Asia (Other)

By GV Anand Bhushan and Tarun Krishnakumar, SR_Anand Bhushan_2 without logo

Shardul Amarchand Mangaldas & Co



Cyber(in)security: The new status quo


Cybersecurity professionals are no doubt familiar with the oft-repeated adage that there are only two kinds of companies — ‘those that have been breached’ and ‘those who do not know it yet’.
While in many settings a third category of entities — affected by breaches which remain undisclosed — exists, the increasing potency of attacks and the public spill-over of their effects mean that this category is rapidly collapsing into the former. In this respect, the year 2016 heralded a paradigm shift in the way cybersecurity concerns were perceived by the Indian private sector. What were previously assumed to be largely hypothetical and remote concerns assumed manifest proportions with sophisticated attacks causing widespread disruption to critical sectors and services.
Notably, in mid-2016, an attack targeting Indian banks led to the details of more than 3 million debit cards being breached. Around the same time, neighbouring Bangladesh saw a thwarted attack on its central bank result in the theft of US$81 million. If successful, the attack would have siphoned off close to US$1 billion — 0.5 percent of Bangladesh’s GDP at the time. A similar attack in July 2016 almost resulted in the theft of US$170 million from the accounts of the Union Bank of India. The frequency and sophistication of attacks has only increased in 2017 with ransomware waves including WannaCry and Petya disrupting commerce globally — including at India’s largest container port in Mumbai.
These and other incidents have fuelled policy intervention with sectoral regulators including the Reserve Bank of India, the Insurance Regulatory and Development Authority of India, and the Securities and Exchanges Board of India acting to issue circulars mandating implementation of cybersecurity frameworks by regulated entities. India’s Computer Emergency Response Team (CERT-In) has also publicly indicated that it intended to strictly enforce incident notification requirements contained under Indian IT law — applicable across sectors.
While many of these regulatory frameworks are comprehensive, much of the Indian private sector — not covered by sectoral frameworks — has struggled to adapt. In the face of threats from cyberspace, it has become mission critical for companies to not only take preventative measures to mitigate effects of attacks on operations but to also manage the attendant contractual, governance and regulatory risks.
Based on our observations of market practice, this note flags certain key areas of concern for companies going forward and suggests steps that can be taken to contain risk. As opposed to being an exhaustive list, it is intended to provide a starting point for companies embarking upon broader cybersecurity planning. While some observations and conclusions may be specific to the Indian scenario, most of our analysis would equally apply to other jurisdictions with nascent cybersecurity regulatory ecosystems.

Screen Shot 2017-08-30 at 2.55.07 pm

Red flags for private sector
While businesses have been quick to realise the magnitude of risk posed by poor cybersecurity practices, many have been slow to implement frameworks and policies for mitigation, response and remediation of security incidents (‘security incident policies’). Where they have been implemented, most suffer from either critical or subtle deficiencies which undermine their effectiveness. Five common flaws we observed in the pre- and post-policy formulation process are as follows:

  • Lack of regulatory awareness: Thus far, the Indian approach to cybersecurity regulation has been characterised by the creation of various parallel bodies and agencies — often with overlapping mandates and jurisdictions. With such a multiplicity of regulatory frameworks and authorities, combined with non-existent enforcement, it is easy (and common) for businesses to have incomplete awareness of their various compliance requirements. This is especially likely to be the case where no designated sectoral authority or binding framework exists. In a post incident scenario, where regulatory enforcement or consumer action is possible, such information asymmetries may prove fatal.
  • Breach planning and preparedness: Most business (especially where no sectoral guidelines exist) do not have in place comprehensive security incident response and remediation policies or plans. The lack of such plans can open businesses — and their directors — up to liability from consumers, shareholders/investors, partners and regulators. This is to be seen in the context of the growing realisation that it is unreasonable to expect all forms of attacks to be prevented. With this in mind, not putting in place and comprehensive framework is an inexcusable failure to mitigate potential liability.
  • Lack of harmonised and holistic responses: Even where businesses have implemented incident policies, they are often narrowly tailored to apply to an entity’s technical and governance functions. Many policies make fatal omissions by not including other critical stakeholders such as communications/PR and legal. In a post breach scenario, the lack of a uniform and harmonised response — both internally and externally — is a certain recipe for chaos.
  •  Failure to test: An incident response plan is only valuable as the amount it has been assimilated through drilling and testing. In the absence of regular security drills involving all stakeholders in the decision chain, the chances that a plan will not be successful in a critical scenario increase manifold. Many businesses fail to realise this by treating policies as one-off exercises and make the mistake of assuming that the mere presence of a plan is sufficient to mitigate liability. This is a critical mistake as, in a contentious setting, corporate leadership may be called upon to demonstrate not only that there was a plan in place but that awareness of it had diffused into organisational culture through regular training and drilling.
  • Failure to audit: The failure to audit can gut even the best of incident response plans. Without regular audits at pre- and post-policy formulation stages, businesses may risk policies that are either not sufficiently comprehensive or which are not externally validated for being in line with industry standards.

Other issues commonly observed include lack of cybersecurity capacity or, more broadly, awareness in an entity’s culture. Traditionally such issues are more likely to be associated with SMEs and businesses in non-technical sectors.

The way ahead
The problems above, if unaddressed, can not only lead to a policy that fails to properly account for the various threats in cyberspace, but one that can lead to failure to properly mitigate disruption to operations and legal liability. Below, we discuss some high-level steps that can be taken to ensure a more robust framework:

  • Compliance landscaping: In a post-breach scenario, it is important to quickly head off potential sources of liability, comply with incident notification requirements and — where the incident is severe — proactively engage with regulators. However, a post-breach scenario does not afford the time to carry out a comprehensive survey of the applicable legal and regulatory frameworks. Therefore, a comprehensive — even if high-level — survey of applicable laws and regulations should precede or form part of every policy formulation exercise. Carrying out the exercise prior to policy formulation aids in effectively allocating responsibilities for different tasks such as notifying breaches and working with specific regulators.
  • Broad-based policy formulation: The security incident policy-formulation process should ideally include all of an entity’s verticals and departments — to ensure ownership of responsibilities and engagement in the event of an incident. Typically, this should include representation of not only technical and governance functions but also legal, compliance, government affairs and communications/PR verticals to ensure preparedness for all types of potential fallout. External legal and communications consultants can also play a crucial role in the process — ensuring that legal and PR risk mitigation forms a core part of the policy’s DNA.
  • Ensuring dedicated resources: A response and remediation policy is only as robust as the individuals implementing it. Many otherwise prepared businesses fail to maintain dedicated staffing for cybersecurity-related planning and response. Specialised staffing is required on the technical, legal, compliance and governance levels. Larger businesses may consider having dedicated in-house resources (either through hiring or repurposing through training) while smaller entities may find the use of external vendors and consultants more economical. In either scenario, a certain level of investment may be required as it must be duly recognised that existing internal IT teams — being more oriented towards administrative and maintenance functions — may not have the necessary skills or bandwidth to address security incidents.
  • Pre-identified and empowered response team: A key aspect of the security incident policy formulation process is identifying — well in advance — the constituents of the primacy incident response team and providing for clear authority, decision-trees and dedicated communication channels. As is the case in policy-formation (discussed above), post incident remediation efforts should typically include broad-based representation from not only technical and governance functions, but also legal, compliance, government affairs and communications/PR verticals to ensure that all types of fallout are contained. External technical, legal and forensic service providers must also be pre-identified and retained to avoid delays.
  • Periodic data and security auditing: At the outset, businesses must carry out audits to understand the various risks they may face in the normal course of operations. In consumer-facing businesses, the focus must be on comprehensive data auditing to understand the types of data collected and their sensitivity. Such a process aids risk profiling, identifying threat vectors and gaps where risk can be mitigated at the outset (for example, pseudonymisation or anonymisation of data) — all learnings which ultimately contribute to an effective response and remediation policy.
  • Drilling and penetration testing: An essential component of a robust security and incident framework is period stress testing through drills for existing and new employees — with an emphasis on individuals and departments which have responsibilities under the policy. Such drilling should be accompanied by regular penetration testing — ideally by external consultants — to identify vulnerabilities. While predominantly targeted at technical issues, these should occasionally be combined with social engineering and spear phishing to account for human elements.
  • Independent certification: Pursuing independent audit and certification from third party agencies is an important step which can demonstrate that measures implemented are commensurate with industry standards and practices. In the Indian scenario, CERT-In undertakes the function of empanelling of auditors to carry out security audits and investigations. However, there is no paucity of other quality cybersecurity service providers.

In addition to the above high-level measures, businesses should also look to imbibe cybersecurity concerns into standard operating risk. A key issue which may require to be addressed in this regard is factoring in cybersecurity into contractual relationships with consumers, vendors, or other partners. While existing contractual relationships may already be locked in, businesses should look to ensure that future iterations of standard terms adequately account for cybersecurity risks. An area where this can have a significant impact is where a security incident or attack substantially disrupts mission critical operations. In such a setting, contractual recognition of cyberattacks as a valid ground to declare force majeure may mean the difference between continuity of the relationship and termination followed by liability. Similar concerns arise in relation to non-disclosure-agreements.
All factors considered, cybersecurity risk is here to stay. Today, treating a cyber-attack as a black swan event is, at best, uninformed; at worst, negligent — and regardless of characterisation, wholly inadvisable. The sooner businesses begin to treat cybersecurity incidents on par with other shocks to supply and demand, the more likely that the legal and reputational butterfly effects of such incidents can be minimised, if not eliminated.










Tags: Cybersecurity
Related Articles by Firm
Foreign Banks Allowed to Operate in Myanmar
After more than 50 years of banning, the Central Bank of Myanmar has issued the first final licenses allowing four foreign banks to operate in Myanmar.
Tanzanian Draft National Energy Policy of 2015
Highlights on the ongoing and upcoming industry developments with focus on the transition of the energy sector since the introduction of the Big Results Now! campaign
Mineral Rights Available in Tanzania
Overview of the mineral rights available in Tanzania, with specific focus on the various categories of mineral rights
The Legal Framework of the Aviation Sector in Tanzania
As attention turns to Tanzania’s trade and energy opportunities, the spotlight has fallen upon the nation’s infrastructure. This update focuses on the capabilities and issues of the Tanzanian aviation sector.
Oil price volatility - Offshore oil storage
Are there any legal concerns with tankers being used for floating storage?
Oil price volatility - risks and opportunities in 2015
While many companies can weather the oil price slide and volatility, some industry players face a real risk of insolvency.
India: Union Budget 2015
A bullet-point overview of changes in Direct Tax, Indirect Tax and Goods and Service Tax in India in light of Finance Minister Arun Jaitley’s first full-year Budget…
Prohibition against transfer of personal data outside Hong Kong
Section 33 of the Personal Data (Privacy) Ordinance (PDPO) prohibits the transfer of personal data to places outside Hong Kong, except in circumstances specified in the PDPO.
Security of payment under FIDIC contracts: more secure, for now
The High Court of Singapore recently handed down an important judgment in relation to the enforceability of Dispute Adjudication Board (DAB) decisions under the FIDIC forms of contract.
Insurance Laws (Amendment) Bill passed as Ordinance in India
The long-awaited Insurance Laws (Amendment) Bill has become a provisional law in India. The Bill amends the Insurance Act (1938), the General Insurance Business (Naturalisation) Act (1972), and the Insurance Regulatory and Development Act (1999).
SICC: now open for business
On Monday 5 January 2015, the Singapore International Commercial Court ("SICC") was officially opened...
Myanmar insurance update
Clyde & Co partner Michael Horn recently visited Myanmar's commercial capital Yangon and reports on the current state of the insurance market...
Launch of the online mining cadastre transactional portal
Plus, a summary of the key mineral rights available in Tanzania; and, a look at the manner in which mineral rights can be transferred.
Restrictions imposed on holders of mineral rights
This briefing looks at some of the restrictions imposed on holders of mineral rights in Tanzania by the Mining Act 2010
Draft local content policy for the oil & gas industry in Tanzania
The first draft of the long-awaited local content policy for the oil & gas industry in Tanzania has now been published by the Ministry of Energy and Minerals ...
Tanzania: Revocation of mining licences
The Tanzanian government recently announced the cancellation of a total of 174 mining licences. This mining update examines the key continuing obligations imposed by the Mining Act upon mining licence holders.
Mining Development Agreements
In this month’s mining briefing we look at Mining Development Agreements (MDAs) and the role that they play in the mining sector in Tanzania.
The Tanzanian railway system: current legal framework
The railway system of mainland Tanzania has a total track length of 3,676 kilometers (km) with two separate networks, run by two separate organisations ...
Related Articles
A rapid response has been needed to control the coronavirus outbreak, but it remains to be seen how permanent the changes will be.
A rapid response has been needed to control the coronavirus outbreak, but it remains to be seen how permanent the changes will be ...
Compliance of import and export of epidemic prevention supplies
Currently, epidemic prevention supplies have special uses and significant importance, not only for the smooth development of economic activities ...
Antitrust Enforcement Review 2019: Monopoly investigations
China’s competition authority has acquired the competence and courage to investigate some of the most complicated and new types of monopoly behaviours ...
Related Articles by Jurisdiction
Redactions? How to Ensure There are no Nasty Surprises
With recent headlines highlighting the damage and embarrassment that can be caused by poorly redacted documents, it is no wonder many firms and corporates are turning to legal document management specialists to secure their redactions ...
Forewarned is forearmed
The third of four reports from Kroll and Liberty Asia on how to mitigate any hidden compliance and reputational risks relating to human trafficking issues …
3rd annual Representing Corporate Asia survey, including Firms of the Year, 2009
The issues affecting in-house counsel’s choice of external counsel, and a full list of the winning firms as voted by our in-house counsel community ...
Latest Articles
Nok Air Rehabilitation Proceedings – Updates for Creditors and Lessors
As the global travel industry continues to grapple with the effects of COVID-19, many companies are now beginning to seek protections under various insolvency regimes ...
Vietnam Insurance Market – Share/Capital Acquisition
The Vietnamese insurance market is heating up with many high-valued M&A deals over the last two years ...