk Management for Economic and
Social Prosperity" (March 16, 2018, 16:10) http://www.oecd.org/sti/ieconomy/digital-security-risk-management.pdf
Supra 6.
Supra 6.
Supra 3.
This article has been jointly submitted by Dippyaman Bhattacharya, LLB (2014-19)
& Kolli Srilekya, B.B.A LLB (2014-19), Alliance University,