By GV Anand Bhushan and Tarun Krishnakumar,
Cyber(in)security: The new status quo
Cybersecurity professionals are no doubt familiar with the oft-repeated adage that there are only two kinds of companies — ‘those that have been breached’ and ‘those who do not know it yet’.
While in many settings a third category of entities — affected by breaches which remain undisclosed — exists, the increasing potency of attacks and the public spill-over of their effects mean that this category is rapidly collapsing into the former. In this respect, the year 2016 heralded a paradigm shift in the way cybersecurity concerns were perceived by the Indian private sector. What were previously assumed to be largely hypothetical and remote concerns assumed manifest proportions with sophisticated attacks causing widespread disruption to critical sectors and services.
Notably, in mid-2016, an attack targeting Indian banks led to the details of more than 3 million debit cards being breached. Around the same time, neighbouring Bangladesh saw a thwarted attack on its central bank result in the theft of US$81 million. If successful, the attack would have siphoned off close to US$1 billion — 0.5 percent of Bangladesh’s GDP at the time. A similar attack in July 2016 almost resulted in the theft of US$170 million from the accounts of the Union Bank of India. The frequency and sophistication of attacks have only increased in 2017, with ransomware waves including WannaCry and Petya disrupting commerce globally — including at India’s largest container port in Mumbai.
These and other incidents have fuelled policy intervention, with sectoral regulators including the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, and the Securities and Exchange Board of India acting to issue circulars mandating implementation of cybersecurity frameworks by regulated entities. India’s Computer Emergency Response Team (CERT-In) has also publicly indicated that it intends to strictly enforce the incident notification requirements contained under Indian IT law — which apply across sectors.
While many of these regulatory frameworks are comprehensive, much of the Indian private sector — not covered by sectoral frameworks — has struggled to adapt. In the face of threats from cyberspace, it has become mission critical for companies to not only take preventative measures to mitigate effects of attacks on operations but to also manage the attendant contractual, governance and regulatory risks.
Based on our observations of market practice, this note flags certain key areas of concern for companies going forward and suggests steps that can be taken to contain risk. As opposed to being an exhaustive list, it is intended to provide a starting point for companies embarking upon broader cybersecurity planning. While some observations and conclusions may be specific to the Indian scenario, most of our analysis would equally apply to other jurisdictions with nascent cybersecurity regulatory ecosystems.
Red flags for the private sector
While businesses have been quick to realise the magnitude of risk posed by poor cybersecurity practices, many have been slow to implement frameworks and policies for mitigation, response and remediation of security incidents (‘security incident policies’). Where they have been implemented, most suffer from either critical or subtle deficiencies which undermine their effectiveness. Five common flaws we observed in the pre- and post-policy formulation process are as follows:
- Lack of regulatory awareness: Thus far, the Indian approach to cybersecurity regulation has been characterised by the creation of various parallel bodies and agencies — often with overlapping mandates and jurisdictions. With such a multiplicity of regulatory frameworks and authorities, combined with non-existent enforcement, it is easy (and common) for businesses to have incomplete awareness of their various compliance requirements. This is especially likely to be the case where no designated sectoral authority or binding framework exists. In a post-incident scenario, where regulatory enforcement or consumer action is possible, such information asymmetries may prove fatal.
- Breach planning and preparedness: Most businesses (especially where no sectoral guidelines exist) do not have in place comprehensive security incident response and remediation policies or plans. The lack of such plans can open businesses — and their directors — up to liability from consumers, shareholders/investors, partners and regulators. This is to be seen in the context of the growing realisation that it is unreasonable to expect all forms of attacks to be prevented. With this in mind, not putting in place a comprehensive framework is an inexcusable failure to mitigate potential liability.
- Lack of harmonised and holistic responses: Even where businesses have implemented incident policies, they are often narrowly tailored to apply to an entity’s technical and governance functions. Many policies make fatal omissions by not including other critical stakeholders such as communications/PR and legal. In a post-breach scenario, the lack of a uniform and harmonised response — both internally and externally — is a certain recipe for chaos.
- Failure to test: An incident response plan is only as valuable as the extent to which it has been assimilated through drilling and testing. In the absence of regular security drills involving all stakeholders in the decision chain, the chances that a plan will not succeed in a critical scenario increase manifold. Many businesses fail to realise this: they treat policies as one-off exercises and make the mistake of assuming that the mere presence of a plan is sufficient to mitigate liability. This is a critical mistake as, in a contentious setting, corporate leadership may be called upon to demonstrate not only that there was a plan in place but that awareness of it had diffused into organisational culture through regular training and drilling.
- Failure to audit: The failure to audit can gut even the best of incident response plans. Without regular audits at pre- and post-policy formulation stages, businesses may risk policies that are either not sufficiently comprehensive or which are not externally validated for being in line with industry standards.
Other issues commonly observed include lack of cybersecurity capacity or, more broadly, awareness in an entity’s culture. Traditionally such issues are more likely to be associated with SMEs and businesses in non-technical sectors.
The way ahead
The problems above, if unaddressed, can lead not only to a policy that fails to properly account for the various threats in cyberspace, but also to one that fails to properly mitigate disruption to operations and legal liability. Below, we discuss some high-level steps that can be taken to ensure a more robust framework:
- Compliance landscaping: In a post-breach scenario, it is important to quickly head off potential sources of liability, comply with incident notification requirements and — where the incident is severe — proactively engage with regulators. However, a post-breach scenario does not afford the time to carry out a comprehensive survey of the applicable legal and regulatory frameworks. Therefore, a comprehensive — even if high-level — survey of applicable laws and regulations should precede or form part of every policy formulation exercise. Carrying out the exercise prior to policy formulation aids in effectively allocating responsibilities for different tasks such as notifying breaches and working with specific regulators.
- Broad-based policy formulation: The security incident policy-formulation process should ideally include all of an entity’s verticals and departments — to ensure ownership of responsibilities and engagement in the event of an incident. Typically, this should include representation of not only technical and governance functions but also legal, compliance, government affairs and communications/PR verticals to ensure preparedness for all types of potential fallout. External legal and communications consultants can also play a crucial role in the process — ensuring that legal and PR risk mitigation forms a core part of the policy’s DNA.
- Ensuring dedicated resources: A response and remediation policy is only as robust as the individuals implementing it. Many otherwise prepared businesses fail to maintain dedicated staffing for cybersecurity-related planning and response. Specialised staffing is required on the technical, legal, compliance and governance levels. Larger businesses may consider having dedicated in-house resources (either through hiring or repurposing through training) while smaller entities may find the use of external vendors and consultants more economical. In either scenario, a certain level of investment may be required as it must be duly recognised that existing internal IT teams — being more oriented towards administrative and maintenance functions — may not have the necessary skills or bandwidth to address security incidents.
- Pre-identified and empowered response team: A key aspect of the security incident policy formulation process is identifying — well in advance — the constituents of the primary incident response team and providing for clear authority, decision trees and dedicated communication channels. As is the case in policy formulation (discussed above), post-incident remediation efforts should typically include broad-based representation from not only technical and governance functions, but also legal, compliance, government affairs and communications/PR verticals to ensure that all types of fallout are contained. External technical, legal and forensic service providers must also be pre-identified and retained to avoid delays.
- Periodic data and security auditing: At the outset, businesses must carry out audits to understand the various risks they may face in the normal course of operations. In consumer-facing businesses, the focus must be on comprehensive data auditing to understand the types of data collected and their sensitivity. Such a process aids risk profiling, identifying threat vectors and gaps where risk can be mitigated at the outset (for example, pseudonymisation or anonymisation of data) — all learnings which ultimately contribute to an effective response and remediation policy.
- Drilling and penetration testing: An essential component of a robust security and incident framework is periodic stress testing through drills for existing and new employees — with an emphasis on individuals and departments which have responsibilities under the policy. Such drilling should be accompanied by regular penetration testing — ideally by external consultants — to identify vulnerabilities. While predominantly targeted at technical issues, these should occasionally be combined with social engineering and spear phishing exercises to account for human elements.
- Independent certification: Pursuing independent audit and certification from third-party agencies is an important step which can demonstrate that measures implemented are commensurate with industry standards and practices. In the Indian scenario, CERT-In undertakes the function of empanelling auditors to carry out security audits and investigations. However, there is no paucity of other quality cybersecurity service providers.
In addition to the above high-level measures, businesses should also look to integrate cybersecurity concerns into their standard treatment of operating risk. A key issue which may need to be addressed in this regard is factoring cybersecurity into contractual relationships with consumers, vendors, or other partners. While existing contractual relationships may already be locked in, businesses should look to ensure that future iterations of standard terms adequately account for cybersecurity risks. An area where this can have a significant impact is where a security incident or attack substantially disrupts mission critical operations. In such a setting, contractual recognition of cyberattacks as a valid ground to declare force majeure may mean the difference between continuity of the relationship and termination followed by liability. Similar concerns arise in relation to non-disclosure agreements.
All factors considered, cybersecurity risk is here to stay. Today, treating a cyber-attack as a black swan event is, at best, uninformed; at worst, negligent — and regardless of characterisation, wholly inadvisable. The sooner businesses begin to treat cybersecurity incidents on par with other shocks to supply and demand, the more likely that the legal and reputational butterfly effects of such incidents can be minimised, if not eliminated.