India: De-Coding The Cert-In Directions On Cyber-Security

As internet usage and penetration in India continues to grow at a rapid pace, there has been a corresponding rise in cyber-crime and other online security challenges. An increased reliance on technology caused by the COVID-19 pandemic has further rendered corporates as well as the general population vulnerable to online exploitation with several companies having witnessed cyberattacks resulting in large-scale theft of personal data. The Indian Computer Emergency Response Team (CERT- In), a nodal agency under the Ministry of Electronics and Information Technology responsible for handling cybersecurity related functions, has also reported more than 2.12 Lakhs cybersecurity incidents as of February 2022.¹ It is in this context that CERT-In has, on April 28, 2022, issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (Directions). The Directions have been issued under provisions of Section 70B (6) of the Information Technology Act, 2000 (IT Act 2000) read with the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (2013 Rules) with the objective to augment and strengthen cyber security in India in order to ensure a secure, trusted and accountable internet in the country.

The Directions are intended to provide for compliances relating to information security practices, procedures and ensure timely reporting of cyber-crimes to CERT-In, supplemented by necessary information, which may be required for analysis of such incidents/attacks. As the Directions are expected to come into effect after 60 days from the date of their issuance i.e. end of June, 2022, CERT-In issued a set of frequently asked questions (FAQs) in May, 2022, to explain nuances of the Directions for enabling better understanding of the same by relevant stakeholders. While these FAQs are stated to be an evolving document which may undergo changes in the future, the same help in giving context to the compliances required by the Directions.

APPLICABILITY

The Directions will be applicable on service providers, intermediaries, data centres, body corporate, Virtual Private Server (VPS) providers, Cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organizations. It must be noted that individual citizens are not covered by these Directions. It has also been clarified in the FAQs that the Directions shall, in matters of cyber incidents and cyber security incidents, apply to 'any entity whatsoever'. In this regard, provisions of the IT Act 2000, particularly Section 1 and Section 75, extend its applicability to offences committed outside India by a person so long as the offence or contravention involves a computer, computer system or computer network located in India.

OBLIGATION TO REPORT

Obligation to report cyber security incidents to CERT-In is statutory in nature and will, by virtue of the provisions of section 81 of the IT Act 2000, override any law or contract to the contrary, such as contracts providing for confidentiality. Further, in cases where multiple entities are affected by a cyber incident, it is the obligation of the entity, which notices the cyber incident, to report the same to CERT-In as this obligation is neither transferrable nor indemni?ed or can be dispensed with. Accordingly, all covered entities must mandatorily report cyber incidents, as listed in Annexure 1 of the Directions, within the time period stipulated in the Directions. The listed events can be reported over e-mail (incident@cert-in.org.in), phone (1800-11-4949), fax (1800-11-6969).

COMPLIANCES

Reporting of cyber incidents

While the 2013 Rules lacked clarity on the time period within which a cyber incident was to be reported, the Directions provide that all covered entities must report any cyber incident within 6 hours of noticing or being brought to notice about such incident. The FAQs clarify that entities may, except in certain scenarios where all details of the cyber incident need to be reported within the said timeline², provide information to the extent available at the time of reporting and additional information can be subsequently reported to CERT- In within a reasonable period of time. The Directions also require the covered entities to designate a point of contact (POC), who shall serve as an interface with CERT-In. The said requirement shall also apply to service providers who do not have physical presence in India but are rendering services to users in India.

Logs

The Directions require covered entities to maintain logs of `ICT systems` for 180 days on a rolling basis. Such logs may be stored outside India, provided the covered entity is capable of providing relevant logs to CERT-In within a reasonable time. Further, any covered entity offering services to users in India will need to enable and maintain logs and records of financial transactions in India. The type of logs that should be maintained by covered entities would depend upon the sector in which the said entities are operating in.

Compliance for data centers, VPN service providers, etc.

Data centers, VPN service providers, cloud service providers and virtual private server (VPS) providers are required to register details such as names of subscribers/customers hiring services, period of hire, IPs allotted to/being used by the members, email, validated address, contact numbers, etc. and store such information for a period of 5 years or longer, as mandated after cancellation or withdrawal of registration. The said requirements do not apply to enterprise/corporate VPNs.

Time Protocol

The Directions require covered entities to connect to the Network Time Protocol (NTP) server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers for synchronization of all their 'ICT system' clocks. Entities with ICT infrastructure spread across several geographies can use other standard time sources, provided such standard time sources should not deviate from NIC or NPL. In this regard, it is not mandatory for covered entities to set system clocks in Indian Standard Time and they may use the UTC time stamp provided by NIC or NPL. The said requirement of synchronization is to ensure that only standard time facilities are used across the board by all covered entities so as to ease analysis of cyber security incidents affecting multiple systems at the same time.

PUNISHMENT

Failure by a covered entity to furnish required information or any other non-compliance of the Directions, may invite punitive action under Section 70B(7) of the IT Act 2000 and other laws as applicable. The said section provides for imprisonment for a term which may extend to 1 year or with fine which may extend to INR100,000 or with both.

CONCLUSION

While the Governments' intent behind issuing the Directions is laudable, the same has resulted in several entities raising concerns around implementation and feasibility of compliance. Some of the main concerns include increased financial and administrative burden of the covered entities, potential of increase in incidents relating to breach of data privacy. Further, the requirement to report cyber incidents within 6 hours may not be feasible for a large number of medium and small entities, who may not be equipped to comply with the said requirement. Additionally, some industry experts have raised concerns around the ability of covered entities to augment their existing data security framework in order to ensure data integrity for longer time periods considering the 5-year time period mandated under the Directions.

With a well-meaning Government standing behind the Directions and the date of implementation fast approaching, it is important for covered entities to actively analyze and initiate the process for implementing the Directions in their day-to-day functioning.

Footnotes

1. 2.12 Lakh Cybersecurity Incidents Reported In 2022: Indian Govt (inc42.com)

2. Cyber incidents and cyber security incidents of severe nature, data breaches or data leaks, cyber incidents impacting safety of human beings, etc.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.