Top cybersecurity regulations in India
India’s ever-expanding digital infrastructure in the wake of the pandemic has escalated the demand for new, updated, and improved regulatory mandates for strengthening cybersecurity. Rampant cybersecurity incidents have been occurring weekly, alarming businesses, organizations, and individuals across India.
The IBM Security Data Breach Report of 2022 states that, for the fiscal year 2022, the average cost of a data breach in India reached a record high of ₹17.5 crores (₹175 million), or around $2.2 million, an increase of 6.6% from 2021 and a staggering 25% from the 2020 average of ₹14 crores.
In 2021, the most notable cybersecurity incidents in India revolved around unauthorized access and compromised personal data. For example, in the case of Air India, data files belonging to more than 4.5 million customers were leaked in a cyber attack. In a separate incident, the personal data of around 180 million users was stolen directly from the database of Domino’s India.
In response to the rapidly shifting digital transformation, archaic cybersecurity laws, and the lack of clear, comprehensive data privacy laws, the Indian government has begun to reevaluate how it regulates cybersecurity and cybercrime.
This comprehensive guide covers India’s most pertinent cybersecurity regulations and the legislation relevant to cybercrime. Additionally, this article examines India’s current cybersecurity laws, how they’re enforced, how they safeguard businesses and organizations, and which developments and improvements are planned for the future.
The Critical Issues of India’s Cybersecurity Laws and Regulations
One of the main problems with India’s regulations in the cybersecurity landscape is that the government still prosecutes under unclarified or outdated statutes, which can hinder progress and the implementation of adequate cyber laws and regulations. Organizations have difficulty deriving the proper guidelines and advisories from ambiguous laws and fragmented legislative approaches in data privacy and cybersecurity.
To maintain widely accepted cybersecurity standards, India must pass more comprehensive and informative cybersecurity laws and clarified regulations and reforms to develop a better cybersecurity framework and data protection legislation.
Otherwise, the Indian government, its law enforcement agencies, and designated regulators remain bound to old laws, which may result in improperly addressed and unresolved cybersecurity issues.
In a special petition filed in 2021, the Supreme Court of India ruled that cyber attacks and data thefts are a crime under the Information Technology Act (IT Act) of 2000 and the Indian Penal Code (IPC). Since the IPC criminal statute is over 150 years old, the more modern IT Act of 2000 is today the main regulation against cybercrime.
However, further amendments are necessary to correct errors and provide clarification in response to new and emerging modern-day threats.
Top Cybersecurity Regulations in India 2022
Here is the current legislation regarding cybersecurity in force in India today:
1. The Information Technology Act, 2000
India’s first-ever landmark cybersecurity law was the Information Technology Act of 2000.
The IT Act of 2000 was enacted by the Parliament of India and administered by the Indian Computer Emergency Response Team (CERT-In) to guide Indian cybersecurity legislation, institute data protection policies, and govern cybercrime. It also protects e-governance, e-banking, e-commerce, and the private sector, among many others.
While India does not have an exclusive, unitary cybersecurity law, it uses the IT Act and multiple other sector-specific regulations to promote cybersecurity standards. It also provides a legal framework for critical information infrastructure in India.
For example, in Section 43A of the IT Act, Indian businesses and organizations must have “reasonable security practices and procedures” to protect sensitive information from being compromised, damaged, exposed, or misused.
Under Section 72A of the IT Act, any intermediaries or persons that disclose personal data without the owner’s consent (with ill intention and causing damages) are punishable by imprisonment of up to three years, a fine of up to ₹500,000, or both.
2. Information Technology (Amendment) Act 2008
The Information Technology Amendment Act 2008 (IT Act 2008) was passed in October 2008 and came into effect the following year as a substantial addition to the IT Act of 2000. These amendments improved the original bill, which had failed to pave the way for further IT-related development. It was hailed as an innovative and long-awaited step towards an improved cybersecurity framework in India.
IT Act 2008 added updated and redefined terms for current use, expanding the definition of cybercrime and the validation of electronic signatures. It also strongly encourages companies to implement better data security practices and makes them liable for data breaches.
The IT Act of 2008 applies to any individual, company, or organization (intermediaries) that uses computer resources, computer networks, or other information technology in India, including providers of web hosting, internet, network, and telecom services. It also covers foreign organizations that have a presence in India and businesses outside the country that have operations in India.
Covering important information security practices for cybercrime and data protection with over nine chapters and 117 sections, the new Information Technology Amendment Act of 2008 includes the following responsibilities:
- Improving cybersecurity measures and forensics
- Requiring intermediaries and body corporates to report cybersecurity incidents to CERT-In
- Preventing unauthorized/unlawful use of a computer system
- Protecting private data and information from cyber terrorism, DDoS attacks, phishing, malware, and identity theft
- Legal recognition for cybersecurity of organizations
- Safeguarding e-payments and electronic transactions and monitoring and decryption of electronic records
- Establishing a legal framework for digital signatures
- Recognizing and regulating intermediaries
It’s important to note that the biggest problem with the IT Act 2008 lies in Section 69, which authorizes the Indian government to expeditiously intercept, monitor, decrypt, block, and remove data and content at its discretion, a power that raises serious privacy concerns.
Violation of the IT Act may incur penalties ranging from a fine of $1,250 to three years’ imprisonment, while penalties for more serious offenses and cybercrimes may reach imprisonment of up to 10 years.
3. Information Technology Rules, 2011
Under the IT Act, another important segment of the cybersecurity legislation is the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (Privacy Rules).
The most significant amendments include provisions for the regulation of intermediaries, updated penalties and violation fees for cybercrime, cheating, slander, and nonconsensual publishing of private images, as well as censoring/restriction of certain speech.
Both the Information Technology Act (ITA) and the IT Rules are important for governing how Indian entities and organizations process sensitive information, covering data protection, data retention, and the collection of personal data and other sensitive information.
Other Indian sectors, like banking, insurance, telecom, and healthcare, also include data privacy provisions as part of their separate statutes.
4. Indian SPDI Rules, 2011 for Reasonable Security Practices
The Indian SPDI Rules, 2011 identify the IS/ISO/IEC 27001 standard as an international standard. Indian companies are therefore not obligated, but are highly advised, to implement it, as doing so helps meet the “reasonable security practices” requirement under Indian jurisdiction.
The rules also give individuals the right to correct their information and impose restrictions on disclosure, data transfer, and security measures. They apply only to corporate entities, which are not held responsible for the authenticity of sensitive personal data (SPD) such as sexual orientation, medical records and history, biometric information, and passwords.
5. National Cyber Security Policy, 2013
In 2013, the Department of Electronics and Information Technology (DeitY) released the National Cyber Security Policy 2013 as a security framework for public and private organizations to better protect themselves from cyber attacks.
The goal behind the National Cyber Security Policy is to create and develop more dynamic policies to improve the protection of India’s cyber ecosystem. The policy aims to create a workforce of over 500,000 expert IT professionals over the following five years through skill development and training.
The NCSP’s other goals include:
- Creating a resilient and safe cyberspace for individuals, organizations, and the government
- Monitoring and safeguarding cyber infrastructure and information, reducing vulnerabilities, and strengthening defenses against cyber attacks
- Creating frameworks, capabilities, and vulnerability management strategies for minimizing, preventing, and responding faster to cyber incidents and cyber threats
- Encouraging organizations to develop cybersecurity policies that align with strategic goals, business workflows, and general best practices
- Simultaneously creating institutional structures, people, processes, technology, and cooperation to minimize the damage caused by cybercrime
6. IT Rules, 2021
On February 25, 2021, the Ministry of Electronics and Information Technology introduced the Information Technology (Guidelines for Intermediaries and Digital Media Ethics Code) Rules, 2021 as a replacement for IT Rules, 2011. A little over a year later, on June 6, 2022, the newly updated draft amendments were published by the Indian MeitY (Ministry of Electronics and IT) to improve the IT Act to keep up with the challenges of the ever-changing digital landscape.
The new amendments aim to allow ordinary users of digital platforms to seek compensation for their grievances and demand accountability when their rights are infringed upon, as well as institute additional due diligence on organizations.
IT Rules, 2021 also distinguishes between smaller and more significant social media intermediaries based on user numbers and places a much heavier burden on larger social media intermediaries concerning personal data protection.
Additionally, there are changes to the privacy and transparency requirements of intermediaries, such as:
- Requiring intermediaries to designate a grievance officer that can address and resolve user complaints about violations of IT Rules, 2021
7. National Cyber Security Strategy 2020
The National Cyber Security Strategy of 2020 is the long-awaited follow-up plan by the Indian government to further improve cybersecurity efforts. While it is still under development and pending review by the National Security Council Secretariat, its main goal is to serve as the official guidance for stakeholders, policymakers, and corporate leaders to prevent cyber incidents, cyber terrorism, and espionage in cyberspace.
The strategy aims to improve cybersecurity audit quality so organizations can conduct better reviews of their cybersecurity architecture and knowledge. The hope is that, once the policy is implemented, cyber auditors will improve their security standards, ultimately encouraging organizations to step up their security programs.
8. KYC (Know Your Customer)
KYC (Know Your Customer) processes are standards and practices used worldwide and mandated by the RBI (Reserve Bank of India). KYC involves tracking and monitoring customer data to improve safeguards against fraud and payment credential theft. It requires banks, insurance companies, and any other digital payment companies that carry out financial transactions to verify and identify all of their customers.
For proper KYC compliance and to meet financial regulatory requirements, businesses need to include the following cybersecurity steps:
- Having a knowledge-based questionnaire test for verifying customer identities
- Implementing pre-screening KYC verification methods like email verification, phone verification, device ID intelligence, and reputational data, among others
- Using AI-based technology and machine learning for verifying documents and government-issued IDs
- Using biometrics like fingerprinting and facial recognition to verify a user’s identity
- Maintaining a database of customers for verification purposes
Businesses with KYC policies assure customers that they have the relevant compliance management and anti-fraud solutions in place to protect their digital identities and payment transaction data. With KYC compliance, Indian merchants can have peace of mind with safe and secure payment processing, comply with regulations from SEBI, and establish trust with customers.
Banks, businesses, and corporations that fail to adhere to the KYC directions may face a monetary penalty of ₹2 lakh (₹200,000).
9. Reserve Bank of India Act 2018
The Reserve Bank of India introduced the RBI Act in 2018, which details cybersecurity guidelines and frameworks for UCBs (urban co-operative banks) and payment operators.
The RBI Act of 2018 aims to:
- Create standards that bring the security frameworks of banks and payment operators to a common level as they adapt to new technologies and digitalization
- Mandate banks to create and present their cyber crisis management plans
- Mandate banks to implement board-approved information security policies that outline their cybersecurity preparedness
- Require banks to implement mandatory breach notification, under which UCBs must promptly detect cybersecurity incidents and report them to the RBI within 2-6 hours of discovery to better respond to the attacks
- Encourage banks to regularly schedule threat assessment audits
- Help banks implement their own email domains with anti-phishing and anti-malware technology, as well as enforce DMARC security controls
All Indian banks must follow these guidelines to standardize frameworks for payment processing cybersecurity and combat the ever-increasing business complications in a digital environment.
The RBI Act of 2018 imposes fines on banks and the financial sector in cases of non-compliance with its cybersecurity requirements. The penalties can be up to ₹10 lakh (₹1,000,000).
UpGuard