India does not have a dedicated cybersecurity law. The Information Technology Act 2000 (the IT Act) read with the rules and regulations framed thereunder deal with cybersecurity and the cybercrimes associated therewith. The IT Act not only provides legal recognition and protection for transactions carried out through electronic data interchange and other means of electronic communication, but it also contains provisions that are aimed at safeguarding electronic data, information or records, and preventing unauthorized or unlawful use of a computer system. Some of the cybersecurity crimes that are specifically envisaged and punishable under the IT Act are hacking, denial-of-service attacks, phishing, malware attacks, identity fraud and electronic theft.
With the rise of digital payments, cybercrimes involving payment transactions in the online space have significantly increased and become complex. While the RBI has been active in requiring companies operating payment systems to build secure authentication and transaction security mechanisms, given that these payment companies often offer real-time frictionless payments experiences to their consumers, it leaves less time for banks and other entities operating in the payment ecosystem to identify and respond to cyber threats. In light of the above, there is an increased need to identify and develop cybersecurity standards commensurate with the nature of information assets handled by them, and the possible harm in the event of any cybersecurity attack, to ensure that these emerging risks are mitigated.