India: An Overview On The CERT-IN Cyber Security Directions, 2022

The Indian Computer Emergency Response Team (“CERT-In“) is the national agency for incident response for cyber security and has been established under Section 70B of the Information Technology Act, 2000 (“IT Act“). Its functions include the collection, analysis and dissemination of information on cyber incidents, providing and implementing emergency measures for handling any cyber security incidents, coordinating cyber incident response activities, and issuing guidelines, advisories, vulnerability notes and white papers with information relating to security practices, procedures, prevention, response and reporting of cyber incidents. It is further empowered, under Section 70B (6) of the IT Act, to call for information and give directions to service providers, intermediaries, data centres, body corporate and any other person for carrying out the abovementioned activities.

Pursuant to the powers granted to the CERT-In, on April 28, 2022, it issued certain directions relating to, “information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet,” vide Direction No. 20(3)/2022-CERT-In (“Directions“)¹. Pursuant to its functions related to the handling of all cyber incidents and interactions, the CERT-In had identified certain gaps that were hindering its incident analysis, following which these Directions had been issued to address the identified gaps and issues to facilitate incident response measures,² to strengthen the cyber security infrastructure of the country, and to further the interests of, “the sovereignty or integrity of India, defence of India, security of the state, friendly relations with foreign states or public order or for preventing incitement to the commission of any cognizable offence using computer resource or for handling of any cyber incident.”

Reporting Cyber Incidents.

Under the Directions, all service providers, intermediaries, data centres, body corporates and government organisations shall have to mandatorily report all cyber incidents within 6 hours of becoming aware or being notified of the existence of such cyber incidents. Such compulsorily reportable cyber incidents are more particularly outlined in Annexure I of the Directions and include data breaches, data leaks, the targeted scanning or probing of any critical networks/systems, phishing attacks, the compromise of any critical systems or information, any unauthorised access to IT systems or data, the defacement of a website or intrusion into a website and unauthorised changes to any websites for instance inserting malicious code or links to external websites. The details, form and format of the reporting of cyber security incidents will be issued by the CERT-In and may be updated/amended from time-to-time.

Maintenance and Registration of Information.

Now, all data centres, virtual private server providers, cloud service providers and virtual private network service providers are required to register and maintain certain information about its users for a period of 5 years, or longer if required by applicable law, after the cancellation or withdrawal of any user's registration from the platforms. Such information includes the validated names of the subscribers or customers who are availing or utilising the services of these service providers, the period of time for which the services are being used (including the dates of usage), the IPs allotted to or being used by the users, the users' email address, IP address and time stamp recorded at the time of registration by the users, the purpose for utilising the services, and the ownership pattern of the users of the services. The provisions would require all such service providers to retain and localise all this customer/user information and data within India, even if such service providers do not physically operate in the country.

KYC and Financial Information Preservation.

The Directions further require all virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as so designated by the Ministry of Finance and as may be amended from time-to-time) to mandatorily maintain all information that has been obtained during the mandatory Know Your Customer (“KYC“) checks for the users and records of all the financial transactions conducted by them on these platforms for a period of 5 years. The Directions state that this measure has been introduced to, “ensure cyber security in the arena of payments and financial markets for all citizens of India and protect their data, their fundamental rights and economic freedom, in light of the increase in the traffic and dealing with virtual assets“. Such transaction records must be maintained by these service providers in a manner whereby the gathered information shall enable individual transactions to be reconstructed and traced. The information maintained shall include, but not be limited to, the relevant elements of information relating to the identification of the parties involved in any transaction on these platforms, such as the IP addresses of the users along with timestamps and time zones evidencing when and where such transactions are being conducted, the transaction IDs, the addresses or accounts involved (or equivalent identifiers), the nature and date of the transactions, and the amounts of money transferred, if any.

ICT Systems Logs.

The Directions further require all service providers, intermediaries, data centres, body corporate and Government organisations to mandatorily create and enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction. These logs shall be furnished and provided to CERT-In when reporting any cyber incident to the organisation and/or when ordered or directed by the CERT-In to disclose the same. The generality of this direction, and its wide applicability, would now require all such organisations, including but not limited to social media platforms, to maintain localised data logs and records in India, regardless of whether or not such organisations have a physical presence in the country.

Finally, in the event that any cyber incident has occurred, over which the CERT-In has jurisdiction, the entities outlined in the Directions shall be required to furnish any and all details as requested by the CERT-In. The failure to provide any such information, or in case of any non-compliance with the Directions, may be cause for the initiation of punitive action under any applicable laws and Section 70B (7) of the IT Act, whereby any non-compliance with the provisions of Section 70B (6) of the IT Act (the provision under which the Directions have been issued) may attract punishment of imprisonment for up to 1 year, a fine which may extend to Rs. 1,00,000, or with both. The Directions shall be effective from June 27, 2022, 60 days from the date of its issuance.

Footnotes

1. Indian Computer Emergency Response Team, Direction No. 20(3)/2022-CERT-In, April 28, 2022, Available at: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf.

2. PIB, CERT-In issues directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet, April 28, 2022, Available at: https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1820904.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.