LEGAL FRAMEWORKS FOR ADDRESSING CYBERSECURITY RISKS IN THE SUPPLY CHAIN

This article is written by Sangamithirai V. of Chettinad School of Law, an intern under Legal Vidhiya

ABSTRACT

As cyber security risks in the supply chain increase, there is a consequential evolution of India’s legal framework to tackle threats digitally. The Information Technology Act, 2000 is the primary law governing cybersecurity which provides enabling framework for e-governance and electronic records. This might include sector-specific regulations like that of the RBI but also, more generally; this Law often contains outdated provisions and is too vague to allow for effective implementation against modern cyber threats. Indian government had witnessed the importance for cybersecurity laws long ago to bring comprehensive reform. Recent examples of massive data breaches implicating millions, reveal it all in black and white that the present model has become untenable. And while the Supreme Court recently held that cybercrimes are covered under both of these statutes, their reliance on older laws arguably only further confuses compliance and risk management for organizations working to navigate this legal landscape. Incident response and monitoring —The Indian Computer Emergency Response Team (CERT-In) with other key stakeholders such as the National Cyber Coordination Centre (NCCC), have been established to monitor, report on security problems in India’s cyberspace under the guidance of Ministry Of Electronics & Information Technology (MEITY). Yet their performance has been questioned due to India’s fragmented cybersecurity rules which differ from one sector of the economy to another, such as banking or telecoms or health.

KEYWORDS

Cybersecurity, IT Act 2000, Business, Supply Chain, Risk Management

INTRODUCTION

Cybersecurity risks associated with supply chains have been gaining centre-stage importance as India leaps closer to becoming all-digital. In a globally interconnected world, the vulnerability in one part of the supply chain sends ripples to affect businesses and consumers alike. The Indian government realises that this, and has therefore introduced numerous legal frameworks aimed at strengthening cybersecurity for critical information infrastructure.

IT act forms the bedrock of cyber security laws in India It provides the legal infrastructure for electronic governance (apart from defining cybercrimes) in India. The Act also provides for the setting up of a Computer Emergency Response Team (CERT-In) tasked with of responding to cybersecurity incidents and issue guidelines, advisories as well. The objective of National Cyber Security Policy is to create a framework for securing the information infrastructure in cyberspace. The NDF also underlined the necessity building capacity, public-private partnerships as well as establishing a strong legal framework to handle cybersecurity threats.

The Intermediaries Rules lay down rules for digital media companies, and platforms such as social media and OTT services. These include provisions for data protections, protection of user privacy and mechanisms to address complaints by users all lead toward securing cyberspace in digital transactions.

Specific regulations bind a multitude of sectors such as banking, telecommunications and energy to comply with the regulation that requires them all to have security policies. The Reserve Bank of India (RBI) has come out with a policy for banks to ensure secure systems while the Department of Telecommunication (DoT) has directed telecom operators to adhere by security protocols.

RESEARCH OBJECTIVES

• Nature of Cybersecurity Risks
• Risks Within Third-Party Software and Hardware
• Effect on Indian Supply Chains
• Consequences of  Shoddy Manufacturing Practices
• Key Cybersecurity Provisions
• Risk Management Strategies for Indian Supply Chains
• Future Directions for Cyber security

RESEARCH QUESTION

How can India strengthen its legal framework to address emerging threats in supply chain cybersecurity?

RESEARCH METHODOLOGY

The research methodology adopted in this paper is purely doctrinal in nature. Doctrinal research, also known as library-based research, involves exploring existing legal provisions, precedents, and scholarly works. It provides insight into theoretical and conceptual aspects of law through a systematic exposition of legal doctrines and principles. Primary sources driving doctrinal research include statutes, court decisions, and authoritative texts. Secondary sources such as commentaries, articles and digests are also examined. The process involves identifying, compiling, and critically analyzing these sources to derive logical conclusions and offer perspectives on issues under review. Through doctrinal research, this paper aims to deliver a thorough, coherent comprehension of the applicable legal framework. The methodology’s comprehensive study of sources and contextual analysis facilitates development of a unified perspective on the research question. By synthesizing diverse materials and viewpoints, doctrinal research constructs a balanced interpretation of the subject matter.

NATURE OF CYBERSECURITY RISKS

Interlinkages in Supply Chains- Indian supply chains have tight linkages and if one part is breached, it can affect the entire chain. Everyone knows that cybercriminals often target the less-secure links in a supply chain (smaller third vendors with fewer resources to pour into cybersecurity) as stepping stones to more secure entities.

TYPES OF CYBER THREATS

Ransomware Attacks Ransomware attacks encrypt important data makes it until a payment is made. These sectors are particularly vulnerable to such attacks, which have real potential disrupt operations at great scale.

Phishing attacks: Cybercriminals trick employees through deceptive emails to disclose sensitive information, consequently allowing access and data theft.

Supply chain attacks: attacking the weaknesses in supplier and partner networks. Including large-scale incidents like the SolarWinds breach that led to break-ins in thousands of organizations by forcing them all through targeted software updates.

Negative Effects of Cyber Attacks: The impact of cyber breaches may result in leaked data, financial fraud, and reputational or operational disruption. The 2013 Target breach, that affected millions of customers and cost the company millions more was a result of vulnerabilities in security with one if its third-party suppliers.

EFFECT ON INDIAN SUPPLY CHAINS

This new type of reliance has also expanded the risk landscape for Indian companies due to remote devices being accessed beyond a previously defined perimeter. Many reports reveal that approximately 40% of cyber-attacks take root in the extended supply chain. The COVID-19 pandemic has also driven digitalization at an even faster pace, along with headline reports that cybercrime may grow by 600% post-pandemic.

These threats need to be met head-on with comprehensive cybersecurity practices that organizations can implement:

Risk assessments: Comprehensive review and evaluate security posture of third-party vendors to detect vulnerability predictions. This scales up to audits and compliance checks.

Employee coding: Conduct continuous training with employees to teach them about cybersecurity threats, including phishing and ransomware schemes.

Segment Access with Business Data Plans Use multi-factor authentication (MFA) to increase safety protocols.

Plan for incidents: Create and maintain effective incident response plans so any future breaches can be responded to as quickly as possible. This comprises penetration testing and simulations to simulate possible attacks.

Collaboration & information sharing: Interact with industry alliances for threat intelligence and best practices that provide a shared defense against cyber threats.

Tech-spend: Spend on technology modernization and enhancing cybersecurity infrastructure, with an increase in cyber budgets amongst organizations based in India.

RISKS WITHIN THIRD-PARTY SOFTWARE AND HARDWARE

Malware Injection Adversaries may modify third-party software by inserting malicious code which will cause the organization to be compromised later on. This tends to happen through compromised updates or downloads — an eventful example of which occurred in the case of the July 2021 Kaseya VSA attack, where software supply chain attackers included malware with a security update; encrypting customer data and demanding ransom.

Interconnected supply chain: Another virtue of being interconnected is that vulnerabilities in one vendor’s system have resulted in breaches at others. An example from the SolarWinds breach: attackers leveraged trust-based relationships to impact a wide-scale number of organizations.

Data breaches: Third-party vendors with lax security may inadvertently expose sensitive customer data. The Target data breach in 2013 started after hackers first broke into the retailer using credentials stolen from a third-party vendor and thus managed to skim tens of millions credit card numbers. Third-party vendors can expose organizations to legal and regulatory risks if the business fails to comply with data protection regulations. This lack of compliance can haunt a company for years, like in the case with Uber’s 2016 data breach where fines were sought because they failed to report a third-party-data breach.

The security threats that this investigation revealed seem to confirm fears about misconfigurations and or outdated patches, considering the events earlier on Patch Tuesday. Moreover, failure to patch means there are attack surfaces left open for exploitation, with threat actors continually scanning the internet looking for unpatched vulnerabilities they can use.

To mitigate such risks, businesses need frameworks for managing these third-party relationships:

Assessment of Vendors: Make sure to assess all your third-party vendors and have a thorough understanding regarding their cybersecurity measures, this can give you an idea on what links they possess the ability to provide.

The Principle of Least Privilege (polp): Allow third-party access only to the least functionality necessary for enumerating that role, in order to minimize potential attack surface when a vendor gets hacked.

Also, adequate management controls such as continuous monitoring of traffic with third parties, network activity etc. to help detect and respond in real time for any attacks Japgolly Configure-access-controls-in-the-cloud.

COUNTERFEIT COMPONENTS: A RISING CONCERN

Counterfeit electronic components are an emerging and critical issue in the supply chain at the global level. The order of the parts mostly comes from China, and other nations present a grave threat to performance, safety, and reliability.

Counterfeiting occurs in electronics and accounts for a significant portion of the global market for counterfeit goods.

Dangers of Counterfeit

Counterfeit components can result in the following major issues:

• performance degradation: Specific and inferior materials and craftsmanship used in component manufacturing may result in early failure.
• safety hazards: The components are generally sub-par and increase the risk of fire, shock, or inappropriate operation, substantially in sensitive applications of healthcare.
• financial losses: when the imitation component fails, it must be replaced, and the lost capital may be higher than buying the real component.
• damaged credibility and brand: Destroys the company’s identification and could cost suits fines and reduce the business.

Methods of Avoiding the Counterfeit Risk Factors

• Companies and businesses should take the following measures to minimize the problem risk
• Can buy items just from reliable, certified vendors who can identify the part’s original maker and guarantee originality.
• Be vigilant in qualifying suppliers and inspecting their sites often to guarantee they supply genuine elements.
• Examine the goods visually, through x-ray or some other methodology, and create superior values to identify counterfeiting goods. Creating confirmation and validation databases to evaluate suppliers and equipment, community support, open sources.

CONSEQUENCES OF  SHODDY MANUFACTURING PRACTICES

Poor quality standards: lots of Indian manufacturers still do not follow a strict quality pattern, thus the product varies greatly. Such inconsistencies can lead to faulty products reaching the market, damaging consumer safety and brand reputation.

Inadequate training: Employees often lack the proper training in protecting and controlling quality. This lack of domain results in production errors because workers are unaware about best practices, or quality standards.

Poor communication: Lack of communication among members on a manufacturing team can lead to quality problems. Incomplete and delayed feedback about mistakes or quality errors, frequent repetition of the same error or unresolved issues.

Inadequate supplier management: In many cases, businesses will not fully screen their suppliers and they collaborate with manufacturers that may lack a focus on quality control. Not overlooking heavily on the supplier can result in a poor-quality material or component added to production.

Environmental and safety violations: Most of the factories in India do not follow all environmental regulations that more often result into unsafe working circumstances as well inferior quality. Such as wrong waste management practices contaminating products and harming people working with it.

Hiccup 3 (rushed production): Indian manufacturing often suffers from scheduling issues, which means you would be operating your line with a tight deadline coming up that makes for rushed production. This drives an urgency that in turn can result to compromised quality, just so the manufacturers can deliver orders timely.

Compliance impact: They might not be meeting international quality, standard of hygiene or, even local regulations opening them up to litigation and severely limiting market access. Failure to comply can also lead to recalls or market bans.

To remedy these quality control failures, organizations should implement the following best practices:

• Develop effective training programs: Creating a series of regular training sessions for your staff about quality standards and practices can result in positive quality control outcomes.
• Strengthen supplier audits: Multi-view audits on all suppliers to ensure quality standards and ethical practices are upheld. It assesses their quality management systems and conformity with regulations.
• Communication: Develop ways for quality issues and feedback to effectively communicate through all stages of production.
• Adopt QMS: Employ the right quality management systems (QMS) to manage and report on how well product is functioning/resulting so that ongoing improvements are made to maintain top-notch standards.
• Environmental compliance: Make sure its manufacturing practices meet environmental regulations to prevent contamination of the products and keep workers safe.

KEY CYBERSECURITY PROVISIONS

Cybercrimes laws

The crimes defined in the Act).[34] including unauthorized access to computer systems and data theft (these are covered by section 66[1][35]); identity fraud (such as when somebody accesses another’s email account without permission,[36][37]) phishing, and violating privacy) is also punishable crime with imprisonment or fine or both under Information Technology RulesA system administrator may be liable for prosecution if he indirect involves himself in case Privacy (Section 66C[2]); publishing private photographs of others.) It provides for penalties on these offenses and hence make the cyber space safer.

Intermediary liability: The Act puts down the liabilities of intermediaries (ISPs or online platforms) for content provided by their user base. It defines a framework for the liability of intermediaries in cyber offences by users.

Data scraping and monitoring: Section 69B [3]gives the government powers to authorize any agency of the state for enhancing cybersecurity by collecting traffic data are designed increase national security and prevent cyber threats.

Protected systems: As described in Section 70[4] the government can notify/specify that specific computer systems are “protected systems” means such class of computer resource as may be notified by the appropriate Government.

Adjudication and appeals: This ensures a well-defined legal process dealing with cybersecurity issues by providing for adjudicating officers and appellate tribunals to handle disputes pertaining to cyber offenses under the act.

Cyber regulations appellate tribunal: The Tribunal is constituted to entertain appeals against orders of the adjudicating officers, thus providing for redressal in cases of cybercrimes.

Data protection and privacy: It is aimed at protecting sensitive electronic data and maintaining structure, but has been widely criticized for not including more intellectual property measures.

Penalties for disclosure of confidential information: Penalties for disclosure of confidential information are laid down in the Act, and this enshrines a breach of respect to privacy.

The National Cyber Security Policy, 2013 [5]is a measure for enhanced security posture of the country and its associated information infrastructure. The policy lays out primary objectives and strategies.

OBJECTIVES OF SECURING THE CYBER ECOSYSTEM

• Build confidence and trust in electronic transactions via establishing secure computing environment.
• Information and Infrastructure Security:
• Protect personal, financial and national data from cyber threats.
• Capacity Building:
• Train a workforce of 500,000 cyber experts within five years to boost national capability.
• Regulatory Framework:
• Underpin existing guidelines to adhere with external security groups and best practices.
• Strengthening of Critical Information Infrastructure:
• Establish an (NCIIPC) National Critical Information Infrastructure Protection Centre operating on a 24×7 basis, to protect the critical infrastructure.

BANKING SECTOR RELATING TO CYBER SECURITY

1. Reserve Bank of India (RBI) Guidelines

• The RBI has established a comprehensive Cyber Security Framework applicable to all scheduled commercial banks. This framework mandates banks to implement robust cybersecurity measures, including:
• Risk Management: Regular risk assessments and audits to identify vulnerabilities.
• Incident Reporting: Banks must report cyber incidents to the RBI and CERT-In within stipulated timeframes.
• Cyber Crisis Management Plans: Banks are required to develop and maintain plans to manage cybersecurity incidents effectively.
• Board Oversight: The board of directors must ensure that cybersecurity policies are in place and regularly reviewed.

2. Information Technology Act, 2000[6]

1. Under the IT Act, banks must adhere to reasonable security practices to protect sensitive personal data. Violations can lead to penalties, including fines and imprisonment.

TELECOMMUNICATIONS SECTOR

1. Department of Telecommunications (dot) Regulations

• Telecom service providers must implement security measures to protect user data and ensure the integrity of their networks. Key requirements include:
• Network Security: Providers must have policies for network security management, including risk assessments and penetration testing.
• Privacy Protection: Measures to prevent unauthorized interception of communications must be in place.

2. Licensing conditions

• Telecom licenses require adherence to specific cybersecurity standards, including compliance with international security benchmarks like ISO/IEC 27001.

ENERGY SECTOR

1. National cyber security policy

• This policy emphasizes the protection of critical information infrastructure, including energy systems. It aims to create capacities to mitigate vulnerabilities and respond effectively to cyber incidents.

2. Critical infrastructure protection

• The energy sector must comply with guidelines set by the National Critical Information Infrastructure Protection Centre (NCIIPC) to safeguard critical infrastructure against cyber threats.

3. Regulatory compliance:

• Energy companies are required to implement cybersecurity measures that align with national standards and frameworks, ensuring the protection of operational technology and data integrity

RISK MANAGEMENT STRATEGIES FOR INDIAN SUPPLY CHAINS

Risk identification and assessment: Perform wide-ranging risk assessments to uncover the co-dependencies that may exist across suppliers and other aspects of transporting products as well as those related to regulations compliance, environmental factors etc. The evolving risk landscape needs to be kept in mind, for which regular assessments go a long way.

Supply chain mapping (visibility into your supply base):Map out your supply chain at a high level to include all of the possible suppliers and critical dependencies. Tracking and monitoring systems improve visibility which in turn helps anticipate disruptions early on.

Supplier risk management: Assess and track supplier performance on financial strength, quality management and business continuity plan This allows us to identify the risks of our suppliers in time, as they are audited on a regular basis.

Diversification and Redundancy: Diversify by leveraging multiple suppliers or sources in case of dependence on single source/supplier/region. Secure alternate suppliers and consider strategic component part stocking programs to maintain continuity of supply during disruptions.

Robust contract management: Have robust contracts with suppliers stating expectations, KPIs and penalty clauses in case of non-compliance. This is to help organize relationships and expectations appropriately.

Cooperation and Exchange of Information: Enable all supply chain partners to participate in problem solving and information sharing. This delivers more visibility on risks and greater clarity on how to resolve them together.

Digitalization & technology integration: Use technologies such as IoT, blockchain and predictive analytics in order to increase visibility into supply chain risks so that you can monitor them more closely, adjust when necessary. It can allow a much faster response to disruptions when digitalization is implored.

Inventory management: Utilize principles of lean inventory management, such as JIT systems with buffer stocks for critical components. This minimizes overstock but enables their readiness to avert any disruption.

Crisis management & business continuity planning: These may include disaster recovery and crisis management plans that explain the response required in different types of business interruptions. Drilling on these plans and keeping them up-to-date may help preparedness.

Regulatory compliance: Follow industry-specific rules and standards such as those from the Reserve Bank of India (RBI) for banking or Telecom Regulatory Authority of India (TRAI) in telecom industries. Safeguard compliance and prevent legal & operational risks.

External risk management: There is a risk preparedness in assessing the environmental risks, which would be natural calamities or climate change due to supply chains. Strategies to deploy, such as Mult sourcing and nearshoring to maintain service I levels.

Ongoing monitoring and reassessment: Establish KPIs to monitor supply chain on a continuous basis. Keep your risk management strategies up to date based on experience learnt through monitoring practices.

FUTURE DIRECTIONS FOR CYBER SECURITY

Data protection legislation: Requires a separate data protection law, in addition to the existing cybersecurity guidelines. This should include legislation with specific requirements around data handling, permission and disclosure of breaches so that companies are maintaining a high level security of their supply chains.

Strengthening the IT Act: Modifications to the Information Technology Act 2000 would need modifications too in order that they are capable of tackle modern threats associated cybersecurity. The four broad areas proposed to be revisited are defining cybercrimes, multiplying the penalties for violations and enabling provisions against future threats like ransomware attacks and supply chain breaches.

Sector-specific regulations: Given that disparate sectors are confronted by their own sets of cybersecurity woes, additional legislation may bring industry-specific laws requiring these verticals like banking or telecommunications to comply with a more stringent level of security protocols. For example, this can include stricter compliance requirements and routine audits.

Enhanced role of CERT-IN: CERT-In to have a larger role in incident response, threat intel sharing Soon organizations may be required to report cybersecurity incidents immediately to CERT-In and follow the incident management best practices.

Cyber Security Frameworks for Supply Chains: We must develop frameworks for managing cyber supply chain risks. There is a potential for future legislation to mandate organizations implement risk management protocols, regularly conduct assessments and hold their third-party vendors accountable in terms of cyber security standards.

More focus on compliance and accountability: Upcoming rules will concentrate on responsibility about cybersecurity guidelines within organizations. This should involve assigning chief information security officers (CISOs) and instituting well-defined responsibilities for cybersecurity governance.

Public-private partnerships: To create successful cybersecurity strategies, it will be necessary to foster a partnership between governmental offices and private-sector corporations. Upcoming legislation might encourage the spread of intelligence and best practices on threats to build greater defensibility in numbers.

Spending on cybersecurity infrastructure: This can range from providing incentives for organizations to better invest in cutting-edge cybersecurity technologies and training programs, potential legislative measures. The idea being an apprenticeship could create a trained workforce able to respond proactively with ever-evolving cyber threats.

International cooperation: This might lead to international cooperation on legislation against cyber threats since they are mostly transnational. This involves international norm setting & joint initiatives to counter cybercrime.

CASE LAWS

1. The Supreme Court in this case has made it very clear that their Tata Consultancy Services v. State of Andhra Pradesh [2005]: [7]is a need for data protection and cybersecurity especially when an electronic commerce or the digital transactions are between two foreigners but based into India. Mapping in Delhi However the Supreme Court decided that adequate security measures were necessary to protect sensitive information.
2. Shreya Singhal v. Union of India (2015)[8]: Though rooted in the right to freedom of speech, this seminal judgement underscored the importance for online platforms to work with responsibility — adding weight against unchecked data-sharing safeguards through digital outlets and indirectly casting an impactivity over supply chain cybersecurity needs.
3. K.S. Puttaswamy v. Union of India (2017):[9]An important case as it sealed the fundamental right to privacy, leading to increased obligations by companies when handling personal data in their supply chain regarding stringent cybersecurity measures.

CONCLUSION

India’s legal framework to counter cybersecurity risks through the supply chain becomes important at a time when digital vulnerabilities and threats are only rising. The Information Technology Act of 2000 continues to form the backbone for addressing cybercrime and safeguarding data, supplemented by newer laws like Digital Personal Data Protection Act 2023. Problems confront however, with the outdated provisions and fragmented regulations that adds burden to business in order for them to comply. However, the implementation of these laws is complicated by a swiftly changing cyber-threat landscape that demands constant updating and adaptation to make them meaningful. Recognition by SC of cybercrimes within the scope of current statutes has accentuated translation into updated and clearer legal definitions, punishment etc. Likewise, the absence of a standardized way cybersecurity laws are being enforced could result in enforcement-levels to be fragmented and offer little security for companies. Consequently, for businesses operating within India’s supply chains adherence to these legal frameworks are not only a regulatory requirement but also most definitely integral in their risk management strategies. Non-compliance puts businesses at risk of significant legal ramifications, as well as financial fines and damage to their name. As a result, organizations need to focus on fully comprehending and deploying secure security practices that meet legal requirements.

REFERENCES

1. Cybersecurity Law, Standards and Regulations (2nd Edition) Authored by Tari Schreider
2. https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf
3. https://www.bitsight.com/blog/7-cybersecurity-frameworks-to-reduce-cyber-risk

---

[1] Section 66 of IT Act 2000

[2] Section 66C of IT Act 2000

[3] Section 69B of IT Act 2000

[4] Section 70 of IT Act 2000

[5] The National Cyber Security Policy, 2013

[6] Information Technology Act, 2000

[7] AIR 2005 SUPREME COURT 371

[8] 2015 AIR SCW 1989 AIR 2015 SC (CRIMINAL) 834

[9] AIR 2018 SC (SUPP) 1841

Disclaimer: The materials provided herein are intended solely for informational purposes. Accessing or using the site or the materials does not establish an attorney-client relationship. The information presented on this site is not to be construed as legal or professional advice, and it should not be relied upon for such purposes or used as a substitute for advice from a licensed attorney in your state. Additionally, the viewpoint presented by the author is personal.