IOD Quick Links Quick Links IOD Contact US Connect us

Connect with us

Cancel

IOD Insight - Building Cyber Resilience in Boardrooms

A TIMELINE

01 JULY 6, 2015  

Provision

SEBI Circular issued - CIR/MRD/DP/13/2015:

Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing Corporations and Depositories.

Analysis

SEBI provided a Cyber Security and Cyber Resilience Framework for Market Infrastructure Institutions, to increase accountability.

02 APRIL 1, 2019  

Provision

Clause inserted to the SEBI (LODR) Regulations, 2015*

21(4) The board of directors shall define the role and responsibility of the Risk Management Committee and may delegate monitoring and reviewing of the risk management plan to the committee and such other functions as it may deem fit (such function shall specifically cover cyber security).

Analysis

SEBI mandated the Risk Management Committee of Boards to take on primary responsibility and oversight of cybersecurity.

03 MAY 5, 2021  

Provision

Clause inserted to the SEBI (LODR) Regulations, 2015.

Schedule II, Part D, (C)(1a) The role of the Risk Committee shall, inter alia, include a framework for identification of internal and external risks specifically faced by the listed entity, in particular including financial, operational, sectoral, sustainability (particularly, ESG related risks), information, cyber security risks or any other risk as may be determined by the Committee.

Analysis

SEBI mandated the Risk Committee of Boards to include a framework for identification of internal and external risks of cybersecurity.

04 MAY 10, 2021  

Provision

SEBI Circular issued - SEBI/HO/CFD/CMD2/P/CIR/2021/562:

Business Responsibility and Sustainability Reporting by listed

The SEBI-released BRSR framework includes nine principles.

Principle 9 requires listed companies to report on the following details:

(i) Number of consumer complaints with respect to Cybersecurity

(ii) Does the entity have a framework/ policy on cyber security and risks related to data privacy? (Yes/No) If available, provide a web-link of the policy

(iii) Provide details of any corrective actions taken or underway on issues relating to cyber security and data privacy of customers.

Analysis

SEBI made cybersecurity a key agenda item to be included in Business Responsibility and Sustainability Reporting (BRSR).

05 APRIL 28, 2022  

Provision

Directions issued by CERT-In (Indian Computer Emergency Response Team):

Directions under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet.

“Any service provider, intermediary, data centre, body corporate and Government organisation shall mandatorily report cyber incidents as mentioned in Annexure I to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents”

Analysis

The Ministry of Electronics and Information Technology (MeitY) issued directions applicable to all corporate organisations, to mandatorily report cyber incidents to CERT-In within 6 hours of identification of such incidents.

06 FEBRUARY 22, 2023  

Provision

SEBI Circular issued-SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/032:

Advisory for SEBI Regulated Entities (REs) regarding Cybersecurity best practices.

Analysis

SEBI issued an advisory for all regulated entities on cybersecurity best practices. This includes guidance on authentication mechanisms, cloud services, audits and ISO certification, phishing and website attacks, and the role of the Chief Information Security Officer (CISO), among other key areas.

07 JULY 15, 2023  

Provision

Clause inserted to the SEBI (LODR) Regulations, 2015.

27 (ba) The listed entity shall submit a quarterly compliance report on corporate governance in the format as specified by the Board from time to time to the recognised stock exchange(s) within twenty one days from the end of each quarter. Details of cyber security incidents or breaches or loss of data or documents shall be disclosed along with the report, as may be specified.

Analysis

SEBI mandated all listed entities to disclose cybersecurity incidents, breaches, or data loss to recognized stock exchange(s) on a quarterly basis along with the corporate governance report.

08 JUNE 27, 2024  

Provision

SEBI announced the Cybersecurity and Cyber Resilience Framework (CSCRF)

CSCRF is a new framework for Cyber Resilience and Cybersecurity for all SEBI regulated entities. It is a standard-based framework and broadly covers the five cyber resiliency goals, viz. Anticipate, Withstand, Contain, Recover, and Evolve which are adopted from CERT-In Cyber Crisis Management Plan (CCMP), for countering Cyber Attacks and Cyber Terrorism.

Analysis

SEBI announced a Consolidated Cyber Security and Resilience Framework (CSCRF) following its consultation paper dated July 4, 2023. This framework aims to provide a unified structure for all entities, for various cybersecurity approaches to mitigate cyber risks and incidents.

TYPES OF CYBER SECURITY INCIDENTS MANDATORILY TO BE REPORTED TO CERT-IN:

01 Data Breach
02 Data Leak
03 Unauthorised access of IT systems/data
04 Unauthorised access to social media accounts
05 Identity Theft, spoofing and phishing attacks
06 Compromise of critical systems/information
07 Attacks through Malicious mobile Apps
08 Fake mobile Apps
09 Attacks on Application such as E-Governance, E-Commerce etc
10 Attacks or incident affecting Digital Payment systems
11 Targeted scanning/probing of critical networks/systems
12 Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
13 Attacks on Critical infrastructure, SCADA and operational technology systems & Wireless networks
14 Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
15 Malicious code attacks such as spreading of virus/worm/Trojan/Bots/Spyware/Ransomware/Cryptominers
16 Attack on servers such as Database, Mail and DNS and network devices such as Routers
17 Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc
18 Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
19 Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
20 Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning

The incidents can be reported to CERT-In via email (incident@cert-in.org.in) and Phone (1800-11-4949). The details regarding methods and formats of reporting cybersecurity incidents is published on the CERT-in website.

Compiled by:

Board Research and Advisory Team
Institute of Directors

Author


Institute of Directors India

Institute of Directors India

Bringing a Silent Revolution through the Boardroom

Institute of Directors (IOD) is an apex national association of Corporate Directors under the India's 'Societies Registration Act XXI of 1860'​. Currently it is associated with over 30,000 senior executives from Govt, PSU and Private organizations of India and abroad.

Owned by: Institute of Directors, India

Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.

About Publisher

  • IOD Blogs

    Institute of Directors India

    Bringing a Silent Revolution through the Boardroom

    Institute of Directors (IOD) is an apex national association of Corporate Directors under the India's 'Societies Registration Act XXI of 1860'​. Currently it is associated with over 30,000 senior executives from Govt, PSU and Private organizations of India and abroad.

    View All Blogs

Masterclass for Directors