With data breaches multiplying in frequency and scale, the importance of addressing cybersecurity at the highest levels of corporate leadership cannot be overstated.
Directors and senior management play key roles in managing cyber-risk through periodic monitoring, supervision, and improvement of security measures.
Management buy-in is also necessary to retain specialist expertise and to deploy security infrastructure commensurate with an organisation’s risk profile. However, despite an emerging global consensus that cybersecurity firmly belongs on board agendas, corporate practice within India has been slow to adapt.
While sectoral regulators such as RBI, SEBI, and IRDA have issued comprehensive guidelines on cybersecurity, including mandating its consideration at board level, these apply only to entities within the respective sector. A vast swathe of large enterprises, not being subject to the jurisdiction of any specific sectoral regulator, is therefore under no legal mandate to address cyber-risk at board level.
Within this context, SEBI’s recent decision to implement the recommendations of the Uday Kotak Committee on Corporate Governance will partially close this gap as far as listed entities are concerned.
The Committee was constituted by SEBI in June 2017 under the chairmanship of Uday Kotak with the aim of improving standards of corporate governance of listed companies in India. The Committee’s final report, released in October 2017, recommended several sweeping changes to the Indian corporate governance landscape including in relation to board size and diversity, the role of independent directors, monitoring of group entities, enhanced disclosure requirements, and improvements to measures for investor protection.
As regards cyber concerns, the Committee acknowledged that cybersecurity is a key priority in safeguarding shareholder interest. The Committee also recommended that the scope and periodicity of core board committees such as Audit, Risk, and Technology be enhanced so as to specifically account for cyber-risk.
In terms of specific proposals, the Committee recommended that the role of a listed entity’s Risk Management Committee be legally mandated to include cybersecurity concerns. In addition, it recommended that the obligation to constitute a Risk Management Committee be extended to the top 500 listed entities (by market capitalisation), a marked increase from the existing top 100.