Cybersecurity in Infrastructure Development

Addressing Digital Vulnerabilities in Large Scale Projects

India has embarked on multiple large investment projects to achieve self-sufficiency in services, manufacturing, logistics, supply chain, and transportation. Many of these projects have been completed on time and at much lower, globally competitive rates. The COVID-19 period witnessed a significant shift in business operations, moving from physical to digital environments. As a result, numerous development activities are now planned and executed on digital platforms, reducing operational costs and the time required for planning and operating infrastructure projects. However, this shift has also given rise to new challenges related to cybersecurity.

The Ministry of Statistics and Program Implementation monitors infrastructure projects worth INR 150 crore and above. It was announced that out of 1,817 projects, 458 reported cost overruns and 831 were delayed. The total cost overruns for these 458 projects amount to more than INR 5.71 lakh crores as of May 2024. Additionally, many projects have experienced delays of up to 60 months, with the average time overrun for the 831 delayed projects being 35.1 months. Reasons for these delays include land acquisition, environmental clearance, financial issues, contractual and internal issues, manpower shortages, litigation, and digital transformation challenges.

Major companies involved in large project implementation create centralised dashboards to monitor progress. These dashboards are vulnerable to cyberattacks in numerous ways, with hackers relentlessly seeking out these vulnerabilities. A cyberattack is a malicious effort that seeks to damage data, steal data, or disrupt an organisation's business operation, usually for financial gain.

Supply chain vulnerabilities encompass weaknesses in software or hardware components crucial for government and business operations. These enterprise systems are not standalone islands; they are integrated with suppliers, contractors, service providers, and other third parties essential for their operations. These parties collectively form what is commonly referred to as an 'extended enterprise'. They engage in extensive digital data sharing and rely on interconnected systems, which exposes the organisations involved to cyber risks originating from third parties. Managing cyber risk in this complex ecosystem is challenging, as each third party operates with its own set of vulnerabilities. Consequently, ensuring robust cyber risk management becomes critical, especially for large-scale projects heavily reliant on third-party collaborations.

Cybersecurity oversight

Companies today face numerous challenges, including cybersecurity. Board directors have the difficult task of preparing businesses to handle crises. In past decades, risk management was mostly left to the senior leadership of a business organisation. Today, the prevalence of risk in everyday business operations makes it imperative for the board to factor in risk as an integral part of organisational strategy. Senior leaders are often quick to understand the strategic advantages of taking risks, but they struggle to balance the degree of risk versus the potential reward. This is where the board's role comes in. While the board should not take a direct role in managing risk, they must provide risk oversight to management and address corporate issues that affect risk. Boards must ensure that cyber risk management becomes an integral part of the organisation's culture, strategy, and day-to-day business operations.

The growing dependence on Information Technology for business operations and developing new businesses has made the management of cyber risk a key element of enterprise risk management.

The increasing frequency of cyberattacks that are capable of creating unprecedented levels of financial, reputational, and operational damage to an organisation has virtually forced cyber risk management to the forefront of the corporate board agenda.

Many directors have expressed concern in interviews about their effectiveness in overseeing cybersecurity. The dual challenge of ever-evolving risks and constant regulatory changes makes the task more difficult. Companies rely on the board for guidance and oversight on various cyber risk-related issues, and directors need to build on their experience and stay up-to-date to ensure effective cyber risk management.

Board directors should apply the same approach they use for other business risks when overseeing a company's cyber preparedness. A risk preparedness strategy should address cultural issues, emphasising that cybersecurity is not just an IT concern but a company-wide business issue. When establishing such a framework, the board should hire the right people and address policy and process issues. This ensures that when a cyber-incident occurs, the company has the right team to respond with planned protocols to mitigate negative consequences. Preparing the company for such situations involves both initial and recurring expenditures. For companies involved in infrastructure projects, day-to-day operational cybersecurity is also crucial. Thus, it is not a one-time effort but an ongoing commitment.

SEBI has been cautious, yet proactive in implementing regulations to build cybersecurity resilience in boardrooms. The first official circular on the cybersecurity and cyber resilience framework for stock exchanges, clearing corporations, and depositories was issued on July 6, 2015. On April 1, 2019, SEBI introduced a clause in the LODR regulations, requiring boards of directors to define the role and responsibility of the risk management committee to include cybersecurity. On May 5 and May 10, 2021, SEBI introduced a schedule for identifying internal and external risks related to cybersecurity and mandated business responsibility and sustainability reporting by listed companies. SEBI has introduced other regulatory requirements from time to time. On July 15, 2023, SEBI mandated that listed entities submit a quarterly compliance report on corporate governance, detailing cybersecurity incidents, breaches, or data loss.

Naturally, these new regulations have created a need for cyber experts on company boards. Given the relatively new and evolving nature of this threat, it is essential to integrate cyber experts into strategic planning and legal compliance. The main issue before the board is to consider the question: If a company does not invest in cyber security, can it justify a loss if there is a critical cyber-incident?

Author


Pradeep Chaturvedi

Vice President - Institute of Directors

He is former Advisor FAO & former Chairman, Institution of Engineers, Delhi. He is a Mechanical Engineer & has been involved with Environment & Energy Policy (planning & implementation) of energy projects under the UN Agencies for over three decades in India & other Asian and Pacific countries. He is Vice-President, World Environment Foundation & Institute of Directors, India.

Owned by: Institute of Directors, India

Disclaimer: The opinions expressed in the articles/ stories are the personal opinions of the author. IOD/ Editor is not responsible for the accuracy, completeness, suitability, or validity of any information in those articles. The information, facts or opinions expressed in the articles/ speeches do not reflect the views of IOD/ Editor and IOD/ Editor does not assume any responsibility or liability for the same.
