Relooking at the Cyber Security Policy in Corporate Governance

*Dippyaman Bhattacharya, Student, Alliance School of Law.


**Kolli Srilekya, Student, Alliance School of Law.

Introduction

“I dream of a Digital India where cyber security becomes an integral part of our National
Security.”

- Narendra Modi

In the present decade, cyber attacks have become a hurdle for good corporate governance, especially in the financial sector. Privacy and data management are core issues of corporate governance. Cyber risk is not only an Information Technology (IT) issue but has several repercussions for corporate governance. Although cyber security has been rooted in the National Cyber Security Policy, 2013, it lacks proper implementation. To transform India digitally by infusing technology into corporate governance, every director is expected to possess a sound understanding of the fundamentals of cyber security. This article mainly focuses on the development of enterprise cyber risk management measures in order to keep cyber risk out of our country’s corporate governance.

The National Cyber Security Policy 2013

The National Cyber Security Policy, 2013 came into existence on July 2, 2013, aiming to protect information and create a secure cyberspace ecosystem that strengthens the regulatory framework of corporations. The main goal of the policy is to provide a safe and secure cyberspace for the government, businesses and citizens of the country. The policy suggests Public Private Partnership and collaborative engagements through technical and operational cooperation. It further encourages organizations (both public and private) to designate a person to serve as Chief Information Security Officer (CISO). Organizations should integrate information security policies into their business plans and implement them.[1]

[1] Sanjiv Tomar, ‘National Cyber Security Policy 2013: An Assessment’ (August 26, 2013), https://idsa.in/idsacomments/NationalCyberSecurityPolicy2013_stomar_260813


Though the release of this policy marks a paradigm shift towards a secure cyberspace, some areas require further deliberation before it can be fully implemented. Risks arising out of existing and new technologies, for example Cloud Computing, need to be addressed by incorporating cyber-crime tracking, analyzing and sharing information between the public and private sectors, and creating a trained workforce.[2]

Major drawbacks in the policy of our country

The following are certain pitfalls in the cyber security policy of India for which it has faced severe criticism:

- Though India is making great progress in the ‘Digital India’ initiative, there is still no proper cyber security framework.[3]
- Despite having a National Cyber Security Policy 2013, India remains defenceless against cyber-crimes and intrusions in the digital arena.
- Organizations and industries of all types are potential victims of cyber-attacks because the National Cyber Security Policy is not implemented or adopted by all of them.
- Lack of critical infrastructure is a major drawback, making it easy for attackers to obtain vital information from vulnerable systems.
- There is no cooperation between different organizations, even after the appointment of a National Cyber Security Coordinator as specified under the Policy.
- India could also be subjected to offensive cyber operations because of China’s strong emphasis on cloud computing techniques.[4]
- Though the basic framework of cyber security in India has been realized, there is a lack of initiatives to evolve it into a risk-proof mechanism.[5]

[2] Ibid.
[3] Deloitte, “India must have a cyber security framework” (August 17, 2017), http://www.governancenow.com/news/regular-story/india-must-have-a-cyber-security-framework-deloitte
[4] The Hans India, “Cyber security and challenges” (June 14, 2017, 22:16), http://www.thehansindia.com/posts/index/Young-Hans/2017-06-14/Cyber-security-and-challenges/306445
[5] Subimal Bhattacharjee, “Managing India’s cyber security problems” (October 16, 2012, 21:15), http://www.livemint.com/Opinion/XIvim27KMgpKffESs11HFL/Managing-Indias-cyber-security-problems.html


Initiatives that can be accommodated for improving cyber risk management under Corporate Governance

As stated previously, our country’s cyber security policy is plagued with certain drawbacks which expose it to scrutiny and criticism.

Cyber security in corporate governance has become an accelerating trend worldwide and now represents a key business issue. The threat of cyber risk makes it imperative for our country to focus on the creation and promotion of cyber security measures. Therefore, to improve our cyber security practices, it is of utmost importance to learn from policies and good practices from around the world.

After taking into account the drawbacks in the measures taken by different countries, the European Confederation of Institutes of Internal Auditing (ECIIA) and the Federation of European Risk Management Associations (FERMA) set up, in 2017, a joint working body comprising risk managers and internal auditors to govern cyber risk in the corporate sphere. Though the report they presented focuses mainly on European organizations (both public and private), its measures are worthy of consideration by our legislature in preventing cyber risk.[6]

The report aims at initiating an effective Enterprise Risk Management framework in order to manage cyber risks. Unlike our Cyber Security Policy Bill 2013, which guides both private and public companies to appoint a senior member as Chief Information Security Officer (CISO) solely responsible for cyber security efforts and initiatives,[7] the report segregates the risk assessment of cyber security into three parts:[8]

Operational Risk Assessment: Firstly, it specifies the technical and routine risk operations under the authority of the CISO, which focus on areas such as typical cyber attacks, constant monitoring of IT networks, dissemination of good practice, etc.

[6] FERMA & ECIIA, “Cyber Security & Corporate Governance” Report, 2017 (accessed March 16, 2018, 12:10), http://www.eciia.eu/wp-content/uploads/2017/06/OFFSET-PRINT-Brochure-FERMA-2017v3-1.pdf
[7] The National Cyber Security Policy, 2013, Part IV – Strategy.
[8] Ibid.


Compliance Risk Assessment: Secondly, the assessment focuses on the applicable legal regulations for appointing a Data Protection Officer (DPO), whose function is to determine the cyber security measures that should be taken as a consequence of legal requirements.[9]

Enterprise Risk Management: Thirdly, it delineates a robust enterprise cyber risk management system that would prevent cyber risk in the organization’s operations. For example, it guides digital service providers, data controllers and processors of essential services to include a cyber risk assessment within their enterprise risk management system, covering areas such as financial, reputational and infrastructural risks.[10]

Apart from these, the report (in line with the OECD principles[11]) also addresses various other areas of the organizational structure and provides measures aimed at promoting cyber security. The security measures provided by this report are remarkable and well worth discussing.

In terms of security, the report provides a comprehensive structured model of ‘The Three Lines of Defence’, specifying the role of different authorities in governance and risk management and forming a “chain of trust” across all lines.

The First Line of Defence: This line is responsible for the management of risk and implements the policies and standards for monitoring the network and infrastructure. The functions most commonly identified here are in the domains of Information Technology, Human Resources, the Chief Data Officer (CDO), etc.[12]

The Second Line of Defence: This line is helmed by the CISO, who defines the policies and technical configurations/standards that are to be implemented by the first line. As part of its work programme it ensures that the units under the first line are working appropriately, and it is responsible for maintaining a balance between the organization’s risk appetite and cyber security. This governing body (mainly through the Risk Manager) identifies short-term as well as long-term mitigation plans, including investment and insurance, and sets benchmarks appropriate to prevent risk to the organization. Apart from the authorities mentioned, there is also a Data Protection Officer (DPO) for data protection and privacy regulations, and Financial Officers who provide financial support for investment, manage internal risk and validate the budget. A better second line of defence not only prevents risk but also attracts external stakeholders to the organization.[13]

[9] Supra 6.
[10] Ibid.
[11] OECD Recommendation (2015), “Digital Security Risk Management for Economic and Social Prosperity” (accessed March 16, 2018, 16:10), http://www.oecd.org/sti/ieconomy/digital-security-risk-management.pdf
[12] Supra 6.

The Third Line of Defence: This line focuses on the creation of an independent ‘Internal Audit’ function responsible for keeping a check on the functioning of both the first and second lines of defence and for providing an annual statement to the Board of Directors. It plays an important role in the development and assessment of cyber risk management plans in coordination with the second line. Some of the key activities of this line are the evaluation of preventive and detection measures, tracking the diligence of remediation, etc.[14]

Thus, it is a more comprehensive approach to curbing cyber risk in corporate governance than what is provided for by the Indian cyber policy. Moreover, the report takes into account the latest developments, which makes it more pertinent to the present age, where cyber threats are ever increasing.

Conclusion

Cyber attacks are increasing in frequency, and their cost has been estimated at $575 billion per year.[15] If this is not well managed, it will lead to severe repercussions for many corporate entities in our country. Hence, creating a proactive alliance between anticipative risk management and far-sighted internal audit inside the corporate structure of every company is the need of the hour.

[13] Ibid.
[14] Supra 6.
[15] Supra 3.
