NEW DELHI: In a gazette notification dated June 16, 2022, the Government of India has declared ICICI Bank as a “Protected System” under the IT Act.
This matters for a bank: given the system’s criticality and the risks associated with a security breach, it is critical to guarantee that the system is safeguarded both technically and legally.
The current notification means any person who secures access or attempts to secure access to a protected system in contravention of the provisions of this section shall be punished with imprisonment of either description for a term which may extend to ten years and shall also be liable to fine.
The notification reads: In exercise of the powers conferred by sub-section (1) of section 70 of the Information Technology Act, 2000 (21 of 2000), the Central Government hereby declares the computer resources relating to the Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer comprising Structured Financial Messaging Server, being Critical Information Infrastructure of the ICICI Bank, and the computer resources of its associated dependencies to be protected systems.
WHO IS AUTHORISED
The notification authorises access to the protected systems for authorised employees of ICICI Bank, third-party vendors authorised by the bank and regulator, government officials, auditors and stakeholders authorised by ICICI Bank on a case-to-case basis.
PUNISHMENT FOR ATTACK ON CRITICAL INFRASTRUCTURE
However, legal experts told The420.in that any attempt by a person to manipulate and tamper with the critical infrastructure will be considered an act of cyber terrorism. Section 66F(B) of the IT Act says that whoever knowingly or intentionally penetrates or accesses a computer resource without authorisation or exceeding authorised access, and by means of such conduct obtains access to information, data or computer database that is restricted for reasons of the security of the State or foreign relations; or any restricted information, data or computer database, with reasons to believe that such information, data or computer database so obtained may be used to cause or likely to cause injury to the interests of the sovereignty and integrity of India, the security of the State, friendly relations with foreign States, public order, decency or morality, or in relation to contempt of court, defamation or incitement to an offence, or to the advantage of any foreign nation, group of individuals or otherwise, commits the offence of cyber terrorism.
Under this section whoever commits or conspires to commit cyber terrorism shall be punishable with imprisonment which may extend to imprisonment for life.
OTHER CASES OF CYBER TERRORISM
For example, any threat email, hacking, or cyber-attack on the stock exchange, docks, shipyards and other critical infrastructure is considered an act of cyber terrorism. Notably, in April 2022, Bengaluru Police invoked the cyber terrorism provisions in the case of hoax bomb threat emails sent to over 15 schools in the city. This is probably the first time the section has been invoked in connection with a hoax threat case.
The Centre had earlier identified the data repository of UIDAI as a protected system.
“Looking at the recent sophisticated cyber attack, it is high time all the banks and financial institutions get themselves notified as a protected system. Similarly, the control systems of all the electricity, oil, airports, railways, metros and transport systems are critical infrastructure and must be declared as a protected system,” said Prof Triveni Singh, SP, Cyber Crime, UP Police.
“Section 66F(B) is a grievous offence and this notification means all ethical hackers need to stay away from ICICI Bank servers or they would be prosecuted for Cyber Terrorism which is also a Non Bailable offence. I also feel the same should be done for all Banks and Financial organisations of High value,” said Advocate (Dr.) Prashant Mali.