How to comply with the CERT-IN India 6 hours timeline?

The Indian Computer Emergency Response Team (“CERT-In”) has notified new directions dated 28 April 2022, under sub-section (6) of section 70B of the Information Technology Act, 2000, relating to information security practices, procedure, prevention, response and reporting of cyber incidents for a Safe & Trusted Internet (“Directions”). CERT-In is a functional organization of the Ministry of Electronics and Information Technology (“MeitY”), Government of India, with the objective of securing Indian cyber space. CERT-In provides incident prevention and response services as well as security quality management services. The mission of CERT-In is to enhance the security of India’s communication and information infrastructure through proactive action and effective collaboration.

The Directions were issued on 28 April 2022 and come into effect 60 days from the date of issue. They mandate compliance in relation to cyber security incidents by fixing timelines for reporting of incidents, requiring storage of system logs within Indian jurisdiction, granting CERT-In the power to seek information, and prescribing norms for data retention.

Key Highlights of the Directions for reporting Cyber incidents

Reporting of incidents within 6 hours: The Directions require any service provider, intermediary, data center, body corporate and government organization to mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. The types of cyber security incidents which must be reported by service providers, intermediaries, body corporates and government organizations include targeted scanning or probing of critical networks, identity theft, phishing, data breaches, data leaks, unauthorized access to IT systems, defacement of or intrusion into a website, and unauthorized changes such as insertion of malicious code or links to external websites.

While an obligation to report cyber security incidents already exists under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013, those rules prescribed no time limit and required only that incidents be reported within a reasonable period. The Directions have provided clarity in this regard by fixing a timeline of 6 hours.

Crypto exchanges and wallets to maintain KYC Details and records

Virtual asset service providers, virtual asset exchange providers and custodian wallet providers will have to mandatorily maintain KYC details and records of financial transactions for a period of five years, so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.

Further, the Directions mandate that transaction records shall be maintained in such a way that an individual transaction can be reconstructed together with its relevant elements, comprising information identifying the relevant parties (including IP addresses along with timestamps and time zones), the transaction ID, the public keys (or equivalent identifiers), the addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.

Service Providers to maintain information

Data centers, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network service (VPN service) providers are required to register and maintain information pertaining to the names of subscribers, the period of hire and the IPs allotted to or being used by subscribers, among other details, for a period of 5 years or longer as mandated by law after any cancellation or withdrawal of the registration.

Designation of a Point of Contact

Service providers, intermediaries, data centers, body corporates and government organizations are mandated to designate a Point of Contact to interface with CERT-In. All communications from CERT-In seeking information and providing directions for compliance shall be sent to that Point of Contact.

Order/Directions issued by CERT-In

For the purpose of cyber incident response and protective and preventive action related to cyber incidents, CERT-In can issue orders to entities requiring them to take action and to furnish information that may be of assistance to CERT-In. The order may specify the format of the information and a time-frame for providing it. Non-adherence to such an order would be treated as non-compliance with the Directions.

Maintenance of Logs

The Directions mandate that all service providers, intermediaries, data centers, body corporates and government organizations shall enable logs of all their ICT systems and maintain them securely for a period of 180 days within Indian jurisdiction. Such logs will have to be provided to CERT-In along with the reporting of any incident, or when ordered or directed by CERT-In.

The ambit of this provision is broad and has the potential to bring under its lens service intermediaries that have no physical presence in India, which would nonetheless be required to maintain system logs in India.

Penalty

Failure to comply with the Directions will result in both imprisonment of up to 1 year and a fine which may extend to 1 lakh rupees.

Conclusion

The Directions do come as a surprise in terms of their broadly worded provisions. While the intention behind them is laudable, the provisions are overreaching and may not be the most efficient manner of dealing with cybersecurity threats. Considering that the Directions require several technological changes, businesses must internally assess their practices and determine how and where changes are required. In some cases, constant manual intervention may also be required.

Considering that the Directions have far-reaching implications along with penal consequences, it would be helpful if CERT-In could provide a window for queries from industry participants and other stakeholders, following which the requisite clarifications or amendments to the Directions could be issued.

To learn more about how Ardent Privacy can help you comply with the CERT-In 6 hours timeline, reach out to schedule a demo with one of our technical experts.

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with various global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.