Most of the provisions of the Indian Companies Act, 2013 (PDF) have been recently notified by the Ministry of Corporate Affairs (MCA). These include the relevant Rules under various chapters of the Companies Act 2013 as well. For the first time the Companies Act 2013 and the Rules are talking about cyber law and cyber security obligations on the part of Indian and foreign companies operating in India and their directors and key personnel.
Thus, the regulatory compliances under Indian Companies Act 2013 have been given a new meaning. The increased cyber obligations under the 2013 Act now require the companies to comply with techno legal requirements in India. These include cyber law due diligence (PDF), cyber security due diligence, e-discovery compliances, cyber forensics, etc. Even the cyber security obligations of law firms in India has significantly increased and various stakeholders, including companies and law firms, must keep in mind the international legal issues of cyber security.
The cyber security trends and development in India 2013 (PDF), provided by Perry4Law’s Techno Legal Base (PTLB), have also indicated that various corporate stakeholders would be required to comply with cyber law and cyber security related obligations in the near future. As on date, companies and directors are not complying with the cyber law and cyber security obligations as prescribed by Indian laws and regulations.
Although we have no dedicated cyber security law in India as on date yet the same may be formulated in the near future as India has announced that cyber security breach disclosure norm would be formulated very soon. There is no doubt that cyber security breaches notification in India must be made mandatory as these cyber security breaches would raise serious cyber security issues.
Section 1(4) of the Indian Companies Act, 2013 provides that the provisions of this Act shall apply to—
(a) companies incorporated under this Act or under any previous company law;
(b) insurance companies, except in so far as the said provisions are inconsistent with the provisions of the Insurance Act, 1938 or the Insurance Regulatory and Development Authority Act, 1999;
(c) banking companies, except in so far as the said provisions are inconsistent with the provisions of the Banking Regulation Act, 1949;
(d) companies engaged in the generation or supply of electricity, except in so far as the said provisions are inconsistent with the provisions of the Electricity Act, 2003;
(e) any other company governed by any special Act for the time being in force, except in so far as the said provisions are inconsistent with the provisions of such special Act; and
(f) such body corporate, incorporated by any Act for the time being in force, as the Central Government may, by notification, specify in this behalf, subject to such exceptions, modifications or adaptation, as may be specified in the notification.
Section 2 of the Indian Companies Act, 2013 provides that in this Act, unless the context otherwise requires,—
(20) “company” means a company incorporated under this Act or under any previous company law;
(34) “director” means a director appointed to the Board of a company;
(42) “foreign company” means any company or body corporate incorporated outside India which—
(a) has a place of business in India whether by itself or through an agent, physically or through electronic mode; and
(b) conducts any business activity in India in any other manner.
(51) “key managerial personnel”, in relation to a company, means—
(i) the Chief Executive Officer or the managing director or the manager;
(ii) the company secretary;
(iii) the whole-time director;
(iv) the Chief Financial Officer; and
(v) such other officer as may be prescribed;
(59) “officer” includes any director, manager or key managerial personnel or any person in accordance with whose directions or instructions the Board of Directors or any one or more of the directors is or are accustomed to act;
(60) “officer who is in default”, for the purpose of any provision in this Act which enacts that an officer of the company who is in default shall be liable to any penalty or punishment by way of imprisonment, fine or otherwise, means any of the following officers of a company, namely:—
(i) whole-time director;
(ii) key managerial personnel;
(iii) where there is no key managerial personnel, such director or directors as specified by the Board in this behalf and who has or have given his or their consent in writing to the Board to such specification, or all the directors, if no director is so specified;
(iv) any person who, under the immediate authority of the Board or any key managerial personnel, is charged with any responsibility including maintenance, filing or distribution of accounts or records, authorises, actively participates in, knowingly permits, or knowingly fails to take active steps to prevent, any default;
(v) any person in accordance with whose advice, directions or instructions the Board of Directors of the company is accustomed to act, other than a person who gives advice to the Board in a professional capacity;
(vi) every director, in respect of a contravention of any of the provisions of this Act, who is aware of such contravention by virtue of the receipt by him of any proceedings of the Board or participation in such proceedings without objecting to the same, or where such contravention had taken place with his consent or connivance;
(vii) in respect of the issue or transfer of any shares of a company, the share transfer agents, registrars and merchant bankers to the issue or transfer;
(94) “whole-time director” includes a director in the whole-time employment of the company;
These definitions and other provisions under the Companies Act 2013 have imposed many obligations upon the directors of a company to safeguard company’s interests. These include safeguarding the assets of the company and for preventing and detecting fraud and other irregularities during the conduct of company’s business.
The board of directors would also be required to attach to statements laid before a company in general meeting a report about various compliances under the Companies Act 2013. These include cyber law, cyber security, e-discovery, cyber forensics and many more such techno legal compliance obligations on the part of directors.
The directors must also prove that they had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively. Now this would require techno legal expertise as cyber law and cyber security issues are not easy to manage.
The board of directors must also issue a statement indicating development and implementation of a risk management policy for the company including identification therein of elements of risk, if any, which in the opinion of the Board may threaten the existence of the company.
The directors, in the case of a listed company, must also formulate internal financial controls to be followed by the company and such internal financial controls must be adequate and must operate effectively. The term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.
If a company contravenes these provisions, the company shall be punishable with fine which shall not be less than fifty thousand rupees but which may extend to twenty-five lakh rupees and every officer of the company who is in default shall be punishable with imprisonment for a term which may extend to three years or with fine which shall not be less than fifty thousand rupees but which may extend to five lakh rupees, or with both.