CERT-In has published Frequently Asked Questions (“FAQs”) in furtherance of its Cyber Security Directions dated 28th April 2022 (“CERT-In Directions”). The FAQs respond to the general queries received by CERT-In.
The FAQs state that “The CERT-In Directions are intended to mandate cyber security best practices by the service providers and organisations so that safety of users’ data is ensured and trusted services are available to users on continuous basis.” Implementation of the measures mandated in the CERT-In Directions is aimed at facilitating timely detection and mitigation of breaches and effective investigation of cyber-crimes.
The FAQs state that CERT-In, under the aegis of MeitY, held a stakeholder consultation in March 2022 towards finalisation of the directions.
Clarifications provided under the FAQ’s:
The FAQs clarify that while the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules 2021”) concern themselves solely with “Intermediaries”, the CERT-In Directions have a wider scope, with their applicability covering not only Intermediaries but also service providers, data centres, body corporate, Virtual Private Server (VPS) providers, Cloud service providers, VPN Service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and Government organisations. [Sl. No. 11 of the FAQ]
The FAQs clarify that the term “body corporate” is to be understood as explained under Section 43A of the Information Technology Act, 2000 (“IT Act”), i.e., “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities. [Sl. No. 25 of the FAQ]
On the issue of whether the CERT-In Directions apply only to Indian companies or also to foreign firms that serve Indian customers, and to virtual asset service providers, virtual asset exchange providers and custodian wallet providers not located in India but catering to Indian users, the FAQs clarify that the CERT-In Directions are applicable to any entity only in the matter of cyber incidents and cyber security incidents. Section 1 and Section 75 of the IT Act are referred to in order to highlight the extra-territorial application of the IT Act and, consequently, of the CERT-In Directions. [Sl. No. 26 and 27 of the FAQ]
On the question of whether entities are required to report information regarding cyber security incidents that have affected their data stored in a third party’s systems, the FAQs affirm this by stating that the CERT-In Directions are applicable to all entities in so far as reporting of a cyber incident is concerned. [Sl. No. 31 of the FAQ]
The FAQs also state that a “VPN Service provider” refers to an entity that provides “Internet proxy like services” through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users. Accordingly, the requirement to register and maintain certain specific information about subscribers/customers would not apply to Enterprise/Corporate VPNs. [Sl. No. 34 of the FAQ]
- Reporting Requirements and Designating a PoC:
The FAQs provide an illustrative list of explanations of the types of incidents referred to in Annexure I of the CERT-In Directions. [Sl. No. 9 of the FAQ]
In case multiple parties are affected by a cyber security incident, such as a consumer-facing business as well as its outsourcing partner, the FAQs clarify that any entity which notices the cyber security incident shall report it to CERT-In, and that the obligation to report a cyber incident is neither transferable nor indemnified or dispensed with. [Sl. No. 13 of the FAQ]
Further, with respect to whether “vulnerability reporting” as mentioned in Para 2, Rule 12(1)(a) of the CERT-In Rules, 2013 is mandatory, the FAQs clarify that “the reporting of vulnerability as a standalone or in isolation, unconnected with the cyber security incident is not mandatory.” (emphasis supplied). [Sl. No. 15 of the FAQ]
On whether service providers who do not have a physical presence in India are required to designate a Point of Contact, the FAQs confirm that service providers, intermediaries, data centres and body corporate offering services to users in India (even if they do not have a physical presence in India) shall designate a Point of Contact to liaise with CERT-In. [Sl. No. 29 of the FAQ]
In relation to the 6-hour reporting requirement, the FAQs clarify that entities may provide information to the extent available at the time of reporting, and additional information may be reported later within a reasonable time period. Furthermore, the 6-hour reporting timeline will apply to the incidents (under Annexure I of the CERT-In Directions) as long as they fall under the four broad descriptions/criteria provided in the FAQs:
- Cyber incidents and cyber security incidents of severe nature (such as denial of service, distributed denial of service, intrusion, spread of computer contaminant including Ransomware) on any part of the public information infrastructure including backbone network infrastructure
- Data Breaches or Data Leaks
- Large-scale or most frequent incidents such as intrusion into computer resource, websites etc.
- Cyber incidents impacting safety of human beings [Sl. No. 30 of the FAQ]
From a practical perspective, the broad descriptions/criteria provided by CERT-In may end up covering most, if not all, cyber security incidents listed under Annexure I of the directions, given that CERT-In sets out no distinctions in terms of proportionality, severity and extent of cyber incidents.
- Privacy Related Concerns:
With regard to the impact of the CERT-In Directions on the Right to Privacy of individuals, the FAQs state that the right to informational privacy of individuals is not affected by the CERT-In Directions and that the CERT-In Directions do not envisage CERT-In seeking information from service providers on a continuing basis as a standing arrangement. CERT-In may seek information from service providers in case of cyber security incidents and cyber incidents, on a case-to-case basis, for discharge of its statutory obligations to enhance cyber security in the country. [Sl. No. 20 of the FAQ]
The FAQs note that the obligation to report cyber security incidents to CERT-In, as enshrined in Section 70B of the IT Act, 2000 read with the CERT-In Rules, 2013, is statutory in nature and, by virtue of Section 81 of the IT Act, overrides any confidentiality clause in an entity’s agreement with its customer that would otherwise bar disclosure of such details. [Sl. No. 22 of the FAQ]
- Logs and Data Localisation:
On the aspect of whether logs of foreign service providers and the foreign part of financial transactions need to be stored in the Indian jurisdiction, the FAQs state that any service provider offering services to users in the country needs to enable and maintain logs and records of financial transactions in the Indian jurisdiction. [Sl. No. 36 of the FAQ]
Further, CERT-In has clarified that logs may be stored outside India as long as entities adhere to the obligation to produce logs to CERT-In within a reasonable time. [Sl. No. 35 of the FAQ]
Regarding the type of logs to be stored for ICT systems to help in cyber incident analysis, the FAQs clarify that the logs to be maintained depend on the sector the organisation is in, such as firewall logs, Intrusion Prevention System logs, SIEM logs, web/database/mail/FTP/proxy server logs, event logs of critical systems, application logs, ATM switch logs, SSH logs, VPN logs, etc. The list of logs is not exhaustive but has been mentioned to provide a “flavour of logs” to be maintained by the relevant teams. From the incident response and analysis perspective, both successful and unsuccessful events shall be recorded. [Sl. No. 37 of the FAQ]
- Synchronisation of Clocks:
On the rationale behind the requirement to synchronise ICT system clocks with the Network Time Protocol (“NTP”) Server of the National Informatics Centre (“NIC”) or the National Physical Laboratory (“NPL”), the FAQs state that the requirement of synchronising time is stipulated to ensure that only standard time facilities are used across all entities. Organisations may use an accurate and standard time source other than NPL and NIC as long as the accuracy of time is maintained by ensuring that the time source used conforms to the time provided by the NTP Servers of NPL and NIC. The FAQs also clarify that there is no requirement to synchronise clocks in Indian Standard Time (IST). [Sl. No. 40 of the FAQ]
Entities relying on the native time services offered as part of a cloud platform may continue to use them. However, if an entity operates its own NTP service (using an NTP server or any other device) that synchronises with time sources other than the native cloud time services, the NTP Servers of NPL, NIC or other accurate and standard time sources may be used as long as the accuracy of time is maintained. It is to be ensured that a time source other than NIC/NPL, if used, shall not deviate from NPL and NIC. [Sl. No. 42 of the FAQ]
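The “shall not deviate” requirement implies that an organisation using its own time source can measure how far its clock sits from a reference NTP server. The following Python client-side computation is an added example, not part of the FAQs or the Directions: it parses a constructed NTPv4 server reply, computes the offset and round-trip delay from the four RFC 5905 timestamps, and compares the offset against a tolerance. No NIC/NPL hostnames are used, and the 0.1 s tolerance is an assumption, since the FAQs give no numeric limit.

```python
import struct

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix epoch)
FRAC = 1 << 32                  # NTP timestamps are 32.32 fixed point
PACKET_FMT = "!BBBbIIIQQQQ"     # 48-byte NTP header in network byte order

def to_ntp_ts(unix_seconds: float) -> int:
    """Encode a Unix time as a 64-bit NTP timestamp (32-bit seconds | 32-bit fraction)."""
    ntp = unix_seconds + NTP_EPOCH_OFFSET
    whole = int(ntp)
    return (whole << 32) | int(round((ntp - whole) * FRAC))

def build_server_reply(origin_ts: int, receive_ts: int, transmit_ts: int) -> bytes:
    """Constructed NTPv4 server reply (LI=0, VN=4, mode=4, stratum 1) echoing the client's T1."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    ref_id = int.from_bytes(b"GPS\0", "big")      # stratum-1 reference identifier
    return struct.pack(PACKET_FMT, li_vn_mode, 1, 6, -20, 0, 0, ref_id,
                       receive_ts, origin_ts, receive_ts, transmit_ts)

def parse_server_reply(data: bytes, sent_origin_ts: int) -> tuple[int, int]:
    """Return (T2, T3) from a server reply, rejecting malformed or unsolicited packets."""
    if len(data) < struct.calcsize(PACKET_FMT):
        raise ValueError("short NTP packet")
    fields = struct.unpack(PACKET_FMT, data[:48])
    mode, stratum = fields[0] & 0x07, fields[1]
    if mode != 4 or not 1 <= stratum <= 15:
        raise ValueError("not a usable server reply (wrong mode or kiss-o'-death)")
    origin, receive, transmit = fields[8], fields[9], fields[10]
    if origin != sent_origin_ts:                   # guards against replayed or spoofed replies
        raise ValueError("origin timestamp does not match the request we sent")
    return receive, transmit

def offset_and_delay(t1: int, t2: int, t3: int, t4: int) -> tuple[float, float]:
    """RFC 5905: offset = ((T2-T1)+(T3-T4))/2, delay = (T4-T1)-(T3-T2), both in seconds."""
    offset = ((t2 - t1) + (t3 - t4)) / 2 / FRAC     # positive = local clock is behind the reference
    delay = ((t4 - t1) - (t3 - t2)) / FRAC           # round-trip network delay
    return offset, delay

def within_tolerance(offset: float, tolerance_s: float) -> bool:
    return abs(offset) <= tolerance_s                # True if the clock does not deviate beyond the limit

def demo() -> tuple[float, float, bool]:
    """Constructed scenario: local clock 250 ms ahead of the reference, 5 ms one-way latency."""
    t1 = to_ntp_ts(1700000000.000)   # client sends request   (local clock)
    t2 = to_ntp_ts(1699999999.755)   # server receives it     (reference clock)
    t3 = to_ntp_ts(1699999999.756)   # server sends reply     (reference clock)
    t4 = to_ntp_ts(1700000000.011)   # client receives reply  (local clock)
    r2, r3 = parse_server_reply(build_server_reply(t1, t2, t3), t1)
    offset, delay = offset_and_delay(t1, r2, r3, t4)
    return offset, delay, within_tolerance(offset, tolerance_s=0.1)  # 0.1 s is an assumed limit
```

In the constructed scenario the offset comes out at -0.25 s with a 10 ms round-trip delay, so the clock fails the assumed 0.1 s tolerance; against a live server T1 and T4 would be read from the local clock around the UDP exchange.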
The clarificatory FAQs were an attempt to accommodate the concerns of relevant entities, including clarifying that the directions will not apply to enterprise/corporate VPNs, allowing storage of logs outside India, providing an indicative list of the types of ICT system logs that need to be stored, etc. However, in certain aspects, the FAQs may lead to greater confusion. For instance, the categorisation of the cyber security incidents provided under Annexure I of the CERT-In Directions into the four broad groupings (under the response to Q. 30 of the FAQs) may cause uncertainty regarding what is mandatorily reportable within the 6-hour timeline, specifically when there is no distinction regarding the severity and extent of the cyber security incident covered.
Link to CERT-In Directions - https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf