Mandatory Disclosure: Cyber Incidents, CERT-In Reporting, and LODR Compliance
The rising tide of cyber-attacks, evidenced by recent events involving major listed entities such as Tata Motors (JLR data breach), the National Stock Exchange (NSE), and HDFC Bank (digital fraud), underscores the critical importance of transparent and timely disclosure. For a listed entity, compliance means navigating two distinct yet interconnected regulatory frameworks: CERT-In reporting and SEBI LODR disclosure.
The Primary Regulatory Mandate: Reporting to CERT-In
As per the provisions of the Information Technology (IT) Act, 2000, the Central Government appointed the Indian Computer Emergency Response Team (CERT-In) to strengthen national cybersecurity.
CERT-In directions mandate that service providers and corporates must report specific cyber incidents swiftly.
Incidents Requiring Reporting (IT Act, 2000)
You must report incidents to CERT-In if they fall under the following criteria:
Severe Incidents: Cyber incidents of a severe nature, such as Distributed Denial of Service (DDoS), intrusion, or the spread of computer contaminants (e.g., ransomware), impacting public information infrastructure.
Data Events: Data Breaches or Data Leaks.
Frequent or Large-Scale Attacks: Incidents like intrusion into computer resources or websites that are large-scale or highly frequent.
Safety Impact: Cyber incidents impacting the safety of human beings.
Timelines and Confidentiality
Reporting Deadline: The reporting entity must provide available details to CERT-In within 6 hours of noticing the incident.
Data Usage: Crucially, data submitted to CERT-In is not made publicly available. It is used for analysis, awareness, and framing mitigation strategies.
The LODR Challenge: When to Inform Shareholders?
While CERT-In reporting focuses on national cyber defense, the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 (LODR) govern a listed entity’s duty to its shareholders.
The Materiality Test (Regulation 30)
Regulation 4(2)(e) requires disclosure of all material matters. Consequently, any cyber incident reported to CERT-In that is deemed to have a material impact on the listed entity’s operations or financial standing must be disclosed to the Stock Exchanges.
Disruption of Operations: The Key Disclosure Trigger
The relevant disclosure clause falls under Schedule III, Part A, Para B, Point 6, which mandates the disclosure of:
“Disruption of operations of any one or more units or division of the listed entity due to natural calamity or events such as strikes, lockouts etc.”
Applying the interpretation principle of ‘ejusdem generis’ (of the same kind), the word ‘etc.’ would logically include events initiated by individuals that disrupt operations—a category into which many severe cyber incidents (like ransomware or DDoS attacks) squarely fall.
Definition of Disruption: Disruption includes any event that interrupts or impairs the normal functioning of a company’s processes, leading to operational downtime, reduced productivity, service delays, and potential compliance risks (e.g., the potential impact on Tata Motors’ profitability following the JLR incident).
A cyber incident that disrupts operations of the company or its unit(s) is therefore a material event requiring disclosure to the Stock Exchange within 24 hours.
Required Disclosures to the Stock Exchange (Regulation 30(4)(i)(c))
To assess materiality and inform shareholders accurately, the disclosure to the Stock Exchange must include, but not be limited to, the following information regarding the cyber incident:
Expected Quantum of Loss/Damage caused.
Details on whether the loss/damage is covered by insurance, including the amount.
Insurance amount claimed and realized (until normalcy is restored).
Details of steps taken to restore normalcy.
The impact can be analyzed based on the consolidated turnover or Profit After Tax (PAT) of the listed entity.
PKPK & Partners’ Expert View: Confidentiality vs. Compliance
Concerns about disclosing cyber incidents publicly, especially when critical assets are at risk, are understandable.
Our Recommendation: To maintain parity of information and uphold corporate governance standards, disclose the occurrence of the cyber security incident and the required minimum information promptly. Any sensitive information pertaining to the risk mitigation strategy can be updated in a timely manner after the immediate risk has been addressed.
Conclusion: The Dual Compliance Imperative
| Reporting Requirement | Trigger | Recipient |
| --- | --- | --- |
| CERT-In Report | Any severe or defined cyber incident (Annexure I) | CERT-In |
| LODR Disclosure | A CERT-In reportable incident that creates a material impact (disrupts operations) | Stock Exchanges (BSE & NSE) |
PKPK & Partners advises listed entities to treat the cyber incident disclosure framework as a dual compliance requirement. Cyber incidents that meet both CERT-In reporting criteria and the LODR materiality threshold must be disclosed to shareholders, ensuring transparency and adherence to all statutory and regulatory mandates.