
Cyber Security in Corporate Governance

"I dream of a Digital India where cyber security becomes an integral part of our National Security." - Narendra Modi

In the present decade, cyber attacks have become a hurdle for good corporate governance, especially in the financial sector. Privacy and data management are the core issues of corporate governance. Cyber risk is not only an Information Technology (IT) issue; it has several repercussions for corporate governance. Although cyber security has been anchored in the National Cyber Security Policy, 2013, the policy lacks proper implementation.

To transform India digitally by infusing technology into corporate governance, every director is expected to possess a sound understanding of the fundamentals of cyber security. This article mainly focuses on the development of enterprise cyber risk management measures in order to contain cyber risk in our country's corporate governance.

The National Cyber Security Policy 2013

The National Cyber Security Policy, 2013 came into existence on July 2, 2013, aiming to protect information and create a secure cyberspace ecosystem that strengthens the regulatory framework of corporations. The main goal of the policy is to provide a safe and secure cyberspace for the government, businesses and citizens of the country. The policy suggests Public Private Partnership and collaborative engagements through technical and operational cooperation. It further encourages organizations (both public and private) to designate a person to serve as Chief Information Security Officer (CISO). Organizations should integrate information security policies into their business plans and implement them.[1]

Though the release of this policy marks a paradigm shift towards a secure cyberspace, some areas require further deliberation before it can be fully implemented. Risks arising out of existing and new technologies, for example Cloud Computing, need to be addressed by incorporating cyber-crime tracking, sharing and analyzing information between the public and private sectors, and creating a trained workforce.[2]

Major drawbacks in the policy of our country

The following are certain pitfalls in the cyber security policy of India for which it has faced severe criticism:
# Though India is making great progress in the 'Digital India' initiative, there still does not exist a proper cyber security framework.[3]
# Despite having a National Cyber Security Policy 2013, India remains defenceless against cyber-crimes and intrusions in the digital arena.
# Organizations and industries of all types are potential victims of cyber-attacks because the National Cyber Security Policy has not been implemented or adopted by all of them.
# Lack of protection for critical infrastructure is a major drawback, making it easy for attackers to obtain vital information from vulnerable systems.
# There exists no cooperation between different organizations even after the appointment of a National Cyber Security Coordinator as specified under the Policy.
# India could also be subjected to offensive cyber operations due to China's strong emphasis on cloud computing techniques.[4]
# Though the basic framework of cyber security in India has been realized, there is a lack of initiatives to evolve it into a risk-proof mechanism.[5]

Initiatives that can be accommodated for improving the cyber risk management under Corporate Governance

As stated previously, our country's cyber security policy is plagued with certain drawbacks which expose it to scrutiny and criticism. Cyber security in corporate governance has become an accelerating trend worldwide and is now a key business issue. The threat of cyber risk makes it imperative for our country to focus on the creation and promotion of cyber security measures. Therefore, to improve our cyber security practices, it is of utmost importance to learn from policies and good practices around the world.

After taking into account the drawbacks in the measures taken by different countries, the European Confederation of Institutes of Internal Auditing (ECIIA) and the Federation of European Risk Management Associations (FERMA) set up, in 2017, a joint working body comprising risk managers and internal auditors to govern cyber risk in the corporate sphere. Though the report they presented focuses mainly on European organizations (both public and private), its measures are worth consideration by our legislature in preventing cyber risk.[6]

The report aims at initiating an effective Enterprise Risk Management framework in order to manage cyber risks. Unlike our National Cyber Security Policy, 2013, which guides both private and public companies to appoint a senior member as Chief Information Security Officer (CISO) solely responsible for cyber security efforts and initiatives,[7] the report segregates cyber security risk assessment into three parts:[8]

Operational Risk Assessment:

Firstly, it specifies technical and typical risk operations under the authority of the CISO, focusing on areas such as typical cyber attacks, constant monitoring of IT networks, dissemination of good practice, etc.

Compliance Risk Assessment:

Secondly, the assessment focuses on the applicable legal regulations for appointing a Data Protection Officer (DPO), whose function is to determine the cyber security measures that must be taken as a consequence of legal requirements.[9]

Enterprise Risk Management:

Thirdly, it delineates a robust enterprise cyber risk management system that would prevent cyber risk in the organization's operations. For example, it guides digital service providers, data controllers and processors of essential services to include a cyber risk assessment within their enterprise risk management system in areas such as financial, reputational and infrastructural risk.[10]

Apart from these, the report (in line with the OECD principles[11]) also addresses various other areas of organizational structure and provides measures which aim to promote cyber security. The security measures provided by this report are remarkable and well worth discussing.

In terms of security, the report provides a comprehensive structured model, 'The Three Lines of Defence', specifying the role of different authorities in governance and risk management and forming a "chain of trust" across all lines.

The First Line of Defence:

This line is responsible for the management of risk and implements policies and standards for monitoring the network and infrastructure. The functions most commonly identified here are Information Technology, Human Resources, the Chief Data Officer (CDO), etc.[12]

The Second Line of Defence:

This line is helmed by the CISO, who defines the policies and technical configurations/standards that are to be implemented by the first line. As part of its work programme, it ensures that the units in the first line are working appropriately. It is responsible for maintaining a balance between the organization's risk appetite and its cyber security. This governing body (mainly through the Risk Manager) identifies short-term as well as long-term mitigation plans, including investment and insurance, and sets benchmarks appropriate to prevent risk to the organization. Apart from the authorities mentioned, the second line also includes a Data Protection Officer (DPO) for data protection and privacy regulations, and Financial Officers for financial support in investment, management of internal risk and validation of the budget. A better second line of defence not only prevents risk but also attracts external stakeholders to the organization.[13]

The Third Line of Defence:

This line focuses on the creation of an independent 'Internal Audit' responsible for keeping a check on the functioning of both the first and second lines of defence and providing an annual statement to the Board of Directors. It plays an important role in the development and assessment of cyber risk management plans in coordination with the second line. Some of the key activities of this line are the evaluation of preventive and detection measures, tracking the diligence of remediation, etc.[14]

Thus, the report offers a more comprehensive approach to curbing cyber risk in corporate governance than the Indian cyber policy provides. Moreover, the report takes into account the latest developments, which makes it more pertinent to the present age, where cyber threats are ever increasing.

Conclusion

Cyber attacks are increasing in frequency and their cost has been estimated at $575 billion per year.[15] If not well managed, they would lead to severe repercussions for many corporate entities in our country. Hence, creating a proactive alliance between anticipative risk management and far-sighted internal audit inside the corporate structure of every company is the need of the hour.

End-Notes
[1] Sanjiv Tomar – "National Cyber Security Policy 2013: An Assessment" (August 26, 2013) https://idsa.in/idsacomments/NationalCyberSecurityPolicy2013_stomar_260813
[2] Ibid.
[3] Deloitte – "India must have a cyber security framework" (August 17, 2017) http://www.governancenow.com/news/regular-story/india-must-have-a-cyber-security-framework-deloitte
[4] The Hans India – "Cyber security and challenges" (June 14, 2017, 22:16) http://www.thehansindia.com/posts/index/Young-Hans/2017-06-14/Cyber-security-and-challenges/306445
[5] Subimal Bhattacharjee – "Managing India's cyber security problems" (October 16, 2012, 21:15) http://www.livemint.com/Opinion/XIvim27KMgpKffESs11HFL/Managing-Indias-cyber-security-problems.html
[6] FERMA & ECIIA – "Cyber Security & Corporate Governance" Report, 2017 (March 16, 2018, 12:10) http://www.eciia.eu/wp-content/uploads/2017/06/OFFSET-PRINT-Brochure-FERMA-2017v3-1.pdf
[7] The National Cyber Security Policy, 2013, Part IV – Strategy.
[8] Ibid.
[9] Supra 6.
[10] Ibid.
[11] OECD Recommendation (2015) – "Digital Security Risk Management for Economic and Social Prosperity" (March 16, 2018, 16:10) http://www.oecd.org/sti/ieconomy/digital-security-risk-management.pdf
[12] Supra 6.
[13] Ibid.
[14] Supra 6.
[15] Supra 3.

This article has been jointly submitted by Dippyaman Bhattacharya, B.A. LLB (2014-19) & Kolli Srilekya, B.B.A LLB (2014-19), Alliance University, Bangalore.
