Why Are Industry Players Unhappy with India’s New Cybersecurity Directives?
India’s new cybersecurity directives, issued in late April 2022 by CERT-In and in effect from June 2022, have troubled industry players because they cut across established norms of user privacy. This article summarizes the new reporting timelines, KYC requirements, and other technical compliance obligations, as well as the responses of key stakeholders.
On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In) released a circular containing cybersecurity directives for government and private entities, mandating the reporting of cybersecurity incidents. The directives come into effect in June 2022 and directly affect the operations of data centers, virtual private server (VPS) providers, cloud service providers (CSPs), and virtual private network (VPN) providers in India.
The directives aim to strengthen incident reporting in India and curb cybercrime. However, they come as a jolt to user privacy, and industry players have pushed back strongly, with some hinting at an exit from the Indian market.
What is CERT-In?
CERT-In is the nodal agency for cyber security under Section 70B of the Information Technology Act, 2000 (IT Act). The new directives, issued under Section 70B(6) of the IT Act, cover cyber-security practices, breach reporting, and record-maintenance requirements.
CERT-In is also empowered to call for information from, and give directions to, any service provider, intermediary, data center, body corporate, or government organization.
The main functions of CERT-In under the IT Act include:
- Collection, analysis, and dissemination of information on cyber incidents
- Forecast and alerts of cyber security incidents
- Emergency measures for handling cyber security incidents
- Coordination of cyber incidents response activities
- Issue guidelines, advisories, vulnerability notes, and whitepapers relating to information security practices, procedures, prevention, response, and reporting of cyber incidents
- Such other functions relating to cyber security as may be prescribed
What are India’s new cybersecurity directives?
Reduced timeline for reporting
The 2013 CERT-In Rules did not prescribe a fixed time frame within which cyber-security incidents had to be reported; they only required reporting within a reasonable time. The 2022 directives make this far more stringent: incidents must be reported within six hours of the entity noticing them or being brought to notice about them.
Given the short window, organizations will need to re-examine their breach-reporting practices and procedures. They must also ensure that they have the organizational capability (monitoring, triage, and an escalation path) to identify and report a cybersecurity incident within this time frame.
How should cyberattack incidents be reported?
Covered entities operating in India must report cyber security incidents to CERT-In through any of the following channels:
- Email address: incident@cert-in.org.in
- Phone number: 1800-11-4949
- Fax number: 1800-11-6969
Expanded list of reportable cybersecurity incidents
The 2022 directives have expanded the mandatorily reportable incident list to include the following:
- Data breach
- Data leak
- Attacks on the Internet of Things (IoT) devices and associated systems, networks, software, and servers
- Attacks or incidents affecting digital payment systems
- Attacks through malicious mobile apps
- Unauthorized access to social media accounts
- Attacks or malicious/suspicious activities affecting cloud computing systems/ servers/software/applications
- Attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, and drones
- Attacks or malicious/suspicious activities affecting systems/servers/software/applications related to artificial intelligence (AI) and machine learning (ML)
However, the directives specify no impact or severity threshold for these categories, and give no indication of the consequences that follow from a report, so it is unclear whether even minor incidents in these categories must be reported.
Synchronized system clocks
The 2022 directives require all service providers, intermediaries, data centers, body corporates, and government organizations to synchronize the clocks of their information and communications technology (ICT) systems with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with other NTP servers traceable to those maintained by NIC or NPL. Entities whose ICT infrastructure spans multiple geographies may use another accurate and standard time source, provided that their time source does not deviate from NPL and NIC.
This may be difficult to implement in practice, given the limited number of NIC and NPL time servers available.
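The directive says what the clocks must track but not how an entity would verify it. The following is an added example, not part of the article or of the directive: a small POSIX-sh check that parses `chronyc tracking` output and fails if the host is unsynchronised or its offset from the reference exceeds a tolerance. It assumes chrony is the NTP client, that the organization has chosen 0.5 seconds as its own tolerance, and that the reference host is an NIC server; the hostname samay1.nic.in in the constructed sample output is an assumption, as is the expected-reference substring nic.in.

```shell
#!/bin/sh
# Added example (not from the CERT-In directive or the article): check that a
# host's clock is synchronised and within a tolerance of its NTP reference by
# parsing the output of `chronyc tracking`.
#
# Assumptions not stated on the page: chrony is the NTP client, 0.5 s is the
# organisation's own tolerance, and samay1.nic.in / nic.in stand for an NIC
# reference server (hostname assumed for the sample).

# ntp_in_tolerance TRACKING_OUTPUT MAX_OFFSET_SECONDS [EXPECTED_REF_SUBSTRING]
# Returns 0 when the "System time" offset magnitude is <= MAX_OFFSET_SECONDS,
# "Leap status" is Normal, and (if given) the Reference ID line contains
# EXPECTED_REF_SUBSTRING. Returns 1 otherwise.
ntp_in_tolerance() {
  tracking=$1
  limit=$2
  expected_ref=${3:-}

  # "System time     : 0.000184321 seconds fast of NTP time" -> 0.000184321
  offset=$(printf '%s\n' "$tracking" | awk -F': ' '/^System time/ { split($2, a, " "); print a[1] }')
  leap=$(printf '%s\n' "$tracking" | awk -F': ' '/^Leap status/ { print $2 }')
  ref=$(printf '%s\n' "$tracking" | awk -F': ' '/^Reference ID/ { print $2 }')

  [ -n "$offset" ] || return 1          # no offset line: not chrony output
  [ "$leap" = "Normal" ] || return 1    # "Not synchronised" and similar fail
  if [ -n "$expected_ref" ]; then
    case "$ref" in
      *"$expected_ref"*) ;;
      *) return 1 ;;                    # tracking the wrong upstream
    esac
  fi
  # The printed magnitude is non-negative; "fast"/"slow" only gives the sign,
  # so one comparison covers both directions of drift.
  awk -v o="$offset" -v l="$limit" 'BEGIN { if (o + 0 <= l + 0) exit 0; exit 1 }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OK='Reference ID    : C0A80001 (samay1.nic.in)
Stratum         : 2
Ref time (UTC)  : Tue Jun 07 10:15:22 2022
System time     : 0.000184321 seconds fast of NTP time
Last offset     : -0.000021345 seconds
RMS offset      : 0.000140234 seconds
Leap status     : Normal'

SAMPLE_DRIFT='Reference ID    : C0A80001 (samay1.nic.in)
Stratum         : 2
System time     : 2.341000000 seconds slow of NTP time
Leap status     : Normal'

SAMPLE_UNSYNC='Reference ID    : 00000000 ()
Stratum         : 0
System time     : 0.000000000 seconds fast of NTP time
Leap status     : Not synchronised'

# Stand-alone usage; on a live host pass "$(chronyc tracking)" instead.
for s in "$SAMPLE_OK" "$SAMPLE_DRIFT" "$SAMPLE_UNSYNC"; do
  if ntp_in_tolerance "$s" 0.5 nic.in; then echo "OK"; else echo "OUT OF TOLERANCE"; fi
done
```

Run from cron or a monitoring agent, a non-zero exit is the signal that the host's timestamps can no longer be trusted to line up with the NIC/NPL reference that incident logs will be compared against. Note that the offset of a single host only proves traceability if the upstream it tracks is itself traceable to NIC or NPL, which is what the reference check is for.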
Subscriber data collection and retention
Under the new directives, specified entities, namely data centers, VPS providers, CSPs, and VPN providers, are required to accurately record certain details of their subscribers, similar to the Know Your Customer (KYC) requirements imposed by sectoral regulators.
CERT-In is empowered to request this information in the event of a ‘cyber incident’ or ‘cyber security incident’. The information to be maintained includes:
- Validated names of subscribers/customers
- Subscription period including dates
- IP addresses allotted to, or being used by, the subscribers
- Email address, IP address and time stamps used at the time of registration
- Purpose for subscribing to the services
- Validated address and contact numbers
- Ownership pattern of the subscribers/customers using service
This information needs to be maintained for at least five years after the cancellation of the user registration, or a longer period as mandated by law.
CERT-In authority expanded for information requests
Earlier, under Rule 14 of the 2013 CERT-In Rules, the CERT-In had the authority to seek information from regulated entities in specified formats and time frames for responding to cyber incidents. But this authority could only be exercised by an officer of the rank of Deputy Secretary or higher.
The 2022 directives, however, give CERT-In a broad power to request information without any such rank-based safeguard. A CERT-In order may specify the format in which the information is required (up to and including near real-time) and the time frame within which it must be provided; failure to provide it will be treated as non-compliance.
KYC information and financial transaction record retention
The 2022 directives require all virtual asset service providers, virtual asset exchange providers, and custodian wallet providers to maintain KYC and financial transaction records. These entities will therefore have to perform KYC, which until now was mandated only for entities regulated by Indian financial sector regulators (banking, securities, etc.).
This information must be retained for five years. The directives refer to definitions to be issued by the Ministry of Finance (MoF) to determine which entities are in scope, but the MoF has not yet issued such definitions, so the scope of this requirement is unclear.
The CERT-In directives require the retention of financial records and identification information of the parties (including IP addresses, timestamps and time zones), transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred.
Maintenance of system logs within India
The 2022 directives require entities to maintain logs of all their ICT systems for a rolling period of 180 days and to store these logs within India. The logs must be provided to CERT-In along with an incident report, or whenever CERT-In asks for them. Consequently, a wide range of service providers and intermediaries, such as cloud-based and application-layer service providers, would need to keep system logs localized in India even if they have no other physical presence there.
Presently, there is no clarity with respect to what these logs are supposed to comprise.
What is the penalty for non-compliance with the CERT-In 2022 directives?
Non-compliance with the new CERT-In directives is an offence under Section 70B(7) of the IT Act, punishable with imprisonment for up to one year and/or a fine of up to INR 100,000. Other penal laws, where applicable, may also be invoked.
How is the industry responding to the CERT-In 2022 directives?
Most industry players have expressed disappointment and dismay over the new directives, pointing to gaps in how they could be applied in practice. Several VPN providers, including NordVPN and Surfshark, have indicated that they may not be able to comply with the new rules, and some have gone as far as planning an exit from India, citing the privacy of their users. Limited server availability, staff capacity constraints, and the added financial burden are also being cited as reasons why compliance is impractical.
India Briefing is produced by Dezan Shira & Associates.