The undersigned has been highlighting the need for Directors of Companies and the CEO to take responsibility for Cyber Security in an organization. Section 85 of ITA 2008 as well as Section 79 has clearly laid out the need for “Due Diligence” without which Directors of Companies may find themselves saddled with civil and criminal liabilities.
The infamous Baazee.com litigation dragged the CEO Mr Avnish Bajaaj to a Court battle which prolonged for 8 years. Though he escaped conviction because of a technical error by the Police which in reasonable probability could be deliberate, the need for due diligence at Board levels was well emphasized in the process.
This article in Forbes titled “Boards are still Clueless about Cyber Security” highlights that even in US the level of Board attention on Cyber Security is still lacking. According to a Carnegie Mellon report,
71% of their boards rarely or never review privacy and security budgets
79% of their boards rarely or never review roles and responsibilities
64% of their boards rarely or never review top-level policies
57% of their boards rarely or never review security program assessments.
If this is the situation in a Compliance sensitive corporate community like US, one can imagine that the status in India can be pretty bad.
The undersigned has a personal experience of how the well known CEOs of ICICI Bank, Axis Bank and PNB have shown absolute incompetence and arrogance in understanding the cyber security risks which have landed some of their customers in trouble when confronted with complaints on Phishing and other frauds. It is only when one or more of such celebrity CEOs find themselves confronting FIRs like Avnish Bajaj, they will realize their true responsibilities. However as the wheels of justice grind slowly, it is possible that these executives may be long retired when law tries to catch up with them. However, if law can catch up with a retired executive like the Coal Secretary Mr Parakh, may be one day law will also catch up with the current CEOs of Banks who are playing with Customer’s lives by adopting a commercially motivated risky banking policies.
It is high time that the Boards of all IT user organizations to start devoting some attention on Cyber Security before it is too late.