New Cybersecurity Incident Reporting Directions
(Vikram Jeet Singh, Kalindhi Bhatia & Prashant Daga)
The Indian Information Technology Act, 2000 (“IT Act”) designates the Indian Computer Emergency Response Team (“CERT-In”) to serve as the national agency for safeguarding cyber space in India. CERT-In can requisition information from entities targeted by cyber security attacks. Until now, the enforcement of compliance with the obligations on private entities to report cyber security incidents to CERT-In has been sporadic. Now, the Directions introduce compliances which may compel companies to revise their reporting strategy. These Directions shall be applicable from June 28, 2022.
The Directions introduce the following key compliances:
1. Synchronization of ICT system clocks: All service providers, intermediaries, data centres, and body corporates (“Entities”) are required to connect to the Network Time Protocol (“NTP”) server of the National Informatics Centre (“NIC”) or the National Physical Laboratory (“NPL”), or to NTP servers traceable to the NTP servers of NIC/NPL, for synchronization of their information and communication technology (“ICT”) system clocks. Entities with cross-border ICT infrastructure may use ‘time sources’ other than NPL and NIC as long as those sources do not deviate from NPL/NIC time.
2. Cyber security incident reporting: All Entities are now mandated to report cyber security incidents to CERT-In within 6 hours of noticing an incident or of being informed of one. Earlier, the requirement was to report ‘within a reasonable timeframe’, which left Entities latitude as to when to act. (That said, the consequences of not reporting a cyber security incident or not complying with CERT-In requests remain the same as under Section 70(B) of the IT Act, i.e., imprisonment (in egregious cases) and/or a fine of up to INR 100,000.) Cyber security incidents include (inter alia) unauthorized access to IT systems/data; compromise of critical systems; data breach; data leak; identity theft and phishing; malware affecting cloud computing systems, software related to big data, blockchain, virtual assets, drones, additive manufacturing, AI/ML; cyber threats/attacks on social media accounts, payment systems, IoT devices; etc. (Please refer to Annexure I of the Directions for the complete list of instances classified as a cyber security incident).
3. Store logs locally: All Entities have been mandated to enable logging on their ICT systems and to maintain the logs securely, within India, for a rolling period of 180 days. This information is to be submitted when reporting a cyber security incident or when required by CERT-In.
   - Maintain information on customers: Data Centres, Virtual Private Service Providers (VPS), Cloud Service Providers and Virtual Private Network Service Providers (VPN Service) are now required to maintain certain information pertaining to customers (such as names of subscribers/customers, IP addresses allotted to members, contact details and ownership pattern of the subscribers/customers, etc.) for a period of 5 years.
   - KYC records: Virtual asset service providers and exchange providers (such as NFT platforms and cryptocurrency exchanges) are mandated to keep a record of all information obtained as part of Know Your Customer (“KYC”) checks, together with transaction data (e.g., IP addresses, account details, etc.), for a period of 5 years. (Please refer to Annexure III of the Directions for details of the KYC information to be maintained).
4. Point of Contact: All Entities have to designate a Point of Contact to act as liaison between the Entity and CERT-In. Details of this Point of Contact are to be intimated to CERT-In.
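For the clock-synchronization requirement in item 1, an added example (not code from the Directions or the authors): a small SNTP client in Python that measures how far a host's clock deviates from a designated time source, using the RFC 4330 offset formula. The server hostnames are placeholders to be replaced with the NIC/NPL servers (or servers traceable to them), and the 1-second tolerance is an assumption, since the Directions set no numeric threshold.

```python
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800  # seconds from the NTP epoch (1900) to the Unix epoch (1970)
# Placeholder hostnames: substitute the NIC/NPL NTP servers or servers traceable to them.
MANDATED_NTP_SERVERS = ["ntp.nic.example", "ntp.npl.example"]
TOLERANCE_SECONDS = 1.0  # assumed threshold; the Directions give no numeric figure

def ntp_to_unix(raw: int) -> float:
    """Convert a 64-bit NTP timestamp (32-bit seconds, 32-bit fraction) to Unix seconds."""
    return (raw >> 32) - NTP_EPOCH_DELTA + (raw & 0xFFFFFFFF) / 2**32

def unix_to_ntp(t: float) -> int:
    secs, frac = divmod(t, 1)
    return ((int(secs) + NTP_EPOCH_DELTA) << 32) | int(frac * 2**32)

def build_request(t1: float) -> bytes:
    """48-byte client packet: LI=0, VN=4, Mode=3; our transmit timestamp T1 sits in bytes 40..48."""
    return struct.pack("!B", 0x23) + b"\x00" * 39 + struct.pack("!Q", unix_to_ntp(t1))

def build_response(t2: float, t3: float, stratum: int = 1) -> bytes:
    """Constructed server reply (Mode=4) for offline testing: receive timestamp T2, transmit T3."""
    return struct.pack("!BB", 0x24, stratum) + b"\x00" * 30 + struct.pack("!QQ", unix_to_ntp(t2), unix_to_ntp(t3))

def compute_offset(response: bytes, t1: float, t4: float) -> float:
    """Local clock offset relative to the server: ((T2 - T1) + (T3 - T4)) / 2, per RFC 4330."""
    if len(response) < 48:
        raise ValueError("short NTP packet")
    if response[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if response[1] == 0:
        raise ValueError("stratum 0: server unsynchronised or kiss-o'-death")
    t2, t3 = (ntp_to_unix(v) for v in struct.unpack("!QQ", response[32:48]))
    return ((t2 - t1) + (t3 - t4)) / 2

def query_offset(server: str, timeout: float = 3.0) -> float:
    """Live query over UDP/123 against one configured source; not exercised by the offline test."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (server, 123))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    return compute_offset(data, t1, t4)

def within_tolerance(offset: float, tolerance: float = TOLERANCE_SECONDS) -> bool:
    return abs(offset) <= tolerance
```

Running `query_offset` against each entry in `MANDATED_NTP_SERVERS` on a schedule and alerting when `within_tolerance` is false gives an auditable record that the clocks stayed aligned with the mandated source.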
What this means for you
Businesses will be tasked with the responsibility to report cyber security incidents, store specified information, and furnish it when required. Companies will need to formulate standard operating procedures in response to a cyber security incident/threat, formulate record-retention policies, etc. As a knock-on effect, contractual confidentiality obligations towards customers/end-users may have to be revised in light of the data disclosure duties under these Directions.
It remains to be seen whether these Directions are implemented “as is” in 2 months’ time, or whether they meet pushback from stakeholders.