Information security refers to a broad policy that an organisation must devise to ensure the security of data in its possession, to prevent unauthorised access and use, and mandate confidentiality. Information security is distinct from data protection and privacy, as the former pertains to how body corporates responsibly manage the data in their possession; in contrast, the latter pertains to the right of individuals to protect their data.

In a world where data is the biggest currency and hackers and data breaches constantly threaten companies, information security is a key practice necessary to build trust. Thus, the existence of a policy sensitive to information security forms the cornerstone of modern-day corporate governance and is also imperative from a due diligence perspective.

Information Security in Practice

The company can adopt Information Security by incorporating the necessary provisions in its Code of Conduct. A Code of Conduct is a comprehensive set of obligations and directions that govern the ethical conduct of persons, as well as ensures compliance with various applicable laws. Companies frequently add provisions detailing the treatment of information that is in their possession in their CoC. For instance, companies can add provisions stipulating confidentiality, consequences of breach of such confidentiality, and those that govern data security during interactions with third parties. Such provisions would prevent secured and sensitive data from being accessed without prior authorization.

Information Security and ESG

ESG is a metric that allows investors to measure the company’s management of risks and opportunities around environmental, social, and corporate governance factors. It has been reported that ESG funds in India have witnessed exponential growth in the last four years, from INR 2,268 Cr in March 2019 to INR 12,447 in March 2022.[1] In India, the parameters of ESG for listed companies have been evolving under the direction of the Securities and Exchange Board of India. In 2015, the SEBI, through its circular no. CIR/CFD/CMD/10/201 notified the Business Responsibility Report, which required listed companies to file a report indicating their compliance with the ESG principles notified under Annexure II. [2] In 2022, SEBI, broadening the principles listed in the BRR, introduced the Business Responsibility and Sustainability Reporting regime (BRSR).[3] The BRSR was initially envisaged as a mandatory requirement for the top 1000 listed companies by market capitalization value. Under Principle 9 of BRSR, companies are now required to make disclosures of their cyber security policy to address issues pertaining to digital data breaches.[4] Thus, the cyber-readiness of a company forms a critical variable that determines the investment from ESG funds. Companies, therefore, must adopt nuanced and comprehensive information security provisions in their Codes of Conduct to not just prevent but also to adequately remedy any instance of a data breach.

Information Security and Due Diligence

Due diligence refers to the process of investigation required to determine the level of risk associated with a company being acquired in an M&A transaction. Thus, in the context of information security, due diligence is carried out by the buyer company to verify any cyber security concerns associated with the target company. In 2016, the Marriott Hotel Group announced its acquisition of Starwood Hotels and Resorts. However, while carrying out the due diligence process before the acquisition, Marriott failed to note that Starwood’s database was compromised, resulting in a massive data breach. Consequently, the UK Information Commissioner’s Office imposed a fine on the hotel group for improper due diligence.[5] The above case study underlines the importance of conducting cyber due diligence in the course of critical transactions.

In India, in the context of protecting sensitive information, cyber due diligence investigates compliance with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.[6] Rule 2 defines “sensitive information,” and Rule 4 mandates body corporates to provide a policy to disclose such “sensitive information.” Furthermore, Rule 6 lists the requirements for disclosing such “sensitive information.” Additionally, the Computer Emergency Response Team operating under the aegis of the Ministry of Electronic Affairs, issues guidelines pertaining to information security practices for body corporates. The most recent guidelines were introduced in April 2022, outlining strict timelines for registering complaints and maintaining computer system logs.[7]

Prospective investors enquire about the compliance of body corporates with the guidelines outlined in the above provisions during cyber due diligence. Therefore, incorporating a comprehensive information policy that complies with the requirements outlined in the above rules in the Code of Conduct could be a sure-shot way to those big money investments! Author: Kevin Davis, Research Associate, Law, Rainmaker Directions and Contributions: Akanksha Arora, AVP-Legal, Rainmaker

 References [1] ESG in India [2] Format for Business Responsibility Report (BRR) [3] SEBI Circular on Business Responsibility and Sustainable Reporting [4] Business Responsibility & Sustainability Reporting Format [5] Marriott Hotel Group - Starwood Hotels Data Breach [6] Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 [7] CERT Guidelines, 2022

DISCLAIMER – No information contained in this website may be reproduced, transmitted, or copied (other than for the purposes of fair dealing, as defined in the Copyright Act, 1957) without the express written permission of Rainmaker Online Training Solutions Pvt. Ltd.