CERT Directions Relating to Information Security Practices, Prevention and Reporting of Cyber Incidents

Introduction

The Ministry of Electronics and Information Technology (“MEIT”) along with the Indian Computer Emergency Response Team (“CERT”) vide Notification No. 20(3)/2022-CERT-In [1] dated April 28, 2022 (“Notification”) have issued directions under section 70B(6) of the Information Technology Act, 2000 (“IT Act”) relating to information security practices, procedure, prevention, response and reporting of cyber incidents for a safe and trusted internet. The directions notified under the Notification were proposed to become effective 60 (sixty) days from the date of issuance, i.e., with effect from June 28, 2022.

The implementation of the Notification has however been extended (vide notification dated June 27, 2022 [2]) to September 25, 2022 for: (i) the Micro, Small, & Medium Enterprises (MSME) sector; and (ii) the requirement relating to the aspects of registration and maintenance of “validated names of subscribers/customers hiring the services” and “validated address and contact numbers” by data centres, virtual private server (“VPS”) providers, cloud service providers and virtual private network service (“VPN Service”) providers.

In terms of the IT Act, CERT has been designated as the national agency for performing various functions vis-à-vis cyber security and is empowered to call for information and give directions to service providers, intermediaries, data centres and body corporates.

Directions

For the purposes of security and defense of India and for inter alia preventing incitement to the commission of any cognizable offence using computer resource or for handling of any cyber incident, the Notification has issued the following directions:

  1. Synchronization of System Clocks: All service providers, intermediaries, data centres, body corporate and government organizations will need to connect to the Network Time Protocol (“NTP”) Server of National Informatics Centre (“NIC”) or National Physical Laboratory (“NPL”) or with NTP servers traceable to these NTP servers, for synchronization of all their Information and Communication Technology (“ICT”) systems clocks. Entities having ICT infrastructure spanning multiple geographies may also use an accurate and standard time source other than NPL and NIC; however, it must be ensured that their time source does not deviate from NPL and NIC.
  2. Reporting of Cyber Incidents: Any service provider, intermediary, data centre, body corporate and government organization shall mandatorily report cyber incidents such as targeted scanning/probing of critical networks/systems; compromise of critical systems/information; unauthorized access of IT systems/data and such other incidents as stated in Annexure I of the Notification to CERT within 6 (six) hours of noticing such incidents or being brought to notice about such incidents.
  3. Compliance with Directions: When required by the order(s)/direction(s) of CERT, the service provider/intermediary/data centre/body corporate is mandated to take action, or provide information or any such assistance to CERT, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. Non-compliance with the directions of CERT would be treated as non-compliance with the Notification.
  4. Point of Contact: The service providers, intermediaries, data centres, body corporate and government organizations will need to designate a Point of Contact to interface with CERT. All communications from CERT seeking information and providing directions for compliance will be sent to the said Point of Contact.
  5. Maintenance of Logs: All service providers, intermediaries, data centres, body corporates and government organizations will need to mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and maintain the same within the Indian jurisdiction. These should be provided to CERT along with reporting of any incident or when ordered/directed by CERT.
  6. Maintenance of Information: Data centres, VPS providers, cloud services providers and VPN Service providers shall be required to register and maintain accurate information including names of subscribers hiring the services, e-mail addresses and IP addresses, purpose of hiring, contact details, ownership pattern of the subscribers etc., for a period of 5 (five) years or longer duration as mandated by the law after any cancellation or withdrawal of the registration, as the case may be.
  7. KYC Requirements: The virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance) will also need to mandatorily maintain all information obtained as part of Know Your Customer (KYC) (as prescribed under Annexure III of the Notification) and records of financial transactions for a period of 5 (five) years so as to ensure cyber security in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets.

Analysis

The Notification has referred to various instances of cyber incidents and cyber security incidents and the absence of requisite information, as the data is either unavailable or not readily available with service providers/data centres/body corporates, which hampers investigation and co-ordination as per the process of law. To minimize and mitigate these information technology compliance shortcomings of Indian service providers/intermediaries, CERT believes that the above directions would secure the cyber security infrastructure and would develop the incident reporting functionaries within the country.

However, the Notification and its directions have also been widely criticized by civil society for their lack of transparency, including the manner of their announcement without any prior consultation. The requirement of data collection, storage and retention, including maintenance of data for a period of 5 years or longer as may be mandated by the law after cancellation or withdrawal of registration by VPS providers, data centres, VPNs etc., has been argued to be excessive and unwarranted. The Notification is indeed stringent, and the tedious data localization requirement under the Notification that requires the service providers to maintain logs securely within the Indian jurisdiction is a cause of concern. Concerns are also being raised about privacy violations of users, especially in the absence of a working privacy/data protection law in India, which has long been pending in draft and discussion. Further, the requirement that service providers/intermediaries report cyber incidents to CERT within 6 (six) hours of noticing such incidents or being brought to notice about such incidents is being argued to be burdensome and impractical. Exposure to punitive action for failure to furnish the information or non-compliance with the directions in terms of the Notification under the IT Act, 2000 and other applicable laws is causing further heartburn.

Whether the Notification will have the long-term beneficial impact and compliance suggested by CERT, or will instead lead to forced exits from the Indian markets by service providers and VPN operators and/or dissuade foreign service providers from introducing their services and products in India, remains to be seen once the Notification is fully implemented.

Endnotes:

[1] https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

[2] https://www.cert-in.org.in/PDF/CERT-In_directions_extension_MSMEs_and_validation_27.06.2022.pdf