It is often the case that systemic failures in monitoring and oversight only enter the public discourse after incidents causing unprecedented monetary and reputational loss come to light.
In relation to such incidents, the pace with which government agencies and regulators swing into action reveals an important facet of the approach to regulation within India: it often takes a full-blown crisis in the public glare to stimulate system-level reform. While it is unfair to paint all policy-making or regulators as reactive, there is no doubt that market intervention is often driven by the need to respond to crises. In other words, a precondition to reform has been the occurrence of actual loss, both of tangibles and of trust. However, this need not always be the case. Regulators must be able to learn not only from actual system failures, lapses, or criminal activity but also from those incidents which, while coming close, did not result in actual harm because they were detected or prevented: fraudulent transactions which were blocked, suspicious activity that was flagged, or calculation errors which were caught before they took effect. In other words, the ‘near misses’.
Within this context, ‘near miss’ regulation refers to an approach which treats near misses on a par with consummated incidents as grounds for regulatory or policy reform. While the approach is well recognised in relation to hazardous substances, aviation and similar high (physical) risk sectors, ‘near misses’ have not frequently entered the discourse in other spheres. However, there is reason to suggest that learnings from such ‘near misses’ might be as valuable as those from catastrophic failures–only without the actual harm. For instance, air traffic controllers make more system changes owing to learnings from near-collisions of airplanes (“Airprox” incidents) than actual crashes. An analogous approach can have benefits for the financial regulatory system–especially in relation to emerging concerns such as cybercrime and cybersecurity.
Encouraging information-sharing in relation to near misses in data breaches or cyber-attacks may have system-wide benefits. From the regulator’s point of view, ‘near miss’ reports provide insight into emerging threat patterns, vulnerabilities, and lacunae within legal frameworks. These may directly feed into forward-looking policy. From a regulated entity’s point of view, receiving reports of near misses facilitates the adoption of safeguards and the development of counter-measures to emerging threat vectors. In addition, entities may be able to draw on the reports of others to profile the vulnerability of a technology solution prior to implementation. Informed regulators and participants also ensure that consumer or investor interest is not compromised by a lack of preparedness or remedies. In other words, regulators may be able to account for common risks before they manifest as tangible loss or harm. Realising this requires a clear framework.
Core to effective ‘near miss’ regulation is creating a regulatory ecosystem which incentivises logging and reporting such incidents in the first place.
At the outset, any legal requirement to disclose near misses must be clear and precise. For instance, under the IT Act framework, ‘real as well as suspected’ adverse cybersecurity incidents must be reported to CERT-In. This language is ambiguous: it is unclear whether ‘suspected’ incidents include attempted attacks that were detected and blocked. The RBI’s approach in the ‘Cybersecurity Framework for Banks’ circular is clearer, requiring disclosure of “all unusual cyber-security incidents (whether they were successful or were attempts which did not fructify)”.
While clear regulations are key, cultural change is equally critical. While none will deny the importance of reporting near misses, there is a tendency to sweep an incident under the carpet as reporting often means stigma. Therefore, there is a need for a well-defined incentive structure for employees and organisations to report near misses without fear of consequence.
First, ‘near miss’ reports should be anonymised, and all reporting entities should have access to the resulting database to help them develop their own risk management systems. Second, a record of regular ‘near miss’ reporting may be made a mitigating factor that regulators must consider when calculating penalties or compensation in the event that a fault results in tangible harm from an incident (for instance, a successful cyber-attack). Similarly, to encourage reporting without fear of adverse legal consequences, a statutory safe harbour, recognising that a ‘near miss’ report will not by itself trigger regulatory action, will go a long way. So will giving reporting organisations an opportunity to engage with the regulator on the policy development that follows from their reports.
Last, the regulatory framework must facilitate seamless information sharing between various regulators on emerging threats. Under the current model, raw reports to CERT-In are kept confidential while data reported to the RBI remains in a silo. In the absence of a well-defined cross-agency threat-sharing mechanism for raw data, learnings from ‘near miss’ reports may not adequately inform the decision-making of other agencies.
To conclude, with organisations ranging from credit scorers to hospitals reporting major breaches around the world, there is a need for regulation which encourages ‘near miss’ reporting through tangible incentives for participating organisations. ‘Near miss’ reporting by a broader array of organisations will ensure that the regulator is informed by the latest threat intelligence while ensuring that policy is current and forward-looking. Importantly, it will ensure that we do not have to wait for the next black swan event to swing into action.
About the authors:
Prashant Saran is Senior Consultant at Shardul Amarchand Mangaldas. He is a former Whole-Time Board member at SEBI and has also served in senior positions with the RBI.
Tarun Krishnakumar is an Associate at Shardul Amarchand Mangaldas and focusses on emerging issues at the intersection of technology, law, and public policy.
Both are based in New Delhi. Views expressed are personal.