loader

Disclaimer

The Bar Council of India does not permit advertisement or solicitation by advocates in any form or manner. By accessing this website, www.khaitanco.com, you acknowledge and confirm that you are seeking information relating to Khaitan & Co of your own accord and that there has been no form of solicitation, advertisement or inducement by Khaitan & Co or its members. The content of this website is for informational purposes only and should not be interpreted as soliciting or advertisement. No material/information provided on this website should be construed as legal advice. Khaitan & Co shall not be liable for consequences of any action taken by relying on the material/information provided on this website. The contents of this website are the intellectual property of Khaitan & Co.

Please accept the above
Close

Search

See all results for ""

Indian Computer Emergency Response Team Direction: Paradigm Shift in Cyber Incident Reporting

30-Apr-2022

Introduction

The Indian Computer Emergency Response Team (CERT-In) has issued a direction on 28 April 2022 (Direction) under Section 70-B(6) of the Information Technology Act 2000 (IT Act) relating to information security practices, procedure, prevention, response and reporting of cyber incidents for safe and trusted internet. This is an ongoing effort on the part of CERT-In to further strengthen cyber incident reporting, internet security and allied topics.

CERT-In had earlier issued Advisory CIAD-2021-0004 dated 20 January 2021 (Advisory), which inter alia required affected entities to immediately notify users/customers who could be affected with details of information breached, actions being undertaken by such affected entities to address the problem and how they can reach out to CERT-In for any queries.

Key highlights of the Direction

Ø  

When does the Direction come into effect?

The Direction is to come into effect after 60 (sixty) days following the date of its issuance.

Ø  

Reporting of cyber incidents

Certain specified types of cyber incidents (such as targeted scanning/probing of critical networks/systems, compromise of critical systems/information, unauthorised access of IT systems/data etc) as identified under Annexure I of the Direction are to be mandatorily reported to CERT-In by service providers, intermediaries, data centres, body corporates and government organisations (Covered Entities), within 6 (six) hours of noticing such incidents or being brought to notice about such incident. Notably, some of the cyber incidents (such as data breach, data leak, attacks on internet of things (IoT) devices and associated systems etc) that are to be mandatorily reported, are in addition to those set out under the Information Technology (the Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (Rules) issued under the IT Act.

Ø  

Synchronisation of information and communication technology (ICT) system clocks

All Covered Entities are required to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) or with NTP servers traceable to these NTP servers, for synchronisation of all their ICT systems clocks.

Entities having ICT infrastructure spanning across multiple geographies may also use accurate and standard time source other than NPL and NIC, however it is to be ensured that their time source shall not deviate from NPL and NIC.

Ø  

Enabling and retention of logs

All Covered Entities are to mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 (one hundred and eighty) days within Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered or directed by CERT-In.

Ø  

Retention of Information by data centres, virtual private server providers, cloud service providers and virtual private network service providers

Data centres, virtual private server providers, cloud service providers and virtual private network service providers are required to register the following information accurately: (i) validated names of subscribers/customers hiring the services; (ii) period of hire including dates; (iii) IPs allotted to/used by the members; (iv) email address and IP address and time stamp used at the time of registration/on-boarding; (v) purpose for hiring services; (vi) validated address and contact numbers; (vii) ownership pattern of the subscribers/customers hiring services.

The above-mentioned information is required to be maintained for a period of 5 (five) years or longer duration, as mandated by the law, after any cancellation or withdrawal of the registration (as the case maybe).

Ø  

Compliances for the virtual assets industry

Virtual asset service providers, virtual asset exchange providers and custodian wallet providers are to mandatorily maintain records of the following, for 5 (five) years:

 

§      

All information obtained during the process of conducting Know Your Customer (KYC) for users; and

 

§      

Records of financial transactions, including information relating to the identification of the relevant parties involved in the transactions such as IP addresses, along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transactions, and the amounts transferred.

Ø  

Information regarding appointment of Point of Contact

The format in which information about the appointment of a point of contact needs to be conveyed to the CERT-In by the Covered Entities has been provided through the Direction.

Ø  

Penalty for non-compliance

Any failure to furnish the information as required under the Direction or any non-compliance with the same may invite punitive action under Section 70-B(7) of the IT Act and other laws, as applicable. Section 70-B(7) of the IT Act provides for punishment with imprisonment for a term which may extend to 1 (one) year or with fine which may extend to INR 100,000 (Indian Rupees One Hundred Thousand) or with both.

Comment

While there have been a slew of developments in the cyber incident reporting space, this Direction is more comprehensive in its ambit and includes publication on several aspects of cyber incident reporting and cybersecurity. One of the new aspects of the Direction is inclusion of mandatory retention periods for certain records, as indicated above. The Direction enhances the legal obligations on cyber incident reporting than was originally envisaged under the IT Act and the Rules. This is a particularly interesting development and may also indicate a wider effort to overhaul the existing IT Act, given its limitations on regulating aspects such as internet and cybersecurity.

It will also have to be seen how the Direction will blend in with the data breach reporting obligations under the new data protection law, as and when it is enacted, as well as the revamp of the IT Act which is envisioned.

-     Harsh Walia (Partner), Supratim Chakraborty (Partner), Shobhit Chandra (Counsel), Sumantra Bose (Principal Associate), Tashi Gyanee (Associate), Sanjuktha A. Yermal (Associate), Shramana Dwibedi (Associate)

For any queries please contact: editors@khaitanco.com

Harsh Walia (partners) , Supratim Chakraborty (partners) , Shobhit Chandra (partners)

We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.

For private circulation only

The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

© 2021 Khaitan & Co. All rights reserved.

Mumbai

One Forbes
3rd & 4th Floors, No. 1
Dr. V. B. Gandhi Marg
Fort, Mumbai 400 001

Chennai

119/65, First Floor
Dr Radhakrishnan Salai
Mylapore
Chennai 600 004,
India

Noida

Max Towers
7th & 8th Floors
Sector 16B, Noida
Gautam Buddh Nagar
201 301 India

Singapore

Ocean Financial Centre
#37-02 10 Collyer
37th Floor Quay
Raffles Place 049315,
Singapore