On 28th April 2022, the Indian Computer Emergency Response Team (“CERT-In”) issued ‘Directions under Section 70B (6) of the Information Technology Act, 2000 (“IT Act”) enlarging reporting obligations of several categories of corporate organizations in relation to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet’ (“Directions”).
The Directions will come into effect after 60 days from the date of issue, i.e., on 27th June, 2022, and are applicable to all service providers (such as Virtual Private Server (“VPS”) providers, Cloud Service providers and Virtual Private Network Service (“VPN Service”) providers), intermediaries, data centres, body corporate (“relevant entities”) and Government organisations.
The purpose of introducing the Directions is to streamline the tracking and reporting of cyber security incidents and the taking of required action, which according to the CERT-In becomes a challenge, since the requisite information is not found available/not readily available with the relevant entities to carry out the analysis and investigation as per the process of law.
- Short 6 Hour Reporting Requirement: The Directions have made it mandatory for relevant entities to report cyber security incidents to the CERT-In within 6 hours of noticing any cyber security incidents or the same being brought to notice.
- Expansion of types of cyber security incidents requiring mandatory reporting: Recognising the spread of technology, Annexure-I of the Directions has added new categories/types of cyber security incidents that are mandatorily required to be reported, including contemporary technology related concerns like “malicious code attacks such as Ransomware/Cryptominers”, “Data Breach”, “Data Leak”, “Fake Mobile Apps”, “Unauthorised access to social media accounts”, “Attacks or incident affecting Digital Payment systems”, “Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers” etc.
- Registration obligations on VPN Service providers, VPS providers, Cloud Service providers and Data Centres: Such entities are required to mandatorily register accurate information (such as validated names of subscribers, email addresses and IPs allotted to members, validated address & contact numbers) which must be maintained by them for a period of 5 years or a longer duration as mandated by the law after any cancellation or withdrawal of the registration.
- Order/Direction by CERT-In for cyber incident response: When required, CERT-In may issue an order/direction for cyber incident response to the relevant entity which in turn will be mandated to take action/provide information/any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness. The order/direction may include the format of the information that is required (up to and including near real-time), and a specified timeframe, which has to be mandatorily adhered to.
- Designation of Point of Contact (“POC”) with CERT-In: Relevant entities are required to provide the POC related information to CERT-In as per the format prescribed in Annexure-II. All communications from CERT-In seeking information and providing directions for compliance shall be sent to a POC designated by the entities.
- Record Maintenance by Virtual Asset Service Providers (“VASP”), Virtual Asset Exchange Providers (“VAEP”) and Custodian Wallet Providers (“CWP”):
  - The VASP, VAEP and CWP (as defined by Ministry of Finance from time to time) shall mandatorily maintain all information obtained as part of Know Your Customer (“KYC”) and records of financial transactions for a period of five years to ensure cyber security in areas related to payments and financial markets for citizens. The KYC Requirements are detailed in Annexure III.
  - With respect to transaction records, entities will be required to maintain accurate information in such a manner that individual transactions can be reconstructed with information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
- Synchronisation and alignment of clocks: Relevant entities have been directed to connect to the Network Time Protocol (“NTP”) Server of National Informatics Centre (“NIC”) or National Physical Laboratory (“NPL”) for synchronisation of system clocks. Entities having infrastructure spanning multiple geographies may also use an accurate and standard time source other than NPL and NIC; however, it is to be ensured that their time source does not deviate from NPL and NIC.
- Penalisation: In the instance of a cyber security incident, the relevant entities under the Directions must furnish details as mandated by CERT-In. Failure to furnish the information or non-compliance with the Directions (and CERT-In orders issued under these Directions) is likely to invite punitive action under Section 70B (7) of the IT Act i.e. imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both. Entities may also be penalised under other corresponding laws as applicable.
The Directions have brought about a significant enlargement in the scope of obligations and reporting requirements for relevant entities, as can be seen from the differences between the Directions and the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (“CERT-In Rules 2013”). For instance, the categories of entities have been specifically identified and expanded; a specific mandatory reporting requirement within a 6-hour timeline has been prescribed (which wasn’t the case previously); the types of cyber security incidents that require mandatory reporting have been expanded in Annexure I of the Directions, including contemporary technology related concerns like “Ransomware and Cryptominers”, “Fake Mobile Apps”, “Data leaks”, “Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers” etc.
Offshore entities and servers will also be impacted given that there is a mandatory requirement to enable ICT system logs for a 180-day period (on a rolling basis) within the Indian jurisdiction.
Additionally, the maintenance and reporting obligations to CERT-In relating to KYC data, transaction data etc. may have potential privacy related implications, given that the Data Protection Bill, 2021 is still on the anvil and hasn’t been introduced yet. Therefore, there is a vacuum from the perspective of statutory protection of personal data/sensitive personal data.