Cyber Security Obligations Of Directors Of Indian Companies Under Indian Companies Act, 2013 Are Ignored By Them

Cyber security is no more a problem of technology people of an organisation. Now the top management is equally concerned and responsible for various cyber law and cyber security related issues. Recently the Reserve Bank of India (RBI) declared that it would constitute an IT subsidiary for managing cyber security issues of banks in India. Even the Indian government has appointed Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India.

It has been long felt that we need a dedicated cyber security law of India. Presently few provisions pertaining to cyber security can be found in information technology act, 2000. However, the IT Act 2000 is not sufficient to address the complex and techno legal issues of cyber security especially those arising at the international level. International legal issues of cyber security are still not clear as there is no universally acceptable cyber law treaty and cyber security treaty (pdf). The position has become really alarming as malware are easily defeating cyber security products and services these days.

Recently the Ministry of Corporate Affairs (MCA) notified many provisions of the Indian Companies Act, 2013 (PDF) and corresponding rules under the same. Most of the corporate stakeholders have considered the new company law of India as a purely corporate regulatory framework. However, this is not true as the Indian Companies Act 2013 has prescribed legal obligations that are far more complicated than the traditional company law.

The truth is that the new company law of India has prescribed many techno legal compliance requirements that very few companies and their directors are capable of managing. As a result cyber law and cyber security related legal violations would be in abundant in the coming times.

With the formulation of the proposed cyber security breach disclosure norms of India and possible cyber security laws in India, Indian companies and their directors would find themselves in a legal fix. The powers of Serious Frauds Investigation office (SFIO) have also been significantly increased by the Companies Act 2013. SFIO has become very active in prosecuting Indian companies and their directors in the recent past. With the notification of the Companies (Inspection, Investigation and Inquiry) Rules, 2014 (PDF) SFIO would become more active in this regard.

The legislature made it sure that the regulatory compliances under Indian Companies Act 2013 should cover cyber law and cyber security compliances as well. The directors’ liabilities under the Indian Companies Act 2013 also cover cyber law due diligence (PDF), cyber security due diligence, e-discovery compliances, cyber forensics, etc on their part. Even the cyber security obligations of law firms in India has significantly increased and various stakeholders, including companies and law firms, must keep in mind the international legal issues of cyber security.

The Companies (Management and Administration) Rules, 2014 (PDF) also prescribe many techno legal and cyber security obligations upon the directors of a company. The directors must be well versed with the techno legal regulatory provisions under the Companies Act 2013 and other technology laws of India.

The cyber security trends in India 2016, provided by Perry4Law Organisation (P4LO), have also indicated that various corporate stakeholders would be required to comply with cyber law and cyber security related obligations in the near future. As on date, companies and directors are not complying with the cyber law and cyber security obligations as prescribed by Indian laws and regulations.

As the cyber law and cyber security obligations of the directors of companies operating in India have been clearly mandated by various laws of India, it is in their own interest to ensure their due compliance.