[Editorial] Reporting cyber attacks

The Ministry of Electronics and Information Technology is likely to come out with new cyber security regulations, as indicated by the Minister of State for Electronics and Information Technology at a recent cyber security event.

What is the editorial about?

How the incentive for firms not to disclose security attacks affects cyber security and data protection.

Essence of the proposed regulation

  • The essence of the new regulation will be to place the onus on organisations to report any cyber-crime committed against them, including data leaks.
  • Clause 25 of the Data Protection Bill 2021 says that data fiduciaries must report any personal and non-personal data breach incident within 72 hours of becoming aware of it. Note that the clock starts at awareness, not at the time of the breach, so an organisation needs detection and escalation processes that establish when it became aware.
  • Even the gold standard for data protection, the European Union General Data Protection Regulation (EU GDPR), has a clause (Article 33) requiring data breaches to be reported to the supervisory authority within a similarly stringent 72-hour timeline.

Why are there continuing breach incidents every minute?

  • In principle, mandatory reporting should improve cyber security and reduce attacks and breaches; in practice, breach incidents continue to occur around the clock.
  • According to Cybercrime Magazine, cyber-crime, predicted to inflict damages totalling $6 trillion globally in 2021, would be the world's third-largest economy after the U.S. and China if it were measured as a country.
  • Apart from private firms, government services, especially critical utilities, are prone to cyber-attacks and breach incidents.
  • The 2021 ransomware attack on the Colonial Pipeline in the U.S. virtually halted the transport of about 45% of the petrol, diesel and jet fuel consumed on the east coast. Notably, the ransomware hit the operator's IT systems and the operator itself shut down the pipeline as a precaution, so the operational impact of an attack can extend well beyond the systems actually compromised.
  • Hence it is important that cyber-attacks on government and state-owned enterprises also be reported, so that corrective action can be taken on the security of the nation's critical infrastructure.

What is the logic behind incident reporting?

  • If incidents are reported, the Indian Computer Emergency Response Team (CERT-In) and others can alert organisations to the associated security vulnerabilities and indicators of compromise.
  • Firms not yet affected can then take precautionary measures such as deploying security patches and improving their cyber security infrastructure.

Why are firms reluctant to disclose security attacks?

  • Firms are reluctant to notify regulators of breach incidents because any security or privacy breach damages the reputation of the firm concerned.
  • An empirical study by Comparitech indicates that the share price of breached firms falls by around 3.5% on average over the three months following the breach.
  • In the long term, breached companies underperform the market. After one year, the share price of breached firms had fallen 8.6% on average.
  • So firms weigh the penalties they face for not disclosing an incident against the potential reputational harm of disclosure, and decide accordingly.

How will the regulator come to know when a firm does not disclose a security breach?

  • Short of the breach surfacing on its own (for example, through leaked data or a third-party report), this can be established only through periodic cyber security audits.
  • These audits must be comprehensive enough to identify incidents the firm has not reported.
  • Unfortunately, regulators in most countries, including India, do not have the capacity to conduct security audits frequently and comprehensively.
  • If either the probability of an audit is low, or the probability of an audit uncovering a breach is low, firms have an incentive not to disclose security attacks.

Possible solutions apart from enacting rules

Cyber security auditors

  • The government can empanel third-party cyber security auditors to conduct periodic cyber security impact assessments, primarily across government departments at both the national and State level, so that security threats and incidents are detected proactively and averted.
  • The government can also mandate that private firms publish periodic security audit reports, and arrange surprise security audits for enforcement.

Extending Common Criteria testing laboratories and certification bodies

  • As part of the Government of India's cyber security assurance initiatives, the Ministry of Electronics and Information Technology has set up Common Criteria Testing Laboratories and certification bodies across the country to evaluate and certify IT security products and protection profiles.
  • These schemes can be extended to cover cyber security audits and assessments as well.
  • Much like IBM, which set up a large cyber security command centre in Bengaluru, other large firms can be encouraged to set up such centres to protect their own assets.

  • Such measures would also pass muster under the EU GDPR's adequacy requirements, moving India closer to the set of countries recognised as providing a level of cyber security and data protection equivalent to that of the EU, which is a precondition for seamless cross-border data flows.

