Cyber security incidents to be reported quarterly to stock exchanges

Circular differs from the discussion in SEBI Board meeting

– Aisha Begum Ansari | corplaw@vinodkothari.com

Brief background

With business operations going digital, the threat of cyber attacks has increased considerably. Effective from April 2019, the Risk Management Committee of a listed entity was mandated by SEBI to discharge the function of laying down a framework for identifying cyber security risks. In the case of financial sector entities, the requirements laid down by the sectoral regulators are stricter and more elaborate[1].

Additionally, companies are required to report cyber security incidents to an agency called the Indian Computer Emergency Response Team (‘CERT-In’), which is established in terms of section 70B of the Information Technology Act, 2000 and comes under the Ministry of Electronics and Information Technology (‘MEITY’).

Present Circular

Since cyber security incidents are material in nature and may be relevant for investors, SEBI, vide its notification dated June 14, 2023, inserted reg. 27(2)(ba) in the Listing Regulations mandating listed entities to disclose the details of cyber security incidents or breaches or loss of data or documents in the quarterly Corporate Governance (CG) report filed in terms of Reg. 27(2), effective from July 13, 2023. Pursuant to the same, the stock exchanges, on September 29, 2023, released a format for disclosure of cyber security incidents in the quarterly CG report commencing from the quarter ended September 30, 2023, which covers the following:

  • Confirmation on any instance of cyber security incident or breach or loss of data or documents during the quarter;
  • Date of the event;
  • Brief details of the event.

This article analyses the above requirement in light of the proposal made in the consultation paper, the discussion in the SEBI Board meeting agenda and the gaps arising therefrom.

Scope of disclosure of cyber security incident and breach

The terms ‘cyber security incident’ and ‘cyber security breach’ are not defined in the Listing Regulations. Reference may be drawn from the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (‘CERT-In Rules’).

The term ‘cyber security incident’ is defined under rule 2(1)(h) of the CERT-In Rules as “any real or suspected adverse event in relation to cyber security that violates an explicitly or implicitly applicable security policy, resulting in unauthorised access, denial of service or disruption, unauthorised use of a computer resource for processing or storage of information for changes to data, information without authorization.”

Further, the term ‘cyber security breach’, as defined under rule 2(1)(i) of the CERT-In Rules, means “unauthorised acquisition or unauthorised use by a person as well as an entity of data or information that compromises the confidentiality, integrity or availability of information maintained in a computer resource.”

Consultation paper on disclosure of cyber security incidents and breaches

SEBI, in its consultation paper dated November 12, 2022 (Para 3.11), discussed the issue of cyber security incidents, breaches and loss of data/documents. With respect to the stage of disclosure, it provided that such incidents should not be disclosed immediately, as the entity may be vulnerable to further attacks, and accordingly proposed disclosure as part of the quarterly CG report under reg. 27(2) of the Listing Regulations. The format of disclosure proposed by SEBI covered the following information:

  • Nature of the event (cyber security incident / cyber security breach / loss of data or documents);
  • Date of the event;
  • Brief of the event;
  • Impact on the operations of the listed entity;
  • Corrective actions taken;
  • Compliance with the guidelines of CERT-In or other concerned authority.

Public comments

As given in Para 10.3 of the SEBI Board Meeting Agenda dated March 29, 2023, certain comments were received on the scope of disclosure of cyber security incidents, exemptions, etc., summarised below:

  • Type of incidents to be disclosed – It was suggested that the scope of disclosure should be restricted to only the reportable events covered under the Directions issued by CERT-In on April 28, 2022 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (‘CERT-In Directions’). The list of incidents required to be reported to CERT-In is given in Annexure I to this article.
  • Disclosure in succeeding quarter – It was also suggested that where the disclosure may pose further risk or threat to the entity, the disclosure should be allowed to be made in the succeeding quarter.
  • Exemption to certain entities – The disclosure requirement should not apply to public sector undertakings and critical sectors for national security reasons. Further, cyberattacks pertaining to Critical Information Infrastructures (‘CIIs’) and protected systems in terms of section 70(1) of the Information Technology Act, 2000 should also be exempt from disclosure.
  • Disclosure of corrective actions – Comments were also received against the disclosure of corrective actions taken by the listed entity, as the same may further elevate the information security risk exposure of the entity.
  • Public disclosure of cyber security incidents – Some comments were against the public disclosure of cyber security incidents. Under the CERT-In Rules, entities are required to report only to CERT-In, and such reports are not available in the public domain. It was also suggested that instead of disclosing the details of the incident, the listed entity may be asked to affirm in the quarterly compliance report that the necessary intimations have been made to the relevant authorities for cybersecurity-related incidents/breaches.
  • Defining the terms cyber security incident and cyber security breach – This was mainly from the perspective of ensuring uniformity and a better understanding of the terminologies.

SEBI’s final proposal

Based on the comments received from the industry, SEBI decided that cyber security incidents and breaches should be disclosed on a quarterly basis in the quarterly compliance report, and that clarification may be provided on the following:

  1. Definition of ‘cyber security incident’ and ‘cyber security breach’;
  2. Type of incidents to be disclosed;
  3. Affirmation in the quarterly compliance report on the corrective actions taken;
  4. Where the corrective action has not been taken or completed during the quarter, the disclosure should be made in the succeeding quarter;
  5. Entities exempt from the disclosure requirement.

Concluding remarks

While the format of disclosure of cyber security incidents only requires brief details of the event, there is no clarity on which incidents or breaches are required to be reported. Further, the disclosure requirement is applicable to all listed entities, and no exemption has been provided to public sector undertakings, CIIs and other critical sectors. It is to be noted that the quarterly CG report is required to be submitted within 21 days from the end of the quarter. It remains to be seen whether SEBI or the stock exchanges issue any clarification on the issues raised in the public comments.

Annexure I

Types of cyber security incidents mandatorily required to be reported to CERT-In

  1. Targeted scanning/probing of critical networks/ systems
  2. Compromise of critical systems/ information
  3. Unauthorised access of IT systems/ data
  4. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious code, links to external websites etc.
  5. Malicious code attacks such as spreading of virus/ worm/ Trojan/ Bots/ Spyware/ Ransomware/ Cryptominers
  6. Attack on servers such as Database, Mail and DNS and network devices such as Routers
  7. Identity Theft, spoofing and phishing attacks
  8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  9. Attacks on Critical infrastructure, SCADA and operational technology systems and Wireless networks
  10. Attacks on Application such as E-Governance, E-Commerce etc.
  11. Data Breach
  12. Data Leak
  13. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
  14. Attacks or incident affecting Digital Payment systems
  15. Attacks through Malicious mobile Apps
  16. Fake mobile Apps
  17. Unauthorised access to social media accounts
  18. Attacks or malicious/ suspicious activities affecting Cloud computing systems/ servers/ software/ applications
  19. Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Block chain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
  20. Attacks or malicious/ suspicious activities affecting systems/ servers/ software/ applications related to Artificial Intelligence and Machine Learning.

[1] For example, the format for reporting cyber security incidents by NBFCs to RBI.
