BACKGROUND
The Indian Computer Emergency Response Team (“CERT-In”), established under the Information Technology Act, 2000 (“IT Act”), is the national nodal agency for dealing with and responding to cyber security incidents. It is tasked with performing certain functions including – collection, analysis and dissemination of information on cyber incidents, handling cyber security incidents, and issuing guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, response and reporting of cyber incidents.
To perform these functions, CERT-In is empowered to call for information and issue directions to service providers, intermediaries, data centres, body corporates and any other person. Exercising such powers, CERT-In had issued the directions dated April 28, 2022 (“Directions”) for strengthening cyber security in India. Clarifications to the Directions were issued by CERT-In by way of frequently asked questions on May 18, 2022 (“FAQs”).
Note that the composition and functioning of CERT-In is regulated by the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“Rules”). While the Rules, amongst other things, provide an option to individuals, organizations or corporate entities affected by cyber security incidents to report such incidents to CERT-In, only certain types of cyber security incidents are to be reported mandatorily.[1]
The Directions appear to be issued in the backdrop of CERT-In not getting requisite information to carry out its functions including analysis, investigation, and coordination in context of cyber security incidents.
APPLICABILITY
The scope of the Directions is quite wide and, depending upon the specific direction in question, they are applicable to service providers, intermediaries, data centres, body corporate, virtual private server providers, cloud service providers, VPN service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organizations (individually and collectively, “Entities”).
(a) The Directions do not apply to individual citizens. The FAQs additionally clarify that the Directions do not apply to enterprise / corporate VPNs.
(b) The Directions have extra-territorial applicability, i.e., they apply to overseas Entities, though there is ambiguity regarding which overseas Entities need to comply with the Directions. The FAQs seem to suggest that the Directions will apply to overseas entities if they cater to users in India. It may be possible to argue that the Directions cannot be more expansive than Section 75 of the IT Act, which provides that the IT Act will apply to overseas entities only in certain circumstances. Further clarity on the extent of extra-territorial applicability is yet to emerge.
The Directions came into effect on June 27, 2022; however, the timeline for compliance for Micro, Small & Medium Enterprises has been extended until September 25, 2022.
COMPLIANCE REQUIREMENTS
(a) Reporting requirement –
- Specified cyber incidents, in the prescribed format (as available on the CERT-In website), are required to be reported to CERT-In within 6 hours of noticing such incidents or of being notified of such incidents. If all information regarding the cyber incident is not available, Entities may provide information to the extent available within 6 hours and provide additional information to CERT-In within reasonable time.
- If multiple parties are affected by a cyber security incident, any party that notices such incident is required to report it to CERT-In.
- This reporting obligation to CERT-In is mandatory and overrides any confidentiality related obligations under contract.
- Note that the reporting requirement was already present under the Rules (as mentioned above). The Directions have – added the timeline within which these incidents need to be reported, and expanded the list of incidents which need to be mandatorily reported.[2]
(b) Comply with orders issued by CERT-In – Take action, provide information or assistance (within the timeframe prescribed by CERT-In), as may be directed by CERT-In, for the purpose of contributing to cyber security mitigation and enhancing cyber security situational awareness.
(c) Appoint POC – Appoint a point of contact (POC) to engage with CERT-In in relation to the Directions. Details of the POC need to be provided to CERT-In and should be kept updated.
(d) Maintain logs in India – Maintain logs of Information and Communication Technology (ICT) systems for a rolling period of 180 days.[3] The FAQs suggest that these logs can be stored outside India as long as a copy is retained within India. Relevant logs need to be provided to CERT-In when cyber incidents are reported or when so ordered by CERT-In.
(e) ICT clock synchronization – Connect to the Network Time Protocol (NTP) server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to these NTP servers, for synchronization of the ICT system clocks of Entities. Entities having ICT infrastructure spanning multiple geographies can also use an accurate and standard time source other than NPL and NIC; however, it is to be ensured that their time source does not deviate from NPL and NIC.
(f) Data retention requirements – Certain data retention requirements have been imposed on:
- Data centres, cloud service providers, virtual private server providers and virtual private network service providers – such as names of subscribers, email address and IP address, address and contact numbers, ownership pattern, etc. The prescribed data needs to be maintained for 5 years from termination of the underlying arrangement. The timeline for compliance to maintain accurate information regarding the names of subscribers and address and contact numbers has been extended until September 25, 2022; and
- Virtual asset service providers, virtual asset exchange providers and custodian wallet providers – such as information obtained as part of know-your-customer (KYC) process[4] and records of financial transactions[5]. The records of financial transactions need to be maintained for 5 years.
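As an added illustration of item (e) above (not part of the original advisory), the following Python check parses the output of `chronyc tracking` on a Linux host and flags a clock that is not referenced to an approved NIC/NPL source, is not synchronised, or has drifted beyond a chosen tolerance. The NTP host names, the 0.1 s offset limit and the stratum limit are assumptions, not values from the Directions, and both sample outputs are constructed.

```python
import re

# Assumed NIC/NPL NTP host names (constructed for this example; the page names
# the agencies but not the hosts, so confirm them against the CERT-In FAQ).
APPROVED_NTP_HOSTS = {"samay1.nic.in", "samay2.nic.in", "time.nplindia.org"}

def parse_chronyc_tracking(output):
    """Split 'chronyc tracking' text into a {field: value} dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def check_time_sync(output, approved=APPROVED_NTP_HOSTS,
                    max_offset_s=0.1, max_stratum=3):
    """Return (ok, problems) for one host; list any internal relay synced to NIC/NPL in 'approved'."""
    f = parse_chronyc_tracking(output)
    problems = []
    m = re.search(r"\(([^)]*)\)", f.get("Reference ID", ""))
    ref = m.group(1) if m else ""
    if ref not in approved:
        problems.append(f"reference source {ref!r} is not an approved NIC/NPL source")
    if f.get("Leap status") != "Normal":
        problems.append(f"leap status {f.get('Leap status')!r}: clock not synchronised")
    stratum = int(f.get("Stratum", "0") or 0)
    if stratum == 0 or stratum > max_stratum:
        problems.append(f"stratum {stratum} is outside 1..{max_stratum}")
    m = re.match(r"([\d.]+) seconds", f.get("System time", ""))
    offset = float(m.group(1)) if m else float("inf")
    if offset > max_offset_s:
        problems.append(f"clock is {offset:.3f}s off NTP time (limit {max_offset_s}s)")
    return (not problems, problems)

# Constructed sample of a host correctly synced to NIC (not a real capture).
SYNCED_SAMPLE = """\
Reference ID    : C0A80001 (samay1.nic.in)
Stratum         : 2
System time     : 0.000123456 seconds fast of NTP time
Leap status     : Normal
"""
# Constructed sample of a host whose chrony has no usable source.
UNSYNCED_SAMPLE = """\
Reference ID    : 7F7F0101 ()
Stratum         : 0
System time     : 2.500000000 seconds slow of NTP time
Leap status     : Not synchronised
"""
```

On a live host, pass `subprocess.check_output(["chronyc", "tracking"], text=True)` as the output; traceability through an internal relay has to be verified on the relay itself.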
CONSEQUENCES OF NON-COMPLIANCE
(a) Non-compliance with the Directions is punishable with imprisonment up to 1 year and/or fine up to INR 1 lakh (USD 1,500 approx.).
(b) Other penal provisions under the IT Act may also apply to contravention of the Directions, including – confiscation of underlying computer or computer system.
(c) If the offence is committed by a company, then every person who at the time of contravention, was responsible to the company for the conduct of its business will also be guilty of the contravention and will be liable to be proceeded against. Additionally, if it is proved that the contravention has taken place with the consent / connivance / neglect on part of a director / manager / secretary / other officer of the company, then such person will be deemed to be guilty of the offence and will be liable to be proceeded against.
The Directions are very wide and cut across sectors. Considering the wide implications and the compliance requirements (as indicated above), all impacted entities should take note of the Directions and take suitable steps to ensure compliance.
Footnotes:
[1] Cyber security incidents which need to be mandatorily reported under the Rules include – compromise of critical systems, unauthorized access of IT systems, identity theft, spoofing or phishing attacks, etc.
[2] Additional incidents that need to be reported include – fake mobile apps, unauthorized access to social media accounts, attacks through malicious mobile apps, data breach, data leak, attacks affecting cloud computing systems, etc.
[3] The logs that need to be maintained will depend on the sector in which an Entity is operating and may include – firewall logs, event logs of critical systems, application logs, VPN logs, etc.
[4] For the purpose of KYC, applicable directions of the Reserve Bank of India / circular issued by Securities and Exchange Board of India / notice issued by Department of Telecom may be referred to.
[5] The intent behind this record retention requirement seems to be to enable reconstruction of individual transactions.