By Anuradha Gandhi and Shantam Sharma
In an age where technology pervades every aspect of business and life, has emerged as a paramount concern for companies and investors alike. Recognizing the critical need for transparency and risk mitigation, the Securities and Exchange Board of India (SEBI) recently introduced significant amendments to the SEBI (Listing Obligations and Disclosure Requirements) (Second Amendment) Regulations, 2023. Among these amendments, sub-clause 27(2)(ba)1 stands out as a pivotal development, mandating the disclosure of cybersecurity incidents, breaches, or loss of data and documents in the Corporate Governance report, to be submitted quarterly to the stock exchanges. This article delves into the implications of this new regulation and its importance in the context of India’s financial markets.
SEBI (Listing Obligations and Disclosure Requirements) (Second Amendment) Regulations, 2023
As technology continues to evolve, companies increasingly rely on digital systems, making them vulnerable to cyber threats. Cybersecurity incidents and breaches have become a pressing concern, as they can disrupt operations, tarnish reputations, and even impact financial performance. According to a recent report by IBM and Phenom Research Institute2 , Indian companies incurred an average loss of Rs 17.6 crores in the fiscal year 2021-22 due to data breaches. With 29,500 reported breaches in India during the same period, it is evident that cybersecurity incidents are a grave concern. The repercussions of cybersecurity incidents are multifaceted. Financial losses, reputational damage, and operational disruptions can have a lasting impact on a company’s bottom line.
In light of the escalating threat landscape, transparency regarding cybersecurity incidents is crucial. Investors, stakeholders, and the broader financial market need to be informed about the associated risks and potential impacts on listed entities. This information is essential for making well-informed investment decisions and safeguarding the interests of the shareholders and investors.
Understanding the Amendment
The new amendment introduces sub-clause 27(2)(ba) into the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 20153 . This sub-clause mandates that listed entities disclose details of cybersecurity incidents, breaches, or loss of data or documents in their quarterly Corporate Governance Report (CGR). This regulation came into effect from July 14, 2023, and is a proactive step by SEBI to enhance transparency and safeguard the interests of investors and stakeholders.
Stock Exchange Implementation
To facilitate compliance with this regulation, India’s top stock exchanges viz. the Bombay Stock Exchange (BSE)4 and National Stock Exchange (NSE)5 with over 5,000 and 2,000 listed entities respectively, has introduced new reporting fields in the Corporate Governance Report utility. These fields include:
- Introduction of Disclosure Format: The NSE and BSE have taken proactive steps to facilitate compliance with SEBI’s new cybersecurity disclosure requirement. They have recently introduced a standardized format for the disclosure of cybersecurity incidents in the CGR
- Timely Reporting: Listed entities are required to submit the CGR to the stock exchanges within 21 days from the end of each quarter. This ensures that the reporting of cybersecurity incidents is timely and aligned with financial reporting cycles.
- Fields Introduced: To ensure consistency in the disclosure of cybersecurity incidents across listed entities, NSE and BSE, in consultation with SEBI, have introduced specific fields in the existing CGR format. These fields include:
1. Details of Cyber Security Incidence: Whether there have been any cybersecurity incidents, breaches, or data/document losses during the quarter, as per Regulation 27(2)(ba) of SEBI LODR Regulations, 2015.
2. Date of the Event: A field to specify the date when the cybersecurity incident occurred.
3. Brief Details of the Event: This field allows listed entities to provide a concise description of the cybersecurity incident or breach.
These changes in the XBRL utility became effective for the quarter ending on September 30, 2023, and for all subsequent quarters, making it imperative for listed entities to prepare for these changes and ensure compliance with the reporting requirements.
Why This Amendment Matters?
In light of the growing awareness regarding data security and protection, SEBI’s and the stock exchanges’ collaborative efforts hold great significance:
- Enhancing Transparency: The disclosure of cybersecurity incidents fosters transparency, enabling investors to make informed investment decisions. It helps them gauge the potential risks associated with the listed entity.
- Mitigating Cybersecurity Risks: Mandatory reporting encourages companies to adopt robust cybersecurity practices and respond effectively to incidents. This proactive approach can minimize the impact of cyber threats.
- Regulatory Vigilance: SEBI’s commitment to strengthening the regulatory framework reflects its dedication to maintaining the integrity and credibility of India’s financial markets.
- Timely Awareness: The requirement for timely reporting within 21 days from the end of each quarter ensures that relevant information about cybersecurity incidents is disseminated promptly to the market.
- Investor Confidence: Such standardized reporting bolsters investor confidence by providing clear and timely insights into cybersecurity risks, fostering informed investment decisions.
- Global Trend: The imperative for cybersecurity transparency is not unique to India. Several countries have recognized the critical importance of disclosing cybersecurity incidents:
1. Australia: The Australian Securities Exchange (ASX) Listing Rules, Schedule 3, Clause 18.7, mandates disclosure of material cybersecurity incidents.
2. European Union: The General Data Protection Regulation (GDPR), under Article 33, requires the reporting of personal data breaches to relevant authorities within 72 hours.
3. United States: The Securities Exchange Act of 1934, under Section 13(a), requires publicly traded companies to disclose material information, including cybersecurity incidents.
In a world driven by technology, cybersecurity is not just a buzzword; it is a fundamental aspect of modern business operations. Listed entities now stand at the crossroads of responsibility, where embracing robust cybersecurity practices and diligently reporting incidents are not just regulatory mandates but essential safeguards for their operations and reputations. By promptly adapting to these changes, companies can protect their businesses from emerging cyber threats, provide investors with a clearer risk profile, and ultimately, contribute to the resilience and trustworthiness of India’s financial ecosystem. As we navigate the complex intersection of finance and technology, SEBI’s amendment underscores the importance of proactive cybersecurity measures, positioning India’s listed entities on the path to a more secure and transparent future.
1 Available at: https://www.sebi.gov.in/legal/regulations/jun-2023/securities-and-exchange-board-of-india-listing-obligations-and-disclosure-requirements-second-amendment-regulations-2023_72609.html
2 Available at: https://www.ibm.com/reports/data-breach
3 Available at: https://www.sebi.gov.in/legal/regulations/jan-2022/securities-and-exchange-board-of-india-listing-obligations-and-disclosure-requirements-regulations-2015-last-amended-on-january-24-2022-_55993.html
4 Available at: BSE Circular No. 20230929-26 dated 29 September 2023
5 Available at: NSE Circular No. NSE/CML/2023/69 dated 29 September 2023