CERT-In's guidelines for reporting cyber incidents in India
The Indian Government has established the Indian Computer Emergency Response Team (CERT-In or ICERT) under the Ministry of Electronics and Information Technology. Its primary responsibility is to address cyber security threats such as hacking and phishing, with the goal of bolstering the overall security of the Indian internet space. On April 28, 2022, CERT-In issued directions pursuant to section 70B(6) of the Information Technology Act, 2000, covering information security measures, protocols, prevention strategies, incident response plans, and cyber incident reporting, all of which are aimed at creating a safer and more trustworthy online environment.
Key Highlights of the Directives:
- All service providers, intermediaries, data centers, government entities, and corporate bodies are required to synchronize the clocks of their ICT (Information and Communications Technology) systems with the Network Time Protocol (NTP) Server of either the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers that are traceable to these sources. Entities whose ICT infrastructure spans multiple geographic locations may use alternate sources of accurate and standardized time, but it is imperative that these sources do not deviate from NPL and NIC time.
- It is mandatory for all service providers, intermediaries, data centers, government organizations, and corporate bodies to report the cyber incidents specified in Annexure I to CERT-In within 6 hours of their occurrence or discovery. Incidents can be reported to CERT-In through various means, such as email (incident@cert-in.org.in), phone (1800-11-4949), and fax (1800-11-6969). The methods and formats for reporting such incidents are available on the CERT-In website (www.cert-in.org.in) and will be updated as needed.
- In contrast to other developed nations, which require incident reporting within 48-72 hours, CERT-In has established a highly aggressive 6-hour timeframe for incident reporting. This requires companies to implement effective monitoring mechanisms for identifying cyber security incidents and to have a well-equipped incident response team in place, along with a comprehensive incident response plan. All relevant stakeholders must be immediately informed of suspected security breaches and must be capable of triaging and avoiding false positives.
- To facilitate communication with CERT-In, companies are required to designate a Point of Contact (POC) who will be responsible for providing any necessary information. CERT-In has also provided a specific format in which such information should be submitted.
- To comply with the directions, all companies are required to retain logs in India for a period of 180 days. This necessitates a careful examination of their log management policies, the logging capabilities of devices and applications, secure log storage, and accessibility. It is imperative for organizations to conduct an assessment to validate these aspects and ensure compliance. If a company's data related to India is hosted in overseas data centers, it is mandatory to replicate the logs in India. It is crucial to ensure that vendors and clients who handle or store data are also made aware of these obligations, so that they can comply with the directives in case of a breach.
- In addition to the aforementioned requirements, certain obligations have been outlined for Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers.
- CERT-In has specified a list of data points that must be retained by data centers and server providers for a minimum of 5 years.
- Virtual asset service providers, virtual asset exchange providers, and custodian wallet providers are required to maintain Know Your Customer (KYC) details for a period of 5 years.
Implementation:
The government has issued directives aimed at enhancing and reinforcing cyber security measures in the country, with effect from June 27, 2022, 60 days after the date of issuance. Requests for an extension of the implementation timelines for the Cyber Security Directions of April 28, 2022, with respect to Micro, Small and Medium Enterprises (MSMEs), have been received by MeitY and CERT-In. Furthermore, additional time has been requested for the implementation of subscriber/customer validation mechanisms by Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers. CERT-In has reviewed the matter and has decided to grant an extension until September 25, 2022, to MSMEs, to enable them to build the necessary capacity for the implementation of the Cyber Security Directions. Additionally, Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers have also been given until September 25, 2022, to implement mechanisms for validating subscriber/customer details.