Cybersecurity Landscape in India

Updated: Jun 30




Cyber security – Meaning 

 

Cybersecurity refers to the practice of protecting systems, networks, software and data from digital attacks, theft, and damage. In today’s interconnected world, almost every aspect of our lives involves some form of digital interaction—whether it’s financial transactions, communication, or personal data storage. Cybersecurity ensures that this information remains confidential, retains its integrity, and is available only to authorized users. Without proper cybersecurity measures, individuals and organizations become vulnerable to a range of cyber threats, such as data breaches, identity theft, and financial fraud.

 

Magnitude of Cybercrime


According to recent statistics, cybercrime in India has been on a steep rise. In the first four months of 2024 alone, over 740,000 cybercrime cases were reported to the Indian Cyber Crime Coordination Centre (I4C). The financial losses from these incidents exceeded ₹1,750 crore. Furthermore, India has witnessed a growing number of ransomware attacks. Globally, the financial impact of cybercrime is projected to reach a staggering $10.5 trillion annually by 2025.


Common Types of Cybercrimes in India


India has witnessed a significant rise in cybercrimes over the years. Here are some prevalent types:


1. Phishing Attacks:


Cybercriminals trick users into revealing sensitive information like passwords, bank account details, or credit card numbers through fake emails or messages.


2. Identity Theft:


Unauthorized access to personal information is used for financial fraud or other illegal activities.


3. Ransomware Attacks:


Malicious software encrypts user data, and attackers demand a ransom to restore access. India ranks among the top 5 countries targeted by ransomware globally.


4. Online Financial Fraud:


Includes scams like fraudulent online transactions, card cloning, and UPI-based fraud.


5. Social Media Exploitation:


Cyberbullying, fake profiles, and exploitation through manipulated content.


6. Cyberstalking:


Persistent online harassment targeting individuals, often women and children.


7. Child Pornography and Exploitation:


Illegal sharing of explicit content involving minors, which is heavily penalized under Indian laws.


8. Cyber Espionage and Hacking:


Targeted attacks on government, corporate, or individual systems to steal sensitive data.


How to stay safe online


There are several fundamental steps every individual should follow to stay safe online:


1. Use Strong Passwords:


Ensure your passwords are long, unique, and a combination of letters, numbers, and symbols. Avoid using easily guessable information like birthdates.


2. Enable Multi-Factor Authentication (MFA):


MFA adds an extra layer of security by requiring a second form of verification, such as a code sent to your phone.


3. Keep Software Updated:


Regularly update your operating system, antivirus software, and applications to protect against known vulnerabilities.


4. Be Cautious with Emails and Links:


Phishing is a common method used by attackers to steal information. Always verify the source of emails and avoid clicking on suspicious links.


5. Use Secure Networks:


Avoid using public Wi-Fi for sensitive activities like online banking unless you are using a VPN (Virtual Private Network).


6. Regular Backups:


Regularly back up your data to prevent loss in case of ransomware attacks or system failures.

 

RBI Guidelines and Frameworks for financial sectors:


The Reserve Bank of India (RBI) has issued several comprehensive guidelines and frameworks to strengthen cybersecurity in the financial sector. These are aimed at ensuring the resilience of banking systems, securing digital payment channels, and protecting sensitive financial data. Here’s an overview of some key RBI guidelines related to cybersecurity:


1. Cyber Security Framework for Banks (2016)


The RBI introduced this framework to ensure banks adopt a robust cybersecurity posture. Key points include:


  1. Board-Level Oversight: Banks are required to have a dedicated Chief Information Security Officer (CISO) and establish a Cyber Security Committee at the Board level.


  2. Comprehensive Cybersecurity Policy: Banks must draft and implement a detailed cybersecurity policy that covers data protection, incident response, and risk management.


  3. Monitoring and Reporting: Banks are required to regularly monitor cybersecurity threats and report significant incidents to the RBI within a defined timeframe.


2. Guidelines for Digital Payments Security (2021)


With the rapid adoption of digital payment systems, RBI issued these guidelines to enhance security in digital transactions. Key provisions include:


  1. Customer Awareness: Banks and payment operators are mandated to educate customers about safe online practices.


  2. Fraud Monitoring: Institutions are required to establish real-time fraud monitoring systems and take proactive measures to prevent fraud.


  3. Secure Authentication: Multi-factor authentication (MFA) is mandatory for high-value transactions, ensuring an additional layer of security.


3. IT Risk Management Guidelines (2011)


These guidelines focus on managing risks associated with IT systems and ensuring operational resilience. Key requirements include:


  1. Business Continuity Planning (BCP): Banks must have a robust BCP and Disaster Recovery (DR) strategy to handle cyber incidents and ensure minimal disruption.


  2. Third-Party Risk Management: Banks are required to assess the cybersecurity practices of third-party service providers to mitigate supply chain risks.


4. Cyber Security Controls for Payment System Operators (2020)


Since payment system operators (PSOs) handle sensitive financial information, RBI issued separate guidelines for them. Key highlights include:


  1. Data Localization: PSOs must store all financial data related to Indian users within the country.


  2. Incident Response: PSOs are required to implement an incident response mechanism and regularly conduct cybersecurity drills.


  3. Periodic Audits: Regular internal and external audits are mandated to ensure compliance with the cybersecurity framework.


5. Guidelines on Internet Banking Security (2001 & updated in 2014)


These guidelines focus on ensuring the security of internet banking channels. Key aspects include:


  1. Encryption Standards: Strong encryption protocols must be used for internet banking transactions.


  2. Customer Protection: Banks are required to establish grievance redressal mechanisms and provide compensation in case of unauthorized transactions due to system flaws.


6. Guidelines for Cyber Resilience of NBFCs (2022)


Non-Banking Financial Companies (NBFCs) also play a critical role in the financial ecosystem. RBI introduced guidelines requiring NBFCs to:


  1. Implement a Cybersecurity Policy: Similar to banks, NBFCs are required to develop a comprehensive cybersecurity policy.


  2. Periodic Vulnerability Assessment: Regular vulnerability assessments and penetration testing are mandated to identify and mitigate security risks.


  3. Incident Response: NBFCs must have a dedicated incident response plan and report significant cyber incidents to the RBI.


7. Data Localization and Security for Card Payment Transactions (2018)


RBI mandates that all data related to payment systems operated in India must be stored within the country to enhance data sovereignty and ensure timely access to law enforcement agencies.


Encryption and Security Protocols: Stringent guidelines are in place for encrypting sensitive customer data during transmission and storage.


8. IT Governance, Risk, and Compliance (GRC) Framework


Banks and financial institutions are required to adopt a GRC framework that covers:


  • IT Governance: Ensures proper alignment of IT strategies with business goals.

  • Risk Assessment: Regular assessments of IT and cybersecurity risks.

  • Compliance: Adherence to various regulatory norms and periodic submission of compliance reports to the RBI.


9. RBI Zero Liability Policy (2017)


  • The RBI Zero Liability Policy is designed to protect customers from financial losses due to unauthorized electronic banking transactions. Its primary purpose is to ensure that victims of cyber fraud do not suffer financial setbacks if they report the fraud promptly.


  • By holding banks accountable for security flaws and fraudulent transactions occurring due to their systems, the policy encourages financial institutions to strengthen fraud detection and prevention mechanisms.


  • Additionally, the policy aims to build customer confidence in digital transactions by reassuring users that they have recourse in case of fraud. It also establishes clear guidelines on liability, ensuring swift action from banks while encouraging consumers to adopt safe banking practices.

 

General Points across All Guidelines:


  • Cybersecurity Awareness Training: Institutions are mandated to conduct regular cybersecurity awareness programs for employees and customers.


  • Periodic Cybersecurity Audits: Internal and external audits are necessary to ensure continuous compliance with RBI guidelines.


  • Incident Reporting: All cybersecurity incidents must be reported promptly to RBI’s Cyber Security and IT Examination Cell (CSITE).


Common Law / Guidelines / Standards applicable to all sectors


1. Information Technology Act, 2000 (IT Act)


The IT Act is the primary legislation governing cybersecurity for all organizations in India, whether public or private. It covers:

  • Cybercrimes: Unauthorized access, identity theft, data breaches, and hacking are punishable under the IT Act.


  • Data Protection: Section 43A mandates that organizations handling sensitive personal data implement reasonable security practices. Failure to do so can result in liability and compensation to affected individuals.


  • Adjudication and CERT-In: The IT Act empowers the Indian Computer Emergency Response Team (CERT-In) to act as the national nodal agency for cybersecurity incidents and issue guidelines for critical infrastructure.


2. CERT-In Guidelines


CERT-In plays a critical role in guiding organizations on cybersecurity best practices. In April 2022, CERT-In issued specific guidelines for:


  • Mandatory Reporting of Cyber Incidents: All organizations must report cyber incidents within 6 hours of detection.


  • Log Retention: Organizations are required to maintain logs of all ICT systems for a period of 180 days.


  • VPN Providers and Data Centers: Service providers, intermediaries, and data centers must store customer information for a specific duration to aid in incident investigation.


3. Personal Data Protection Bill (PDPB) (proposed)


Though not yet enacted, the Personal Data Protection Bill aims to regulate data collection, processing, and storage across all sectors. Once enforced, it will:


  • Mandate Data Protection Practices: Organizations handling personal data will need to implement strict cybersecurity measures.


  • Define User Rights: It will establish the rights of individuals over their data and impose penalties on organizations for non-compliance.


  • Require Data Localization: Critical personal data of Indian citizens must be stored within the country.


4. NCIIPC Guidelines for Critical Information Infrastructure


The National Critical Information Infrastructure Protection Centre (NCIIPC), under the National Technical Research Organisation (NTRO), is responsible for protecting critical information infrastructure (CII) in sectors like defense, energy, transportation, and telecommunications. Key responsibilities include:


  • Identifying critical assets and ensuring robust cybersecurity.

  • Coordinating incident response for attacks targeting critical infrastructure.

  • Issuing advisories and best practices for CII organizations.


5. Data Security Standards – ISO and PCI-DSS


For organizations in sectors without specific regulators, adhering to industry standards is essential. Common standards include:


  • ISO 27001: An international standard for information security management systems (ISMS).

  • PCI-DSS: Mandatory for organizations handling credit card transactions, ensuring secure payment environments.


Other Sector-Specific Guidelines


Sector Specific Guidelines and Frameworks


In India, while banks and financial institutions are regulated by the Reserve Bank of India (RBI) for cybersecurity, other organizations fall under different regulatory bodies and frameworks based on the industry they belong to. This multi-layered approach ensures that cybersecurity is addressed comprehensively across industries. Here's an overview of how cybersecurity regulations apply to various sectors beyond banking:


Different regulators oversee specific industries and issue cybersecurity guidelines accordingly:


a) Telecom Sector – Department of Telecommunications (DoT)


  • The DoT mandates telecom operators to implement stringent cybersecurity controls and periodically conduct security audits.


  • Data privacy and network security are critical areas governed by the DoT.


b) Healthcare Sector – Ministry of Health & Family Welfare


  • The National Digital Health Mission (NDHM) framework emphasizes data privacy and cybersecurity for healthcare providers.


  • Guidelines ensure that sensitive health information is stored securely and transmitted using encrypted channels.


c) Power Sector – Central Electricity Authority (CEA)


  • The CEA mandates cybersecurity practices for power grid operators, ensuring protection against cyberattacks that could disrupt critical infrastructure.


  • Operators must conduct regular vulnerability assessments and report incidents to CERT-In.


d) Stock Market & Financial Services – SEBI


  • The Securities and Exchange Board of India (SEBI) has issued cybersecurity guidelines for stock exchanges, mutual funds, and depositories.


  • These entities are required to implement security controls, conduct audits, and report cyber incidents promptly.


General Responsibilities for All Organizations


Even if specific sectoral guidelines do not apply, organizations must:


  1. Implement Reasonable Security Practices: Following industry-standard frameworks such as ISO 27001, NIST Cybersecurity Framework, or COBIT.

  2. Conduct Security Audits: Regular internal and external audits to identify and mitigate vulnerabilities.

  3. Employee Awareness and Training: Ensuring employees are educated on cybersecurity threats like phishing, social engineering, and ransomware.

  4. Incident Response Planning: Developing an incident response plan to minimize the impact of cyber incidents.


In India, while the RBI regulates banks and financial institutions, other sectors fall under frameworks established by agencies like CERT-In, NCIIPC, SEBI, DoT, and others. Additionally, the IT Act provides a broad legal framework for cybersecurity across all sectors. Organizations that aren’t explicitly covered by sector-specific guidelines should adhere to best practices like ISO 27001, NIST, and CERT-In advisories to ensure robust cybersecurity.

 

 

