Recently there have been news around cyber-attack being made on listed companies. Tata Motors informed regulators of potential JLR customer data breach[1]. National Stock Exchange faces around 170 million daily cyber-attacks[2]. HDFC bank also reported high instances of fraud and financial losses related to phishing and digital fraud attempts[3]. Disclosure of cyber related frauds and cyber attacks hence becomes crucial.
Background
Central Government in terms of the provisions of sub-section (1) of section 70B of Information Technology (IT) Act, 2000 (IT Act, 2000) has appointed “Indian Computer Emergency Response Team (CERT-In)” vide notification dated 27th October 2009. The purpose of the CERT-In is to strengthen national cyber security by mandating timely reporting (within 6 hours) and coordination of cyber incidents across service providers and corporates, as per the IT Act, 2000. Listed entities must disclose cyber security incidents in prescribed formats, pursuant to CERT-In directions and circular by Bombay Stock Exchange [BSE’] and National Stock Exchange [‘NSE’][4].
In this article we will see whether disclosure of cyber incidents would require disclosure to stock exchange as per reg 30 read with schedule III?
Introduction
Disclosure of cyber incident to CERT-In
Cyber incidents as stated in annexure I of Cyber Security Directions dt: April 28, 2022, shall be reported to CERT-In if they fulfill following criteria:
- cyber incidents and cyber security incidents of severe nature (such as denial of service, distributed denial of service, intrusion, spread of computer contaminant including Ransomware) on any part of the public information infrastructure including backbone network infrastructure
- Data Breaches or Data Leaks
- large-scale or most frequent incidents such as intrusion into computer resource, websites etc.
- cyber incidents impacting safety of human beings.
[1] https://www.business-standard.com/companies/news/tata-motors-informs-regulators-of-potential-jlr-customer-data-breach-125111401915_1.html
[2] https://www.business-standard.com/companies/news/tata-motors-informs-regulators-of-potential-jlr-customer-data-breach-125111401915_1.html
[3] https://www.hdfcbank.com/content/bbp/
[4] https://nsearchives.nseindia.com//web/sites/default/files/inline-files/NSE_Circular_29092023_0.pdf and https://www.bseindia.com/markets/MarketInfo/DispNewNoticesCirculars.aspx?page=20230929-26
This article is published on Taxmann link below.
https://www.taxmann.com/research/company-and-sebi/top-story/105010000000027414/cyber-attacks-and-disclosure-a-guide-for-companies-experts-opinion