India: Stricter cybersecurity norms and reporting requirements - why MNCs and start-ups alike are gearing up for rippling change
The Indian Computer Emergency Response Team ('CERT-In'), the Government nodal agency that deals with cybersecurity threats in India, issued a direction relating to 'Information security practices, procedures, prevention, response, and reporting of cyber incidents for safe & trusted internet'[1] ('the Direction') to impose stringent requirements for cybersecurity reporting and introduce broader compliance requirements. Subsequently, CERT-In released frequently asked questions[2] ('the FAQs') to clarify certain aspects of the Direction. The Ministry for Electronics and Information Technology ('MeitY') has since held a meeting on 10 June 2022 with stakeholders to provide informal clarifications on certain aspects of the Direction and the FAQs. Aaron Kamath, Varsha Rajesh, and Aniruddha Majumdar, from Nishith Desai Associates, discuss the contents of the Direction, as well as its impact on the industry.
The Direction came into force on 27 June 2022, two months after it was issued. The timeline for compliance with the Direction was extended for certain specific entities, including for 'Micro, Small and Medium Enterprises' ('MSMEs') to 25 September 2022[3].
Existing cybersecurity framework
Prior to the Direction, the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 ('the CERT Rules') issued under the Information Technology Act, 2000 ('the IT Act') provided for certain compliance obligations for entities with respect to cybersecurity in India. The CERT Rules require affected service providers, intermediaries, data centres, and bodies corporate to mandatorily report certain cybersecurity incidents to CERT-In as soon as possible to leave scope for timely action. Other cybersecurity incidents which were not specifically identified in the CERT Rules could be reported voluntarily.
The CERT Rules are not specifically repealed or replaced with the Direction. The Direction supplements the existing CERT Rules, augments the powers of CERT-In, and introduces further obligations for reporting and compliance.
Applicability of the Direction
The obligations relating to the reporting of incidents under the Direction[4] apply to both Indian and foreign entities which have computer infrastructure (i.e., a 'computer', 'computer system', or 'computer network') located in India. The Direction may also apply with respect to incidents affecting any computer infrastructure located outside India under limited circumstances such as if the cybersecurity incident originated from an attacker in India or if any computer infrastructure in India is adversely impacted.
However, the Direction also contains obligations in the nature of 'Know Your Customer' ('KYC') procedures for specific entities such as data centres and cloud service providers[5]. These obligations may apply even if such entities provide services to customers in India, regardless of the location of their computer infrastructure, or the origin or impact of any incident which affects such computer infrastructure.
Compliances under the Direction
Below are key compliances under the Direction applicable to service providers, intermediaries, data centres, bodies corporate, and Government organisations (collectively known as 'the Entities').
Point of contact
Entities offering services to the users in the country are required to designate a Point of Contact ('PoC') to liaise with CERT-In and update CERT-In of any changes in the PoC[6].
Synchronisation of system clocks
The Direction requires all the Entities to synchronise ICT systems' clocks to the Network Time Protocol ('NTP') of the National Informatics Centre ('NIC') or National Physical Laboratory ('NPL'). Alternatively, the ICT systems' clocks may be synced with NTP servers traceable to those maintained by the NIC or the NPL. Global entities are permitted to use a different time source which is accurate and standard, but they need to ensure that their time source does not deviate from the NPL and the NIC. In case there is a deviation, the entity must make note of the deviation and report it to CERT-In at the time of reporting the incident.
Maintenance of logs and data localisation
All the Entities covered under the Direction should maintain logs such as Firewall logs, Intrusion Prevention Systems logs, SIEM logs, web/database/mail/FTP/proxy server logs, event logs of critical systems, application logs, ATM switch logs, SSH logs, and virtual private network ('VPN') logs etc., for all their ICT systems for 180 days in India. These logs are also required to be provided to CERT-In while reporting a cyber incident, or when sought by CERT-In pursuant to a direction. The logs may be stored outside India provided they can be produced to CERT-In upon request within a reasonable time[7].
Additionally, data centres, virtual private server ('VPS') providers, cloud service providers ('CSP'), and VPN providers are required to record information in relation to subscribers[8] and maintain records of such information for at least five years after the cancellation of the user registration, or a longer period when mandated by law. The requirement of maintenance of 'validated names of subscribers/customers hiring the services' and 'validated address and contact numbers' will be enforced post 25 September 2022[9].
Similarly, virtual asset service providers, virtual asset exchange providers, and custodian wallet providers shall mandatorily maintain all information obtained as part of KYC and records of financial transactions for a period of five years. With respect to transaction records, accurate information should be maintained in a manner so that individual transactions can be reconstructed along with the relevant elements like information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
The Direction identifies certain kinds of cybersecurity incidents which are required to be reported by the Entities which are further explained in the FAQs.
The Direction introduces a six-hour timeframe for reporting the specified incidents which meet the following criteria:
- cyber incidents and cybersecurity incidents of severe nature (such as Denial of Service ('DoS'), Distributed Denial of Service ('DDoS'), intrusion, and the spread of computer contaminants including ransomware) on any part of the public information infrastructure including backbone network infrastructure;
- data breaches or data leaks;
- large-scale or most frequent incidents such as intrusion into computer resources and websites, etc.; and
- cyber incidents impacting safety of human beings.
Information to the extent available regarding incidents can be provided to CERT-In within the six-hour timeline. The detailed reporting for such incidents should be made as per the prescribed incident reporting form[10] within a reasonable time. For all other mandatorily reportable cybersecurity incidents, information is required to be provided to CERT-In within a reasonable time.
The FAQs further clarify that in the event multiple parties are affected by the same cybersecurity incident, any entity which notices the cybersecurity incident shall report it to CERT-In. There was a subsequent informal clarification that the entity to report the cybersecurity incident to CERT-In should be the entity in charge of the affected computer infrastructure. The obligation to report a cyber incident is neither transferrable nor can it be indemnified against or dispensed with.
Subsequent to reporting a cybersecurity incident, necessary action should be taken by the entity and/or information or assistance should be provided if directed by CERT-In.
The CERT Rules do not prescribe any specific penalties for non-compliance with directions issued by CERT-In or reporting requirements. However, the Direction provides that the penalty for non-compliance with the Direction shall be as per the IT Act. Accordingly, entities who fail to comply with the Direction, or otherwise fail to provide the information or assistance as directed by CERT-In will be liable to imprisonment which may extend up to one year and/or fine which may extend up to INR 100,000 (approx. €1,240)[11].
Concerns regarding the Direction
In the wake of the Direction, industry players and experts have raised several concerns regarding the Direction. Primarily the stringency in the reporting requirements, i.e. the six-hour timeframe and the enlarged ambit of mandatory reporting, were met with objections from the industry due to the lack of capacity and infrastructure to identify and report cybersecurity incidents within the prescribed timeline. Furthermore, it appears that the internal escalation and administrative processes within the organisations may not have been accounted for by CERT-In while arriving at this timeframe.
The Direction also raises several privacy concerns. It appears to provide CERT-In with unbridled powers to demand disclosure of information (even without the occurrence of a cybersecurity incident). Such information may include personal information of individuals and, therefore, the Direction may need to be assessed in light of the three-fold test of legality, legitimacy of aims, and proportionality prescribed in K.S. Puttaswamy v. Union of India. Further, the Direction also requires VPN providers to maintain the data of subscribers for a period of five years and furnish it on request. Maintenance of such logs would contradict the purpose of the VPN which is primarily designed to protect user privacy.
On the contrary, the FAQs justify that the right of citizens is not affected since the Direction does not envisage the seeking of information by CERT-In from the service providers on a continuous basis as a standing arrangement. The FAQs further clarify that the reporting requirements placed on bodies corporate take precedence over any contractual obligations towards users to ensure confidentiality of their information.
Additionally, from a legal standpoint, the validity of the Direction may be controversial. CERT-In is vested with wide powers with respect to cybersecurity incidents under the IT Act, as specified above. While directions may be issued by CERT-In, it may be argued that the present Direction is beyond the scope of the powers of CERT-In, since it contains provisions which effectively amend the current provisions of the CERT Rules, and also contain KYC obligations which are beyond the scope of CERT-In's functions.
In light of these issues, there have been representations made to the Government to re-consider and delay the implementation of the Direction. The Government has issued some oral clarifications with respect to certain aspects of the Direction and has also extended the timeline for compliance for MSMEs, and certain KYC requirements. The Government has indicated that the implementation of the Direction will be reviewed and there may be further reconsiderations of the provisions.
Cybersecurity in India has been a concern of national security and interest. Despite the CERT Rules, 1,402,809 cybersecurity incidents were reported in 2021[12]. The Direction serves as a facelift to the existing law and seeks to remedy the impassive outlook of the industry towards cybersecurity reporting and compliance.
The Direction also supplements the recent approach of the Government towards the protection of consumer data, governmental access to data for enforcement, and combatting security threats as seen in the proposed data protection law and sectoral data laws in the telecom, banking, and insurance industry.
Overall, while the Direction is important to ensure an open, safe, and accountable internet for citizens, some of the requirements require further clarity whilst enforcement action is also left to be observed.
Aaron Kamath Leader – Technology, Data Privacy and Cyber Security
Varsha Rajesh Member – Digital Health, Lifesciences and Data Privacy
Aniruddha Majumdar Member – Disruptive Technologies and Cyber Security
Nishith Desai Associates
1. Available at: https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf
2. Available at: https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf
3. See: https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf
4. As contained in paragraphs (i) to (iv) of the Direction.
5. As contained in paragraphs (v) to (vi) of the Direction.
6. Question no. 29 of the FAQs.
7. Question no. 35 of the FAQs.
8. Specifically, the Direction requires the: (i) validated names of subscribers/customers hiring the services; (ii) period of hire including dates; (iii) IPs allotted to/being used by the members; (iv) email address and IP address and time stamp used at the time of registration/on-boarding; (v) purpose for hiring services; (vi) validated address and contact numbers; and (vii) ownership pattern of the subscribers/customers hiring services.
9. See: https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf
10. Available at: https://www.cert-in.org.in/PDF/certinirform.pdf
11. Section 70B(7) of the IT Act.
12. See: https://www.cert-in.org.in/s2cMainServlet?pageid=PUBANULREPRT