The Government of India's policy goal is to ensure that Indian internet users experience a safe and trusted internet. To achieve this objective and develop a robust cyber security system, the Indian Computer Emergency Response Team (CERT-In) was set up as the national agency for cyber security incident response and for proactive measures to prevent cyber incidents in India. CERT-In was created by the Government of India in 2004 and operates under the auspices of the Ministry of Electronics and Information Technology (MeitY).

The directions recently issued by CERT-In have made corporates across various sectors anxious about certain onerous compliance requirements. The directions were issued by CERT-In on April 28, 2022 (Cyber Security Directions) under sub-section (6) of section 70B of the Information Technology Act, 2000 (Act), to deal with emerging cyber threats and to augment incident response measures in the country. Subsequently, to address queries on the nuances of the new directions, CERT-In released clarifications in FAQ format on May 18, 2022 (FAQs).

We have received a number of inquiries from corporates operating across different sectors seeking clarifications on the new directions, specifically in relation to the maintenance of logs and the incident reporting requirements. The FAQs provide clarifications, but only to a limited extent. This update provides a brief snapshot of the new requirements imposed by the Cyber Security Directions.

  1. Applicability

The Cyber Security Directions come into force on June 27, 2022. They apply to service providers, intermediaries, data centres, body corporates (any company, and including a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities), Virtual Private Server (VPS) providers, Cloud Service Providers (CSPs), Virtual Private Network (VPN) service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organisations.

  1. Synchronisation of ICT system clocks

To ensure that all entities use a standard time reference, the Cyber Security Directions require every entity to synchronise its ICT system clocks with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with other NTP servers traceable to those maintained by NIC or NPL. Entities whose ICT infrastructure spans several geographies may use another accurate and standard time source, provided that it does not deviate from NPL and NIC time. Consistent clocks underpin the other obligations: the six-hour reporting window and the log retention period can only be evidenced if timestamps across systems agree.
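The check a practitioner would want here is whether a given host actually satisfies the direction: is it synchronised to an approved server, and how far does its clock sit from that reference? The following is an added illustration, not code from the directions, the FAQs or CERT-In. It parses the text printed by `chronyc tracking` on a Linux host running chrony. The approved hostnames (`samay1.nic.in`, `samay2.nic.in`, `time.nplindia.org`) are assumed and must be confirmed against CERT-In's published list, and the offset tolerance is an assumed operational threshold, since the directions prescribe no numeric figure.

```python
"""Check a host's NTP state against the CERT-In clock-synchronisation direction.

Added illustration, not from the directions or the FAQs. Parses the output
of `chronyc tracking` and reports whether the selected reference is an
approved NIC/NPL server and whether the local clock is within tolerance.
"""
import re
import subprocess

# ASSUMPTION: approved server names; the directions do not list hostnames.
APPROVED_SUFFIXES = ("nic.in", "nplindia.org")
# ASSUMPTION: operational tolerance in seconds; the directions give no figure.
MAX_OFFSET_S = 0.5

# Constructed sample of `chronyc tracking` output from a compliant host.
SAMPLE_OK = """\
Reference ID    : C0A80A01 (samay1.nic.in)
Stratum         : 2
Ref time (UTC)  : Thu May 19 10:00:00 2022
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000010000 seconds
RMS offset      : 0.000050000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.100 ppm
Root delay      : 0.020000000 seconds
Root dispersion : 0.001000000 seconds
Update interval : 64.0 seconds
Leap status     : Normal
"""

# Constructed sample from a host synced to an unapproved server and 2.5 s slow.
SAMPLE_BAD = """\
Reference ID    : 5BCC0F2A (time.example.net)
Stratum         : 3
Ref time (UTC)  : Thu May 19 10:00:00 2022
System time     : 2.500000000 seconds slow of NTP time
Last offset     : -0.300000000 seconds
RMS offset      : 0.900000000 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.100 ppm
Root delay      : 0.090000000 seconds
Root dispersion : 0.010000000 seconds
Update interval : 64.0 seconds
Leap status     : Normal
"""


def parse_tracking(text):
    """Split `chronyc tracking` output into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon separates key from value
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def check_tracking(text, approved=APPROVED_SUFFIXES, max_offset=MAX_OFFSET_S):
    """Return a verdict dict: reference host, signed offset, and any problems found."""
    f = parse_tracking(text)
    problems = []

    # chrony prints the resolved name of the reference in parentheses, if any.
    m = re.search(r"\(([^)]+)\)", f.get("Reference ID", ""))
    ref = m.group(1) if m else None
    if ref is None or not any(ref == s or ref.endswith("." + s) for s in approved):
        problems.append(f"reference {ref!r} is not an approved NIC/NPL server")

    if f.get("Leap status") != "Normal":
        problems.append(f"leap status is {f.get('Leap status')!r}, clock not synchronised")

    # "System time : N seconds fast|slow of NTP time" gives the current offset.
    offset = None
    m = re.match(r"([0-9.]+) seconds (fast|slow) of NTP time", f.get("System time", ""))
    if not m:
        problems.append("cannot parse System time line")
    else:
        offset = float(m.group(1)) * (1 if m.group(2) == "fast" else -1)
        if abs(offset) > max_offset:
            problems.append(f"clock offset {offset:+.3f}s exceeds tolerance {max_offset}s")

    return {"reference": ref, "offset_s": offset, "ok": not problems, "problems": problems}


def live_check():
    """Run the check against the local chrony daemon (requires chronyc)."""
    out = subprocess.run(["chronyc", "tracking"], capture_output=True, text=True, check=True)
    return check_tracking(out.stdout)


if __name__ == "__main__":
    for label, sample in (("sample-ok", SAMPLE_OK), ("sample-bad", SAMPLE_BAD)):
        print(label, check_tracking(sample))
    try:
        print("live", live_check())
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("live check skipped:", exc)
```

Run periodically from the host's monitoring, the verdict gives an audit trail that the clock source and offset were within policy at each check; a host that selects a non-approved source or drifts beyond tolerance surfaces in `problems` rather than silently producing logs whose timestamps cannot be reconciled.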

  1. Reporting of cyber security incidents within 6 hours

The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (CERT-In Rules) prescribe no fixed timeline for reporting cyber security incidents; they only require reporting within a 'reasonable time'. The Cyber Security Directions now require entities to report cyber security incidents within 6 (six) hours of noticing them or being brought to notice about them.

Given the short time frame, entities will need to review their approach and practice for reporting cyber security incidents. The requirement is likely to raise feasibility and practical challenges. Six hours is a short window in which to detect an incident, establish its scope (itself often a complex process) and begin containment. The window is also considerably shorter than those in comparable regimes elsewhere (the EU GDPR, for instance, allows 72 hours for notifying the supervisory authority).

The FAQs make it clear that the reporting requirement is statutory in nature and overrides any contractual confidentiality clause. The FAQs also provide that entities may report the information available at the time of reporting, with additional information reported later to CERT-In within a reasonable time. The expression 'reasonable time' is not defined in the new directions, but is generally understood to mean as soon as possible.

  1. Information requests by CERT-In

CERT-In may call for information from entities, in the format and within the time frame it specifies, for the purpose of responding to cyber incidents. The Cyber Security Directions also require entities to designate a Point of Contact (PoC) to interface with CERT-In.

  1. Maintenance of ICT system logs

The Cyber Security Directions require entities to store logs of their ICT systems and maintain them securely for a rolling period of 180 (one hundred and eighty) days. Further, the directions require such logs to be stored within the jurisdiction of India.

Given that maintaining and storing all logs of ICT systems would trigger substantial infrastructure cost and feasibility issues, a number of entities approached CERT-In seeking clarifications.

The clarifications issued by way of the FAQs brought relief by confirming that the logs may be stored outside India, as long as the entity can produce them to CERT-In within a reasonable time when required.

However, the clarifications on the scope of logs to be maintained do not set out the requirement in black and white; they leave an element of subjectivity for entities to decide which logs to maintain. The FAQs provide that the logs to be maintained depend on the sector the organisation operates in. By way of example, CERT-In expects logs such as firewall logs, Intrusion Prevention System logs, SIEM logs, web, database, mail, FTP and proxy server logs, event logs of critical systems, application logs, ATM switch logs, SSH logs and VPN logs to be maintained. The FAQs further state that the list is not exhaustive and is given only to convey the flavour of logs the relevant teams should be maintaining.

Given the clarifications in the FAQs, it would be advisable for corporates to maintain, at a minimum, the logs expressly mentioned there. Since the Cyber Security Directions read with the FAQs leave the interpretation and the extent of applicability to the entities themselves, standards and practices around log maintenance can be expected to develop over the coming months and years. It is also likely that corporates and IT players will approach CERT-In for further clarifications.
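A 180-day rolling period is a continuous window, so the practical question for each log class is not only "do we keep logs" but "is every day of the last 180 covered right now". The following audit is an added illustration, not code from the directions, the FAQs or CERT-In. It takes an inventory of rotated log files per log class (the sample inventory is constructed; in practice it would be built from a directory listing or a SIEM index list), assumes daily rotation with a `YYYYMMDD` date in each filename, and reports, for each class, how far back retention reaches and which days are missing inside the window. The class names follow the FAQs' example list; an organisation's own list may be longer.

```python
"""Audit rolling log retention against the 180-day period in the directions.

Added illustration, not from the directions or the FAQs. Checks that each
required log class has a rotated file for every one of the 180 days
preceding today (today's log is still open and is not counted).
"""
import re
from datetime import date, timedelta

RETENTION_DAYS = 180  # rolling period required by the directions

# Log classes named as examples in the FAQs (ATM switch logs omitted as sector-specific).
REQUIRED_CLASSES = [
    "firewall", "ips", "siem", "web", "database", "mail",
    "ftp", "proxy", "event", "application", "ssh", "vpn",
]

# ASSUMPTION: rotated files carry the day they cover as YYYYMMDD in the name.
DATE_RE = re.compile(r"(\d{4})(\d{2})(\d{2})")


def file_date(name):
    """Extract the YYYYMMDD date embedded in a rotated log filename, or None."""
    m = DATE_RE.search(name)
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def audit_retention(inventory, today, retention_days=RETENTION_DAYS, required=REQUIRED_CLASSES):
    """inventory: {log_class: [filenames]}. Returns per-class coverage report."""
    # Window is the retention_days full days preceding today: today-1 back to today-retention_days.
    needed = {today - timedelta(days=i) for i in range(1, retention_days + 1)}
    report = {}
    for cls in required:
        have = {d for d in map(file_date, inventory.get(cls, [])) if d is not None}
        missing = sorted(needed - have)
        report[cls] = {
            "oldest": min(have) if have else None,
            "missing_days": len(missing),
            "first_missing": missing[0] if missing else None,
            "ok": not missing,
        }
    return report


def make_inventory(today):
    """Constructed sample inventory (not real data): most classes keep 200 days,
    vpn keeps only 90, and firewall has one day missing inside the window."""
    def files(cls, days_back, skip=()):
        return [
            f"{cls}.log-{(today - timedelta(days=i)):%Y%m%d}"
            for i in range(1, days_back + 1)
            if (today - timedelta(days=i)) not in skip
        ]
    inv = {cls: files(cls, 200) for cls in REQUIRED_CLASSES}
    inv["vpn"] = files("vpn", 90)
    inv["firewall"] = files("firewall", 200, skip={date(2022, 5, 1)})
    return inv


SAMPLE_TODAY = date(2022, 6, 27)  # the day the directions come into force


def run_sample():
    """Audit the constructed inventory as of SAMPLE_TODAY."""
    return audit_retention(make_inventory(SAMPLE_TODAY), SAMPLE_TODAY)


def failing_classes(report):
    """Names of log classes that do not meet the rolling retention window."""
    return [cls for cls, r in report.items() if not r["ok"]]


if __name__ == "__main__":
    rep = run_sample()
    for cls, r in rep.items():
        status = "OK " if r["ok"] else "GAP"
        print(f"{status} {cls:<12} oldest={r['oldest']} missing={r['missing_days']} first_missing={r['first_missing']}")
    print("non-compliant:", failing_classes(rep))
```

Two failure modes show up in the sample that a simple "oldest file is older than 180 days" check would not: a class whose retention was only ever 90 days, and a class with a single missing day inside an otherwise complete window (a rotation or shipping failure). Both mean the entity cannot produce the full 180-day record on request.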

  1. Registration and maintenance of information by data centres and service providers

The Cyber Security Directions require data centres, VPS providers, CSPs and VPN service providers to accurately record certain information about their subscribers, similar to the Know Your Customer (KYC) requirements imposed by other sectoral regulators. This information must be maintained for at least 5 (five) years after the cancellation or withdrawal of the user's registration, or for a longer period where mandated by law.

This requirement has raised privacy concerns and would impose high financial costs on businesses. The FAQs clarify that corporate and enterprise VPNs are not covered: the requirement applies only to providers of commercially available VPN services used by general internet users.

  1. KYC information and financial transaction record

Certain specified entities, namely virtual asset service providers, virtual asset exchange providers and custodian wallet providers, must maintain all information obtained as part of KYC, together with records of financial transactions, for a period of 5 (five) years.

  1. Non-compliance with the Cyber Security Directions

Any non-compliance with the Cyber Security Directions may attract the penal provisions of sub-section (7) of section 70B of the Act, that is, imprisonment for a term which may extend to 1 (one) year, or a fine which may extend to 1 (one) lakh rupees, or both.

Way forward

The Cyber Security Directions are set to bring fundamental changes to the cyber security landscape in India. The new directions have drawn mixed reactions from corporates and specifically from the IT industry. While the IT industry anticipates that the directions will create a robust cyber security framework in India, many corporates have raised concerns about practical feasibility, the infrastructure cost burden and data privacy (particularly in the absence of comprehensive data privacy legislation).

Although the intention behind the Cyber Security Directions is to tighten cyber security in India, the prescribed requirements may cause initial operational hurdles and practical challenges, specifically because of gaps and ambiguities in the directions. Additionally, certain crucial compliances, such as the maintenance of logs, are open to interpretation by corporates and other industry players, and the resulting practices are likely to harden into standards over time.

Going forward, once these complexities are ironed out through such practices and through CERT-In's co-operation in providing guidance and clarifications, the directions can be expected to have a positive impact on cyber security systems and controls in India.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.