Govt declares ICICI, HDFC, NPCI's IT resources as Critical Information Infrastructure


Critical Information Infrastructure: The Union Ministry of Electronics and IT (MeitY) has declared the IT resources of ICICI Bank, HDFC Bank and the UPI-managing entity National Payments Corporation of India (NPCI) as ‘critical information infrastructure’ (CII).

Key Points:

  • They have been declared as CII under Section 70 of the IT Act, 2000.
  • The computer resources of their associated dependencies will also be regarded as protected systems.
  • IT resources under CII include Core Banking Solution, Real Time Gross Settlement and National Electronic Fund Transfer (NEFT) comprising Structured Financial Messaging Server.
  • The notification to this effect was issued on June 16, 2022.

Why is the protection of CIIs necessary?

  • IT resources are the backbone of numerous crucial processes in a nation's infrastructure, and given their interconnectedness, disruptions can have a cascading effect across sectors.
  • Power grid outages caused by information technology issues can have a devastating effect on other industries, including banking and healthcare.
  • The decision to place IT resources under CII was taken because of cyber-attacks, which raised the need for protected systems at all banks and financial institutions.

For instance, recent attacks on infrastructure and businesses include:

  • 2017 WannaCry and NotPetya ransomware attacks,
  • The 2015 attack on Ukrainian power grids, and
  • 2010 Stuxnet attack on Iranian nuclear reactor.

  • Cyber Wars: States are deploying cyber-attacks for geopolitical gains.

What is critical information infrastructure?

  • The "Critical Information Infrastructure" (CII) is a "computer resource" as defined by the Information Technology Act of 2000.
  • The incapacitation or loss of such a resource has a crippling effect on national security, public health, the economy, or public safety.
  • According to the official notification, any harm to them could have an impact on national security, and anyone accessing these resources without authorization could face a 10-year prison sentence.

Who has the power to declare an entity as a Critical Information Infrastructure?

  • The Union government, under Section 70 of the IT Act, 2000, has the power to declare any data, database, IT network or communications infrastructure as Critical Information Infrastructure in order to protect that digital asset.

Protection of CIIs in India:

  • The National Critical Information Infrastructure Protection Centre (NCIIPC), established in 2014, is the nodal agency taking all measures for protecting CIIs in India.

NCIIPC is mandated to guard CIIs against:

  • Unauthorized access,
  • Use,
  • Modification,
  • Incapacitation,
  • Disclosure,
  • Disruption, or
  • Distraction.

  • It monitors and forecasts national-level threats to CII for policy guidance, situational awareness and expertise sharing for early alerts or warnings.
  • In case of a threat to CII, the NCIIPC may call for information and provide directions to critical sectors or persons having a critical impact on CII.
  • As per NCIIPC, the basic responsibility for protecting the CII system shall lie with the agency running that CII.

About NCIIPC:

  • The National Critical Information Infrastructure Protection Centre (NCIIPC) is an organization of the Government of India (GoI).
  • NCIIPC was created under Section 70A of the Information Technology Act, 2000 (amended 2008), through a gazette notification in 2014.
  • It is designated as the National Nodal Agency in terms of Critical Information Infrastructure Protection.
  • It was founded on 16 January 2014.
  • It is a unit of the National Technical Research Organisation (NTRO) and therefore comes under the Prime Minister’s Office (PMO).

NCIIPC has broadly identified the following as ‘Critical Sectors’:

  • Government
  • Strategic & Public Enterprises
  • Power & Energy
  • Banking, Financial Services & Insurance
  • Telecom
  • Transport

Vision:

Its vision is "To facilitate safe, secure and Resilient Information Infrastructure for Critical Sectors of the Nation."

