The Computer Emergency Response Team (“CERT-In”) has notified new directions dated 28th April 2022, under sub-section (6) of section 70B of the Information Technology Act, 2000 relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet (“Directions”). CERT-In is a functional organisation of Ministry of Electronics and Information Technology (“MeitY”), Government of India, with the objective of securing Indian cyber space. CERT-In provides Incident Prevention and Response services as well as Security Quality Management Services. The mission of CERT-In is to enhance India’s communication and information infrastructure through proactive action and effective collaboration.
The task of CERT-In is to collect, analyze and disseminate information of cyber incidents, forecast and alert cyber security incidents, take emergency measures for handling cyber security incidents and issue guidelines, advisories etc. relating to information security practices etc. With the advent of digitalization and increase in cyber security incidents, CERT-In has been facing challenges in accessing data to analyze and investigate such incidents. Keeping this in mind, the Directions have been issued to take action against such incidents, mitigate them and take information to make it easier to track and monitor.
The directions have been issued on 28 April 2022 and will be effective after 60 days from the date of issue. The directions have mandated compliance in relation to cyber security incidents by mandating fixed timelines for reporting of incidents, storage of system logs in Indian jurisdiction, power to seek information, norms pertaining to data retention etc.
Key Highlights of the Directions for reporting Cyber incidents
Reporting of incidents within 6 hours- The directions require any service provider, intermediary, data center, body corporate and government organisation to mandatorily report cyber incidents to CERT-In within 6 Hours of noticing such incidents or being brought to notice about such incidents. The types of cyber security incidents which are mandatorily to be reported by service providers, intermediaries, body corporate and Government organizations include targeted scanning, probing of critical networks, identity theft, phishing, data breach, data leaks, unauthorized access of IT systems, defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites. etc. The list of cyber incidents are mentioned in an annexure to the Directions. Please read here
While there already exists an obligation to report Cyber Security Incidents as provided under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, there was no time limit prescribed under the said rules and was only to be reported in a reasonable period. However, the Directions have provided clarity in this regard by fixing a timeline of 6 hours. The incidents can be reported to CERT-In via email (firstname.lastname@example.org), Phone (1800-11-4949) and Fax (1800-11-6969).
Crypto exchanges and wallets to maintain KYC Details and records – The virtual asset service providers, virtual asset exchange providers and custodian wallet providers will have to mandatorily maintain KYC and records of financial transactions for a period of five years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.
Further, the Directions mandate that the transaction records shall be maintained in such a way that an individual transaction can be reconstructed along with the relevant elements comprising of information relating to the identification of relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
Service Providers to maintain information- Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers and Virtual Private Network Service (VPN Service) providers have been required to register information pertaining to name of subscribers, period of hire, IPs allotted to/being used by members etc. for a period of 5 years or more as mandated by the law after any cancellation or withdrawal of the registration.
Designation of Point of Contact- The service provider, intermediary, data center, body corporate and government organizations are mandated to designate a Point of Contact to interface with CERT-In. All communications from CERT-In seeking information and providing directions for compliance shall be sent to the said Point of Contact
Order/Directions issued by CERT-In- For the purpose of cyber incident response, protective and preventive action related to cyber incident, CERT-In can issue orders to entities to take action and demand information that may be of assistance to CERT-In. The order may contain the format of information and a specified time-frame. Non-adherence to such compliance would be treated as non-compliance of this Direction.
Maintenance of Logs- The Directions have mandated that all service providers, intermediaries, data centers, body corporate and government organisation shall mandatorily enable logs of all their ICT systems and maintain them securely for a period of 180 days within Indian jurisdiction. Such logs will have to be provided to CERT-In along with reporting of any incident or when ordered/directed by CERT-In.
The ambit of this provision is broad and has the potential of bringing in such service intermediaries under its lens who do not have any physical presence in India and thus will be required to maintain system logs in India.
Penalty- Failure to comply with the directions will result in both, imprisonment of up to 1 year and a fine which may extend to 1 lakh rupees
Observations to CERT-In Directions
The list of mandatorily reportable incidents is broad and may require further clarity on their definitions of incidents such as Data Breach which has not been defined in existing laws.
While such guidance on reporting of cyber incidents was much needed, it is felt that the timeline of notifying such breach within a period of 6 hours of noticing such breach could pose some challenges. Further, under existing laws, organizations are already mandated to report such incidents but there were no penalties imposed for non-compliance and it is expected that with current guidelines will result in better compliance.
The cost of compliance would increase significantly since some cyber incidents such as phishing happen often and thus intimation of such breach on a 6-hour timeline means that the organizations will have to rework on their internal processes to meet the short timelines.
Storage of records of financial transactions and KYC information by virtual assets service providers, within Indian jurisdiction is a step in ensuring cyber security and will help in reconstructing any individual transaction along with the relevant parties entering into the same. Perhaps, CERT-In aims to pin the responsibility to an Indian entity. This appears that data localization, which is debated highly in India, is making its presence via these Directions.
Another facet of these directions is that cyber incident that needs to be reported is not just limited to incidents originating in India but can be extra-territorial in nature.
Further clarity is needed with respect to the nature of orders that CERT-In will issue pursuant to reporting of such incidents and to what extent can it demand information.