The corporate world, being the pioneer in technological advancement, carries out most
of its operations digitally, which increases its risk of succumbing to cyber-attacks. The
Pegasus spyware attack heightened the need for securing the digital networks of
companies. Social media intermediaries such as Meta and WhatsApp face major threats
from spyware such as Pegasus, and complying with the cyber security rules is the
need of the hour, especially to carry out their operations in India.
Legal Frameworks
The legal landscape covering the cyber-security framework in India consists of
the Information Technology Act, 2000; under Section 43A[1] of the Act, companies are
mandated to implement "reasonable security practices
and procedures" to protect information from potential cyber risks.
Furthermore, under Rule 3[2] of the Information Security Practices and Procedures for
Protected Systems Rules, 2018, every corporate body having a "Protected System"
shall appoint or constitute an Information Security Steering Committee, under
the chairmanship of the Chief Executive Officer, with the Chief Information Security
Officer as a vital part of the committee.
The framework further includes the Information Technology (Intermediary Guidelines and Digital Media Ethics
Code) Rules, 2021 and the Digital Personal Data Protection Act, 2023.
In the corporate context, the Companies Act, 2013 mandates the
appointment of a Chief Information Security Officer to implement and oversee a
comprehensive cyber security framework for companies classified as
'Significant'.
The Reserve Bank of India's guidelines also require the
appointment of a technology officer to oversee the technological operations
of companies operating in the financial sector. In addition, the Securities and
Exchange Board of India has issued various guidelines for users and companies
trading in stocks, as well as for clearing corporations and depositories, to mitigate
cyber risk in the capital market.
The Indian Computer Emergency Response Team (CERT-In) has also issued various
guidelines on implementing cyber security and on handling cyber-risk incidents involving
businesses in India. Businesses should ideally have an incident response plan in
order to mitigate the impact of cyber incidents and safeguard sensitive
information.
E-commerce and payment interface companies such as PhonePe and
Google Pay shall comply with the Payment Card Industry Data Security Standard (PCI
DSS); it not only protects customers' financial data but also helps
companies establish credibility in the market. A cyber insurance plan can also
aid companies: choosing an appropriate cyber insurance plan adds
an extra layer of protection for corporates in the event of a cyber-attack.
Achieving Cyber security Compliance
In order to achieve cyber security compliance, an organisation must implement a
multi-faceted strategy covering risk assessment, security controls, an incident
response plan, employee training, third-party risk management, compliance
monitoring and continuous improvement.
Though the legal framework ensures that the cyber workspace of
corporates remains intact, certain rules and frameworks disrupt the working
procedures of companies. For instance, in a recent case before the Delhi High Court,
WhatsApp was asked to break message encryption; this was unjust, as the sole
purpose of end-to-end encryption is to facilitate the privacy of its users,
and breaking it would expose user data to cyber risks. The company, in reply, said
that if it had to break message encryption, it might have to cease its operations
in India.
In conclusion, cyberspace shall be protected and companies should comply
with the cyber security framework to mitigate their cyber risks and threats;
however, the legislature and judiciary should also amend the few laws that may
hamper companies' privacy policies. Furthermore, a proper legal
framework ensuring cyber security and privacy compliance for corporates should be
implemented, which will indeed help corporates establish their
credibility in the digital market.
End Notes:
- [1] Section 43A, The Information Technology Act, 2000
- [2] Information Security Practices and Procedures for Protected Systems, 2018