Defending against cyber threats

Today, cyber threats represent a systemic risk, affecting the economy, including critical infrastructure, national security, and companies, large and small

Amit Tandon
Last Updated: Dec 20 2022 | 11:32 PM IST
The recent cyberattack at the All India Institute of Medical Sciences is a stark reminder that no entity is safe from such threats. Cybersecurity incidents are rising and doing so at an increasing rate. In a written reply to a question in the Lok Sabha, Union Minister Ajay Kumar Mishra said based on the data with the Indian Computer Emergency Response Team (CERT-In), 1.2 million cybersecurity incidents were reported in 2020, 1.4 million in 2021, and 0.67 million up to June in 2022. Google in contrast stated that India witnessed 18 million cyberattacks and 200,000 threats a day in the first quarter of 2022 alone. The vast divergence in the numbers notwithstanding, it is apparent that such threats present an ongoing and escalating risk that organisations (and individuals) need to wrestle with.

As the digital dependency of businesses grows, cyber threats will only intensify. Today these risks have moved from one corner of the organisation to affecting the entire company. In fact, the World Economic Forum, in its 2022 Global Risk Report, identified cyber threats as among the top five global risks.

Such attacks are also expensive to deal with. IBM, in its Cost of Data Breach Report 2022, puts the global average cost at $4.35 million, with the India number at $2.32 million. For companies, adding to the financial costs and the stress of dealing with the fallout of the damage, European and US regulators now impose penalties — this is one of the rare instances where the victim is deemed to be culpable. Despite the companies being both the target and the victim, the growing incidents of cyber breaches and demand for ransomware mean that companies are running into a stricter regulatory environment.

In Europe, regulators accord primacy to personal data protection, and today the General Data Protection Regulation, or GDPR, is well understood by many Indian firms. In addition, the EU expects companies to maintain the integrity of critical infrastructure, systems, and services, and is steadily upping the requirements through its Network and Information Security (NIS and NIS2) directives. Further, the EU has put in place guidelines regarding the reporting of data breaches.
 
The Securities and Exchange Commission (SEC) has proposed amendments to its Cybersecurity Rules and put out two papers for discussion. In February, it published Cybersecurity Risk Management Rules for Investment Advisors and Funds, and, in March, expanded its rules enhancing and standardising disclosures regarding cybersecurity risk management, strategy, governance, and incident reporting by public companies.
 
Highlighting Cybersecurity Governance, the SEC expects companies to disclose the extent of the board’s oversight of cybersecurity risks, and the management’s role in assessing and managing cybersecurity-related risks, and in implementing the company’s cybersecurity policies, procedures, and strategies. The proposals’ requirement that material incidents be reported in four days increases the board’s accountability in cyber risk. Companies will now need to quickly assess the full impact of an incident and its potential financial impact, or else risk being penalised.

India too has a slew of regulations, from the recently floated personal data protection Bill and the tabled non-personal data protection Bill to mandatory requirements to disclose data breaches and cybersecurity incidents to CERT-In, which operates under the Ministry of Electronics and Information Technology.

The Kotak committee (disclosure: I was a member), appointed by the Securities and Exchange Board of India, for its part put the onus of dealing with cybersecurity on the risk management committee of the board.
 
Given the ever-increasing incidence of cyber threats, there is growing pressure on companies to revisit how they deal with such risks. Companies now need to put in place the right governance structures, appropriate policies, and robust processes covering data storage, data transfer, and data use on the company network, through to final disposal. As cyber risk management is no longer just about preventing breaches (“The question organisations are facing is not if a cyberattack will happen, but when”), this means putting in place guidelines regarding the process to be followed once there is a cyberattack. This begins with the most basic of procedures, i.e. shutting access to equipment and networks. Next come the steps the company needs to take to resume normal operations. This will help minimise financial damage and mitigate reputational damage when a breach occurs. Finally, there needs to be clarity regarding reporting data breaches: what, and to whom? In this context, it is desirable for board members to have the financial acumen, familiarity, and skills to understand cyber reporting and risks and, at the very least, the ability to interact with third parties and internal resources to effectively oversee the organisation’s cybersecurity architecture.
 
Today, cyber threats represent a systemic risk, affecting the economy, including critical infrastructure, national security, and companies, large and small. Giving this primacy and putting in place the right governance structures are the best way to mitigate this risk.
 
The writer is with Institutional Investor Advisory Services India Ltd, a proxy advisory firm.  Twitter: @AmitTandon_in


Disclaimer: These are personal views of the writer. They do not necessarily reflect the opinion of www.business-standard.com or the Business Standard newspaper
