OVERHAUL OF CYBER-INCIDENT REPORTING REQUIREMENTS (India)

NO&T Asia Legal Review

*Please note that this newsletter is for informational purposes only and does not constitute legal advice. In addition, it is based on information as of its date of publication and does not reflect information after such date. In particular, please also note that preliminary reports in this newsletter may differ from current interpretations and practice depending on the nature of the report.

Introduction

On 28 April 2022, the Indian Computer Emergency Response Team (“CERT-In”), the national agency responsible for monitoring and supervising various cyber-security functions, issued new directions relating to ‘Information Security Practices, Procedures, Prevention, Response, and Reporting of Cyber Incidents for Safe & Trusted Internet’ (“New Directions”) under the Information Technology Act, 2000.

The New Directions build on the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“Rules”). They significantly widen the types of cyber security incidents that must be reported to CERT-In and introduce a swathe of new compliance requirements for entities operating within India. The New Directions come into effect on 28 June 2022. Following their issuance, CERT-In has also published Frequently Asked Questions (FAQs) on its website, which provide further clarity on how the New Directions apply.

Summary of Key Provisions

1.   Reporting: The key change introduced by the New Directions concerns mandatory reporting. Under the Rules, only certain identified cyber security incidents were mandatorily reportable; all others could be reported voluntarily, within a reasonable time. Under the New Directions, almost all kinds of cyber security incidents, including but not limited to (i) data breaches; (ii) data leaks; (iii) attacks on Internet of Things (IoT) devices and associated systems, networks, software and servers; (iv) attacks or incidents affecting digital payment systems; (v) attacks through malicious mobile apps; (vi) unauthorised access to social media accounts; and (vii) attacks or malicious/suspicious activities affecting systems, servers, networks, software or applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones etc., must be reported to CERT-In within 6 (six) hours of the entity noticing the incident or being made aware of it. In effect, all types of cyber incidents are now mandatorily reportable, irrespective of severity. The obligation to report falls on every entity operating in India, such as service providers, intermediaries, data centres, body corporates and government organisations (collectively, the “Covered Entities”). The methods and formats for reporting cyber security incidents are published on the CERT-In website. Through the FAQs, CERT-In has clarified that a Covered Entity may provide whatever information is readily available to it within 6 (six) hours of noticing an incident, and the remaining information within a reasonable time thereafter.

2.   Extra-Territorial Applicability: The FAQs clarify that the New Directions have extra-territorial application and also apply to foreign Covered Entities in all matters concerning cyber incidents and cyber security incidents. Further, the FAQs state that all Covered Entities offering services to Indian users must designate a Point of Contact (to interact with CERT-In on compliance with the New Directions) even if they have no physical presence in India. Such Covered Entities are also required to maintain logs and records of financial transactions conducted in India, in the manner set out below.

3.   Maintenance and disclosure of logs: Covered Entities must enable logging on all of their ICT systems and retain the logs securely for a rolling period of 180 days. The New Directions require that all logs be maintained within India, and they must be provided to CERT-In along with the report of any incident or whenever CERT-In orders or directs their production. Although the New Directions state that logs must be maintained in India, CERT-In has clarified through the FAQs that logs may also be stored outside India, provided the entity is able to produce them to CERT-In within a reasonable time. CERT-In has also published a non-exhaustive list of the logs to be maintained, which includes firewall logs, Intrusion Prevention System logs, SIEM logs, web, database, mail, FTP and proxy server logs, event logs of critical systems, application logs, ATM switch logs, SSH logs, VPN logs etc.

4.   Synchronisation with NTP Server: Covered Entities are required to connect to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to those servers, in order to synchronise the clocks of all their ICT systems. Entities with ICT infrastructure spanning multiple geographies may use an accurate and standard time source other than NPL and NIC, but must ensure that their time source does not deviate from NPL and NIC. Consistent clocks across systems are what make the logs in item 3 usable for correlating an incident across devices and for establishing the time at which it was noticed for the purposes of the 6-hour reporting window.

5.   Disclosure of Information: The Rules empower CERT-In to seek information from regulated entities from time to time, subject to certain conditions. The New Directions widen these powers: if CERT-In issues any order or direction to a Covered Entity, the entity must take the action, provide the information or render the assistance to CERT-In as directed. This power is not limited to the aftermath of a cyber security incident; it also allows CERT-In to seek information in order to take protective and preventive action. The FAQs, however, clarify that CERT-In will not exercise these powers on a continuous basis, but only at the time of cyber security incidents.

6.   Recordal of data: Data centres, virtual private server (VPS) providers, cloud service providers and virtual private network service (VPN Service) providers are required to register the following accurate information and retain it for a period of 5 years, or longer where mandated by law: (i) validated names of the subscribers/customers hiring the services; (ii) the period of hire, including dates; (iii) the IPs allotted to or being used by the subscribers; (iv) the email address, IP address and timestamp used at the time of registration/on-boarding; (v) the purpose for hiring the services; (vi) validated address and contact numbers; and (vii) the ownership pattern of the subscribers/customers hiring the services.

7.   Requirements for the virtual assets industry: The New Directions also apply to virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time). Such entities are required to maintain the following information for a period of 5 years: (i) all information obtained from users as part of KYC; and (ii) records of financial transactions, including information identifying the parties involved in each transaction, such as IP addresses with timestamps and time zones, transaction IDs, public keys (or equivalent identifiers), the nature of the transaction, addresses or accounts (or equivalent identifiers), and the dates and amounts involved. Records of all financial transactions must be maintained only in India.

8.   Penalty: Failure to furnish the information required under the New Directions, or any other non-compliance with them, may invite punitive action under Section 70B(7) of the Information Technology Act, which provides for imprisonment for a term of up to 1 (one) year, or a fine of up to INR 100,000 (Indian Rupees One Hundred Thousand), or both. Penalty provisions under other laws may also apply.

Conclusion

The New Directions have far-reaching implications and require entities operating in India to make a number of technological changes, including putting in place mechanisms capable of meeting the short 6-hour timeline for reporting cyber security incidents. Foreign entities that have no physical presence in India but provide services to Indian users will also need to designate a point of contact to liaise with CERT-In. Infrastructure changes will be required to synchronise ICT systems with the NIC or NPL NTP servers, to maintain full and accurate logs for the 180-day retention period, and to record all relevant subscriber and transaction information. Businesses will need to assess their current practices and may have to overhaul their cyber security practices and processes to ensure compliance with the New Directions.

This newsletter is given as general information for reference purposes only and therefore does not constitute our firm’s legal advice. Any opinion stated in this newsletter is a personal view of the author(s) and not our firm’s official view. For any specific matter or legal issue, please do not rely on this newsletter but make sure to consult a legal adviser. We would be delighted to answer your questions, if any.
