Nepal: Overview of the cybersecurity bylaw
With the ever-growing number of beneficiaries of information and communication technology, cybersecurity practices in Nepal have remained vulnerable to cyber threats, and Nepali companies were targeted by some of the largest cyberattacks in recent years. The Cyber Security Bylaw 2020 ('the Bylaw'), issued by the Nepal Telecommunication Authority ('NTA') in August 2020, therefore, is a commendable legislative development to strengthen cybersecurity in Nepal.
The Bylaw is applicable to entities licensed by the NTA ('Licensees'), such as telecommunication service providers, internet service providers, etc. Licensees are required to comply with the security standards and requirements set out in the Bylaw. Anjan Neupane and Saurav Karki, Partner and Senior Associate at Neupane Law Associates respectively, discuss the Bylaw in this article.
Security standards and practices
In addition to security standards, the Bylaw sets out specific technical and functional standards that Licensees must comply with. Licensees must use licensed operating systems, applications, and antivirus software in their servers, desktops, and other devices, as per Rule 14 of the Bylaw. Additionally, operating systems, antivirus software, application libraries, and databases must be regularly updated. The Bylaw also mandates that Licensees follow the best practices recommended by institutions such as SANS, CIS, etc., pursuant to Rule 15 of the Bylaw.
The Bylaw, in Rule 11, provides for standards that Licensees must enforce in relation to user accounts and passwords used in their system. The provisions for user accounts must ensure, among other things, that user accounts and accesses are subject to an approval process, and that admin privileges and other special access privileges are restricted to authorised individuals only.
Furthermore, the Bylaw also sets out specific password requirements and rules that Licensees must adopt within their organisations. Passwords must be a minimum of ten characters, contain a combination of uppercase and lowercase letters, and be different from the user's username. Moreover, passwords must not contain identical characters next to each other. Licensees must also ensure that passwords are renewed every 90 days, and that a previously used password cannot be reused.
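As an added illustration (not part of the article or of the Bylaw's text), the following Python implements the Rule 11 password requirements described above as a validator, including the 90-day renewal and no-reuse rule. The case-insensitive username comparison and the salted hashing of the password history are assumptions of this example, not requirements stated in the Bylaw.

```python
from __future__ import annotations
import hashlib, hmac, os
from dataclasses import dataclass, field
from datetime import date, timedelta

MIN_LENGTH = 10    # Rule 11: at least ten characters
MAX_AGE_DAYS = 90  # Rule 11: renewal every 90 days

def rule_violations(password: str, username: str) -> list[str]:
    """Return the Rule 11 requirements a candidate password violates (empty means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if password.lower() == username.lower():  # assumption: compared case-insensitively
        problems.append("same as username")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("identical characters next to each other")
    return problems

def _hash(password: str, salt: bytes) -> bytes:
    # Keep only a salted, slow hash of each past password so the reuse check never stores plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)  # hashes of every password ever set
    last_changed: date | None = None

    def renewal_due(self, today: date) -> bool:
        """True when no password is set or the current one is older than 90 days."""
        return self.last_changed is None or today - self.last_changed > timedelta(days=MAX_AGE_DAYS)

    def set_password(self, password: str, today: date) -> list[str]:
        """Run the Rule 11 checks plus the no-reuse rule; store the password only if all pass."""
        problems = rule_violations(password, self.username)
        digest = _hash(password, self.salt)
        if any(hmac.compare_digest(digest, old) for old in self.history):
            problems.append("previously used password")
        if not problems:
            self.history.append(digest)
            self.last_changed = today
        return problems
```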
ICT security policies and business continuity plans
Licensees are required to arrange for ICT Security Policies and Business Continuity Plans to be put in place upon having these policies and plans approved by their boards of directors, pursuant to Rule 4 and Rule 23 of the Bylaw, respectively.
While the Bylaw does not prescribe the issues that must be included in the ICT Security Policy, the Business Continuity Plan must include identification of possible attacks and security breaches, an incident response plan, a communication plan, and an escalation matrix. Additionally, Licensees are also required to make arrangements for an offsite location for backups and disaster recovery in their Business Continuity Plans.
Infrastructure security, network security, and core system security
The Bylaw prescribes specific technical requirements that Licensees must comply with in relation to infrastructure security and core system security. Pursuant to Chapter 3 of the Bylaw, Licensees are required to implement specific technical requirements in relation to infrastructure security. For example, Licensees must use distributed denial of service ('DDoS') detection and mitigation systems to avoid possible DDoS attacks on network infrastructure, use a VPN when accessing systems remotely, deploy Mutually Agreed Norms for Routing Security ('MANRS'), and implement WLAN standards such as WPA-2/3.
Additionally, the Bylaw provides for security standards in relation to infrastructure security when using or accessing third party services. For example, Licensees are required to use two-factor authentication to authenticate users when granting third parties, such as value-added service providers, access to the core system.
It must be noted that the NTA, even prior to the Bylaw, had a practice of directing Licensees to block access to certain services through their network. For example, in 2018 NTA directed ISPs to block access to pornography through their networks. In a similar manner, Licensees are required to arrange for a network firewall to block unapproved or vulnerable services at the gateway itself, pursuant to Rule 34 of the Bylaw.
Chapter 4 of the Bylaw sets elaborate standards in relation to the security of the core system of the Licensee. 'Core system' has been defined as the system which provides core services, while 'core services' has been defined broadly to include services exposed to the public internet, such as web, email, domain name system, billing, customer relationship management, etc. To protect the core systems, Licensees are obliged to, inter alia:
- use a next generation firewall to protect their core service system from vulnerabilities, and to restrict access to default logins, and frequently update the firewall policy;
- define the maximum number of failed attempts within a time limit to save the system from brute force attacks on remote access ports;
- provision for an IP block list/allowed list and port-knocking as needed; and
- synchronise the system clocks of information processing systems within the organisation or security domain with an NTP server within the time zone of Nepal, to protect its public facing systems in the public DMZ.
Data security and privacy
While the Privacy Act 2018 and Privacy Regulation 2019 are the major pieces of legislation relating to the protection of private data and privacy, the Bylaw also sets out certain standards for the protection of data and privacy vis-à-vis data in the possession of Licensees. Importantly, Rule 52 of the Bylaw restricts Licensees from sharing the digital data of customers with the vendor or any other third party without the consent of the customer, except if required by law enforcement agencies. The enforcement agencies must obtain an order from a district court pursuant to the Access to Information (Procedural) Directive 2074 (2017) when requesting the data and information from Licensees. In case the data must be obtained in an urgent manner, for instance on a public holiday, law enforcement agencies can request the data and information upon informing the contact person designated by the judge of the court. The Bylaw does not define 'digital data', and it is likely that the term must be read in line with the restrictions on the use of all protected personal data and information under the Privacy Act.
In order to protect data and privacy, Licensees are required to:
- apply encryption techniques to data in transit;
- adopt data masking, anonymising techniques, or encryption for customer data and use hash encryption to store sensitive data; and
- sign non-disclosure agreements with employees, vendors, or any other third parties to prohibit copying, reproduction, distribution, or sale of the Licensee's digital data without the consent of the Licensee.
Obligation to conduct an information system audit
Chapter 7 of the Bylaw sets out the obligations in relation to system audits and the submission of audits to the authority. In total, the Bylaw prescribes three types of system or security audits or assessments, as follows:
- as per Rule 53 of the Bylaw, Licensees must have a dedicated security audit team and submit the security audit report to the authority (i.e. the NTA) every six months;
- Licensees are required to perform penetration testing and vulnerability assessment every three months; and
- Licensees must perform an information system audit on an annual basis in order to verify whether they have complied with the Bylaw. The information system audit must include the security policy and standards, and the audit checklist along with the inventory list of Licensees as prescribed in Annex 1 of the Bylaw. It must be noted that this information system audit will be verified by the NTA or the information security auditor appointed by the Government of Nepal ('IS Auditor'), and Licensees have an obligation to rectify the vulnerabilities and gaps identified by the IS Auditor.
Incident response teams and security operations centres
Licensees are required to form an incident response team or computer emergency response team ('CERT') within their organisations. The minimum number of members in a CERT, or qualifications required to be a member of such team are not defined.
Rule 60 of the Bylaw requires Licensees to coordinate with the task force of the NTA in order to minimise any loss and identify the source of attacks or threats. Nevertheless, there is ambiguity as to which events the NTA must be informed of, as the Bylaw does not define 'security incidents'.
In addition to CERTs, Licensees are also required to maintain security operation centres pursuant to Rule 64 of the Bylaw. These security operation centres are responsible for logging and monitoring security alerts and events at all times in order to avoid any severe impact on the service and business of the Licensee, and to take preventive measures based on security logs and events to avoid attacks.
Enhanced accountability of employees
The Bylaw places accountability on the employees of Licensees to strengthen the security protocols within Licensees by setting out the provisions relating to internal organisational structure and management of employees within the Licensee. For example, Rule 6 of the Bylaw requires Licensees to maintain an organogram with defined roles and responsibilities for its personnel (system operators, system developers, network administrator, etc.). Rule 7 provides for Licensees' obligation to arrange for employee related policies to address proper handling of social media, use of official and personal devices, and handling of official emails and accounts. Furthermore, Licensees are required to conduct security awareness and capacity building programs for their employees and relevant stakeholders as per Chapter 11 of the Bylaw, although the frequency of such programs is not specified.
Non-compliance as an offence
The Bylaw has been issued by the NTA, acting in accordance with its power granted by section 62 of the Telecommunications Act 1997. As per section 57 of the Telecommunications Act, the NTA may impose a fine of up to NPR 50,000 (approx. €370) on any person who does not comply with an order or directive issued by the NTA. The NTA also has the authority to order payment of compensation or damages suffered by any party because of a failure of a person to comply with an order or directive issued by the NTA.
Accordingly, Licensees may be fined the amount of NPR 50,000 (approx. €370) for their failure to comply with the Bylaw. In case of loss or damage to any customer as a result of a cyber-attack on the system of Licensees, Licensees may also be liable to pay compensation for the loss or damage suffered by their customers.