Unwinding CERT-In’s Directions on cyber security practices and reporting of cyber incidents

1. Introduction

With information leaks, ransomware assaults and different cyber security incidents turning into more and more rampant and round 18% (eighteen per cent) of Indians being victims of such cyber security incidents[1], one would anticipate the Indian Computer Emergency Response Team (“CERT-In”) – “the trusted referral company for cyber customers in India for responding to cyber security incidents”[2] to be main half of the discourse on cyber security in India. On the opposite, to date, the CERT-In has not been almost as conspicuous or pro-active as different Indian governmental companies in exercising its powers till just lately when it issued ‘Directions regarding data security practices, process, prevention, response, and reporting of cyber incidents’ (“the Directions”) and explanatory FAQs thereunder (“the FAQs”).[3]

This article seeks to unwind the function of CERT-In, the Directions and the trail forward for affected stakeholders.

2. What is CERT-In, its roles and features?

The CERT-In has been practical underneath the Ministry of Electronics and Information Technology, Government of India (“MEITY”) since January, 2004.[4] CERT-In was designated because the nodal company for responding to laptop security incidents as and once they happen by way of an modification to the Information Technology Act, 2000 (“IT Act”) in 2008.[5] Accordingly, the designated features of CERT-In is to be the nationwide company for (i) assortment, evaluation and dissemination of data on cyber incidents[6]; (ii) forecast and alerts of cyber security incidents[7]; (iii) coordination of cyber incidents response actions; (iv) concern pointers, advisories, vulnerability notes and white papers regarding data security practices, procedures, prevention, response and reporting of cyber incidents; and (v) such different features regarding cyber security as could also be prescribed by MEITY.[8]

In gentle of the aforesaid features, MEITY has issued the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”). The CERT-In Rules inter alia supplies for the requirement to mandatorily report sure cyber security incidents, the way of responding to such incidents by CERT-In, the gathering, evaluation and disclosure of data regarding such cyber security incidents together with the ability of CERT-In to concern instructions and making certain its compliance. The mentioned reporting obligations nonetheless is obligatory for service suppliers, intermediaries, information facilities and physique corporates underneath the CERT-In Rules[9]. It is underneath the CERT-In Rules learn with Section 70B (6) of the IT Act that the Directions have been issued.

3. Highlights of the Directions and Stakeholder Concerns 

The Directions mandate 6 (six) necessities to be adhered to by all service suppliers, intermediaries, information centres, physique company and Government organisations, nonetheless, sure necessities prescribed underneath the Directions are extra particularly relevant to Virtual Private Servers (“VPS”), Cloud Service Providers (“CSP”), Virtual Private Network (“VPN”) service suppliers, digital asset service suppliers, digital asset exchanges and custodian wallets. (collectively “Stakeholders”).[10] The highlights of these necessities have been supplied hereinbelow:

a. Synchronization with National Time Protocol – All Stakeholders have been mandated to synchronise their Information and Communication Technology (“ICT”) system clocks with the National Time Protocol (“NTP”) server of the National Informatics Centre (“NIC”) or the National Physical Laboratory (“NPL”). An exception has been carved out within the FAQs for Stakeholders with ICT infrastructure throughout a number of geographies whereby  they’re free to make use of correct and commonplace time supply aside from NPL and NIC supplied that the time supply relied on by such Stakeholders don’t deviate from NPL or NIC. MEITY within the FAQ has clarified that the intention of introducing this requirement within the Directions is to make sure that solely commonplace time services are used throughout all entities.[11] Although,  a number of issues have been raised on this regard by Stakeholders stating that issues concerning latency might be extenuated provided that probably the most Stakeholders already use greater high quality servers which might be already out there to them. Questions have additionally been raised concerning the reliability of NIC and/or NPL servers which can be simply overwhelmed.[12] Further, within the FAQs, the MEITY has additionally clarified that, there isn’t a must mandatorily set system clocks in Indian Standard Time (IST) and the present directive requires uniform time synchronisation throughout all ICT techniques irrespective of time zone.

b. Mandatory Reporting of Certain Cyber Security Incidents – All Stakeholders mandatorily need to report cyber incidents talked about in Annexure-I of the Directions inside 6 (six) hours of noticing such incidents. It is to be famous that Annexure-I of the Directions provides 10 (ten) new varieties of cyber incidents which might be mandatorily required to be reported along with the ten (ten) varieties of cyber incidents that had been already prescribed underneath the Annexure to the CERT-In Rules. The new additions inter alia embrace (a) information breaches; (b) information leaks; (c) assaults by way of malicious cellular apps; (d) assaults or incidents affecting digital funds; (e) unauthorised entry of social media accounts; (f) Attacks or malicious/suspicious actions affecting techniques/ servers/ networks/ software program/ functions associated to cloud computing, blockchain, digital property and so forth.

MEITY has clarified within the FAQs that the burden of reporting such cyber security incidents has been positioned on any entity that notices it and that such obligation can’t be handed all the way down to another entity contractually. Additionally, provided that this  requirement has been extensively debated and criticised, MEITY has, within the FAQs clarified that the requirement for reporting inside 6 (six) hours is proscribed to the supply of data out there to the Stakeholder at such time and that extra data might be reported to CERT-In later inside ‘affordable time’.[13] Additionally, given that there’s ambiguity on the which means of the categories of cyber security incidents to be reported to CERT-In (as listed within the Annexure I of the Direction), MEITY has supplied an illustrative checklist of explanations on the categories of cyber security incidents required to be reported in Annexure-I of the FAQs.[14] That mentioned, Stakeholders have raised issues stating that the categories of cyber security incidents required to be mandatorily reported are quite a few and have broad connotations. It is feared that this requirement could not solely be onerous to Stakeholders but additionally could worsen the scenario for cyber security in India because the capability of CERT-In to successfully reply to the sheer quantity of the cyber security incidents that it might obtain can be drastically lowered.[15]

c. Mandatory upkeep of logs by all Stakeholders – The Directions require all Stakeholders to mandatorily allow logs of all their ICT techniques securely on a rolling foundation for a interval of 180 (100 and eighty) days and preserve the identical inside Indian jurisdiction.  Such logs are required to be produced when ordered by CERT-In. However, MEITY has clarified within the FAQs that such logs could be saved outdoors India additionally if the duty to provide the identical to CERT-In is adhered to by the entities in an affordable time.[16] MEITY has additionally clarified within the FAQs that the requirement to keep up and produce such logs isn’t solely on Indian entities but additionally on any entity that provides companies to customers in India. Several issues pertaining to privateness and safety of private data of customers, particularly information topics of overseas jurisdictions akin to Europe and the USA and its long run affect on the free transferability of information have been raised by Stakeholders[17] though they appear to have gone unaddressed within the FAQs.[18]

d. Registration of sure data by VPS, VPN and CSP – VPS, VPN and CSPs have been mandated to gather and preserve data its respective subscribers/prospects for a interval at least 5 (5) years. The data required to be collected and saved as per the Directions embrace (a) validated names, tackle, and contact particulars of the subscribers/prospects; (b) interval of rent/engagement; (c) e-mail id and IP tackle used throughout registration amongst others. Additional clarification on the kind of information sought to be collected and saved by VPS, VPN and CSP has been given within the FAQs whereby it has been clarified that the Directions apply to VPN service suppliers who present “web proxy like companies” and to not enterprise/company VPNs.[19] This directive has seen the sharpest criticism by removed from affected Stakeholders and has additionally led to the exodus of VPN service suppliers out of India successfully being a dying knell for high quality VPN companies in India.[20]

e. Appointment of a Point of Contact – The Directions require all Stakeholders to nominate some extent of contact to interface with the CERT-In very like the nodal officer envisioned in Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”). Further clarifications on this regard have been supplied within the FAQs whereby it has been confirmed that even these entities which would not have a bodily presence in India however provide companies to customers in India must appoint some extent of contact. The far reaching penalties of this requirement particularly from a tax residence, everlasting institution and so forth. could need to be examined.

f. Maintenance of Know Your Customer Records – All digital asset service suppliers, digital asset alternate suppliers and custodian pockets service suppliers have been directed to keep up all Know Your Customer (“KYC”) information obtained by them for a interval of 5 (5) years. While the competence of CERT-In to concern instructions concerning KYC information  in itself has been questioned by some, there may be extreme regulatory uncertainty vis-à-vis digital property and digital asset exchanges even with regard to the applicability of the KYC norms prescribed by the Reserve Bank of India, the Securities and Exchange Board of India (“RBI”) and the Department of Telecom (all referenced within the Directions) to entities coping with digital property. In such a situation, one could argue that CERT-In neither has the legislative competence neither is it prudent for it to intrude in sectors which have already been nicely regulated by extra environment friendly sectoral regulators such because the RBI.

4. INDUSLAW View & The Path Ahead

The Directions has now come into power efficient from June 27, 2022 apart from micro, small and medium enterprises and for VPS, VPN and CSPs concerning the upkeep of validated data of customers/prospects as supplied within the Directions. The efficient date for such exempted Stakeholders has been prolonged to September 25, 2022. That mentioned, all different Stakeholders need to adjust to the Directions instantly if not already in compliance, particularly provided that the penalty relevant for non-compliance features a punishment of imprisonment for a time period of as much as 1 (one) 12 months or with wonderful which can of as much as INR 1,00,000/- (one lakh rupees), (roughly USD 1,250/-) or each.[21] It is to be famous that by advantage of the extraterritorial applicability of the IT Act,[22] the Directions should not solely relevant Stakeholders in India however can be relevant to overseas Stakeholders who serve prospects in India. The similar has additionally been reiterated within the FAQs.[23]

That being mentioned, the trail to compliance could also be onerous and toilsome for all Stakeholders given the strategy adopted by MEITY in addressing the issues of the trade as is clear from  its determination to maintain the 6 (six) hour timeline for reporting of cyber security incidents unchanged regardless of representations from affected Stakeholders[24] and its statements inviting Stakeholders who don’t adjust to the Directions to go away India.[25] In the present situation, probably the most prudent course of motion is to adjust to the Directions on a greatest efforts foundation and being clear with authorities concerning the challenges that Stakeholders face on this regard.