This article has been written by Sharadha Krishnamurthy pursuing an Executive Certificate Course in Corporate Governance for Directors and CXOs from Skill Arbitrage.
This article has been edited and published by Shashwat Kaushik.
Introduction
Data is now one of the most valuable assets a company holds, and it must be protected accordingly. With the Internet in daily use, almost all business data is stored and processed on computers. Cybersecurity is the practice of securing that data: preventing cyber attacks, detecting intrusions and malware, and deploying controls such as firewalls. It has direct implications for the financial health of the company, and it is equally central to preserving the confidentiality of the company's business, its Board of Directors and its staff.
Cybersecurity oversight
Every large company has an Information Technology team dedicated to building software solutions that make work on computers more efficient, raising the productivity of the workforce. Directors and CXOs therefore allocate substantial funds to software development. Cybersecurity, however, is usually assumed to be the IT department's responsibility alone, while Directors and CXOs concentrate on operations: growing market share, raising profitability and delivering good returns to stakeholders. The result is that cybersecurity is, most of the time, an oversight at board level in the sense of a neglected area, and that neglect is itself a source of cyber risk. It is a crucial risk that the Board of Directors and CXOs need to address with the utmost diligence; the rest of this article uses "oversight" in the other sense, the board's active supervision of cyber risk.
Corporate governance
In the modern era of computers, business is no longer limited by the geographical boundaries of the world. We are living the idea of "Vasudhaiva Kutumbakam", the Sanskrit phrase from the Maha Upanishad meaning that the whole world is one family. The same tradition gives us the Bhagavad Gita, the dialogue between Sri Krishna and Arjuna in our great epic, the Mahabharata, which is widely read as a guide to moral conduct in life and in business and, by extension, to good corporate governance.
Because the internet, mobile phones and other electronic devices have effectively shrunk those boundaries, there are both advantages and disadvantages on many fronts. Our focus here is cybersecurity oversight, because vast sums of money and data are transacted across the world every day. With digitalisation, most money transfers are made over the internet and through payment apps, and banks themselves encourage customers to bank digitally.
Digital transactions carry a serious risk of cyber fraud, because there is usually no face-to-face contact between the parties. We rely on electronic communication to judge whether a counterparty is genuine, and we make commitments and payments on that basis in the expectation of a genuine transaction. A defaulting or fraudulent counterparty can cost the company heavily in data, money, integrity and ethics, and it can breed deep mistrust among stakeholders if the Board of Directors fails to verify that a deal is genuine. Fraud schemes are now so well developed that a company can be cheated within minutes, and Directors and CXOs who lack hands-on cybersecurity experience rely entirely on the specialised skills of their IT team. The gap between the two is where cyber threats and cyber fraud take hold.
We therefore encourage Boards of Directors and CXOs to make cybersecurity a priority and to include directors with cybersecurity and IT skills on the board, so that the board can add value by focusing on cyber risk and make its transactions as robust as possible.
Case studies
Recently, a sole proprietor who had been in business for more than a decade decided to expand by advertising on a national e-marketplace. Until then the owner had relied on traditional methods only: direct sales, tenders, reference calls and direct marketing.
As soon as the business was listed on the online platform, many unsolicited enquiries started arriving. Seeing a new opportunity, the proprietor showed keen interest and trusted the new clients. One international client posed as a buyer of a rare, high-value chemical and claimed that, because of restrictions in their country and company, they could not buy it directly from the manufacturer; they therefore wished to appoint the proprietor as an agent to buy the chemical and sell it on to them. They supplied all the documents needed to establish trust and apparent genuineness. On that basis the owner contacted the manufacturer by email and phone, using a reference supplied by the client itself, which was itself a warning sign: the only check on the supplier came from the buyer, so neither party was ever verified independently. The supplier readily agreed to supply the material, offered samples, and promised to take the samples back and refund 100% of the money if the client rejected them. All of this was documented in emails. The initial payment terms were 50% in advance and 50% on acceptance of the material, and, trusting the deal to be genuine, the owner paid the 50% advance. As soon as the payment arrived, the supplier said their director did not allow part payment for a sample from a new customer and asked for the remaining 50%. Meanwhile the buyer was pressing to see the sample immediately. Hoping for good business, the owner transferred the balance and the sample chemical was received. Because the owner had no prior knowledge of the product, this being the first time it had been traded, he showed it to the client over a video call. The client appeared very happy and confirmed an order for 5 gallons of the chemical.
The buyer then attached a condition: they would pay in advance only once the owner proved the ability to supply by delivering 1 gallon of the chemical up front, to be paid for before taking delivery. The owner therefore ordered from the supplier and paid the full advance for 1 gallon. Before paying, the proprietor checked the supplier's credentials with the bank, which confirmed the account was active and showed regular transactions. An active account with regular transactions is not evidence of legitimacy, however; fraudulent operations run genuine bank accounts precisely so that this check passes. The payment was transferred, but the material was never dispatched and, despite repeated requests, no refund was made. Even with documentary evidence in hand (emails, WhatsApp messages, call records and bank transactions), recovering the funds was difficult. The owner filed a cybercrime complaint. On investigation, the department found that the supplier was fraudulent and had duped many people across the country. Through the diligence of the cybercrime team, the supplier's accounts were frozen and, with a lawyer's assistance, a court order was obtained to recover the funds. Even so, only 50%-60% of the money was traceable, and it took about six months to recover it. The balance could not be recovered, as the fraudsters had already siphoned it off, and many other cases were lodged against the same gang.
The fraudsters' modus operandi was to pose as genuine manufacturers and suppliers: filing GST returns, being listed on e-marketplaces and operating proper bank accounts. Every surface check passed, which is what made the fraud so convincing.
Measures for cybersecurity
How, then, do we put cybersecurity measures in place to prevent this kind of cheating by white-collar, daylight robbers? The enabling factors are easy access to data and digitalisation. If a sole proprietor can be defrauded this way, one can imagine the scale of fraud possible in large companies and its direct financial consequences for every stakeholder. It is therefore imperative for Directors and CXOs to develop their own skills, recruit the best talent to prioritise cybersecurity in their companies, and train staff not to fall prey to such persuasive fraudsters.
- Best skilled IT team: companies must be diligent in hiring the best talent for the job, because preventing fraud is better than investigating it afterwards.
- Director representation with IT skills: one or two directors with specialised cybersecurity skills can strongly influence the board's decisions on rules and controls, so that cybersecurity does not become a neglected area.
- Effective strategy implementation: good strategies must be engineered to keep pace with dynamic changes in market requirements and to keep cybersecurity under control.
CXOs and cybersecurity
In the rapidly evolving digital landscape, cybersecurity has become a critical aspect of corporate governance, and directors and CXOs (C-suite executives generally, whatever their particular portfolio) play a pivotal role in ensuring effective oversight. The key points are:
Understanding the significance
In today’s rapidly evolving digital landscape, cyber threats have become a pervasive and formidable challenge for organisations across all sectors. These threats range from sophisticated phishing attacks and malware infections to ransomware and targeted cyber espionage campaigns. The consequences of cyber incidents can be far-reaching, resulting in data breaches, financial losses, reputational damage, legal liabilities, and disruptions to critical operations. Directors and CXOs must recognise that cybersecurity is not merely a technical issue but a strategic imperative that has significant implications for the long-term success and sustainability of their organisations.
Board-level involvement
Effective cybersecurity oversight begins at the board level. Directors have a fiduciary responsibility to ensure that their organisations have adequate safeguards in place to protect sensitive information and critical assets. Boards should establish a dedicated cybersecurity committee or designate a board member with specific oversight responsibilities related to cybersecurity. Regular reporting on cybersecurity risks, incidents, and mitigation strategies should be provided to the board, enabling directors to make informed decisions and provide strategic guidance.
Collaboration with management
Directors and CXOs should work closely with the management team to ensure that cybersecurity is fully integrated into the organisation’s overall risk management framework. Management should be held accountable for implementing and maintaining appropriate cybersecurity controls, policies, and procedures. Regular assessments and audits should be conducted to evaluate the effectiveness of cybersecurity measures and identify areas for improvement.
Continuous education and awareness
Directors and CXOs must stay informed about the latest cybersecurity threats and trends to make informed decisions and provide effective oversight. Ongoing training and awareness programmes should be implemented to ensure that all employees understand their roles and responsibilities in maintaining cybersecurity. Employees should be educated about common cyber threats, such as phishing attacks and social engineering, and provided with best practices for protecting sensitive information and systems.
Regulatory compliance and reporting
Organisations are subject to various cybersecurity regulations and reporting requirements, both at the national and international levels. Directors and CXOs should ensure that their organisations are compliant with these regulations and disclose any material cybersecurity incidents or breaches promptly and transparently. Failure to comply with regulatory requirements can result in significant fines, reputational damage, and legal liabilities.
Cybersecurity incident response
In the event of a cybersecurity incident, directors and CXOs should work closely with the management team to manage the response effectively. A well-defined incident response plan should be in place to minimise the impact and restore operations as quickly as possible. The incident response plan should include procedures for containment, eradication, recovery, and communication.
Third-party risk management
Organisations rely on a complex network of third-party vendors and partners, which can introduce additional cybersecurity risks. Directors and CXOs should ensure that proper due diligence is conducted when selecting third parties and that contractual agreements include appropriate cybersecurity provisions. Third-party risk management should be an integral part of the organisation’s overall cybersecurity strategy.
Insurance and risk transfer
Cybersecurity insurance can provide financial protection against the costs associated with cyber incidents, but it should not be viewed as a substitute for robust cybersecurity practices. Directors and CXOs should consider the availability and terms of cyber insurance policies, including their exclusions and any security controls the insurer requires as a condition of cover.
By prioritising cybersecurity oversight, directors and CXOs can help their organisations navigate the cyber threat landscape effectively, protect valuable assets, and maintain trust with stakeholders.
Cybersecurity laws in India
India has a robust framework of cybersecurity laws and regulations to protect its critical infrastructure, sensitive information, and citizens from cyber threats.
The Information Technology Act, 2000 (IT Act)
The Information Technology Act (IT Act) was enacted in 2000 to provide a legal framework for electronic transactions and digital signatures in India. It also contains provisions to address cybercrimes such as hacking, data theft, identity theft (Section 66C) and cheating by personation using a computer resource (Section 66D), the offence most directly relevant to frauds like the one in the case study above.
The IT Act has been instrumental in promoting the growth of e-commerce and digital governance in India. It has also helped to protect individuals and organisations from cybercrime.
Some of the key provisions of the IT Act include:
- Legal recognition of electronic transactions and digital signatures: The IT Act provides legal recognition to electronic transactions and digital signatures, making them as valid as paper-based transactions and signatures. This has facilitated the growth of e-commerce and digital payments in India.
- Cybercrimes: The IT Act contains provisions to address cybercrimes such as hacking, data theft, identity theft and cheating by personation. These provisions have helped to protect individuals and organisations from cybercrime.
- Data protection: Section 43A of the IT Act makes a body corporate liable to compensate for negligence in implementing reasonable security practices for sensitive personal data, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 specify what those practices are. The Digital Personal Data Protection Act, 2023 is now India's dedicated data protection statute.
The IT Act has been amended since its enactment in 2000, most substantially by the Information Technology (Amendment) Act, 2008, which added the Section 66 series of computer-related offences, Section 43A on data protection, and Sections 70A and 70B establishing the NCIIPC and CERT-In respectively. Content takedown timelines come not from an amendment to the Act but from rules issued under it: the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 require intermediaries to remove certain categories of content, such as non-consensual intimate imagery, within 24 hours of receiving a complaint.
The IT Act is a comprehensive law that has played a key role in the development of the digital economy in India and in protecting individuals and organisations from cybercrime. As the cyber threat landscape continues to evolve, the Act and the rules under it will need to be updated regularly to keep pace.
The National Cyber Security Policy, 2013
The National Cyber Security Policy (NCSP) provides a comprehensive framework for cybersecurity in India. It outlines the government’s vision for a secure cyberspace and identifies key areas of focus, including critical infrastructure protection, cybercrime prevention, and capacity building. The NCSP has been instrumental in guiding the development of India’s cybersecurity strategy.
The Cyber Security Framework for the Indian Power Sector, 2016
The Cyber Security Framework for the Indian Power Sector is a comprehensive set of guidelines and best practices developed by the Ministry of Power to protect the country’s critical power infrastructure from cyber threats. The framework is designed to help power utilities implement effective cybersecurity measures to safeguard their assets and operations.
The framework covers a wide range of cybersecurity topics, including:
- Governance and risk management: This includes establishing a cybersecurity governance structure, identifying and assessing cyber risks, and developing a risk management strategy.
- Incident response: This includes developing and implementing an incident response plan, conducting regular incident response exercises, and maintaining a cyber incident response team.
- Information security: This includes protecting sensitive information from unauthorised access, use, disclosure, or destruction.
- Operational security: This includes protecting the physical security of power utilities’ assets and operations, as well as implementing security controls for operational technology (OT) systems.
- Workforce security: This includes educating and training employees about cybersecurity risks and best practices, and implementing security controls for employee access to sensitive information and systems.
The Cyber Security Framework for the Indian Power Sector is an essential tool for power utilities to protect their critical infrastructure from cyber threats. By implementing the framework’s recommendations, power utilities can significantly reduce their risk of cyber attacks and ensure the continued reliability of the power grid.
In addition to the framework, the Ministry of Power has also established a number of other initiatives to improve cybersecurity in the power sector. These initiatives include:
- The Power Cyber Security Group (PCSG): The PCSG is a forum for power utilities to share information and best practices on cybersecurity.
- The National Centre of Excellence for Cyber Security (NCoE): The NCoE is a centre of excellence for cybersecurity research and development.
- The Cyber Security Scheme for the Power Sector: The Cyber Security Scheme provides financial assistance to power utilities for cybersecurity projects.
These initiatives are helping to improve cybersecurity in the power sector and protect the country’s critical power infrastructure from cyber threats.
The National Critical Information Infrastructure Protection Centre (NCIIPC)
The NCIIPC, established under Section 70A of the IT Act and functioning under the National Technical Research Organisation (NTRO), is the national nodal agency for protecting critical information infrastructure: the systems whose incapacitation or destruction would have a debilitating impact on national security, the economy, public health or safety. It identifies and notifies critical sectors, issues guidelines and advisories to them, monitors threats to that infrastructure and supports incident handling. National incident response more generally is the role of CERT-In, the Indian Computer Emergency Response Team, established under Section 70B, which also requires organisations to report cyber incidents to it (within six hours under its directions of April 2022). Both agencies work with international counterparts to share information and best practices.
Taken together, these laws, policies and agencies give India a solid foundation for protecting its critical infrastructure, sensitive information and citizens from cyber threats, and the government continues to strengthen its cybersecurity posture to keep pace with the evolving threat landscape.
Conclusion
Cybersecurity is a continuous challenge for the Board of Directors and CXOs. They must prioritise it, because neglecting it can cause irreparable losses to the company and every one of its stakeholders on all fronts: data, money, operations and reputation.
Most important of all is the company's credibility in the market and with its shareholders.