The New CERT-IN Way

Under the Information Technology Act of 2000, the Indian Computer Emergency Response Team (CERT-In) recently published a set of new directions (CERT-IN Directions) regarding information security practices, procedure prevention, response, and reporting of cyber incidents for a safe and trusted internet. The FAQs, published by CERT-IN on May 19, 2022, further explained the requirements under the directions.

Service providers, intermediaries, data centers, and corporate entities (collectively, “Applicable Entities”) are required by CERT-IN Directions to report cyber incidents, as defined by the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules 2013 (the “CERT-IN Rules”),

• Either within six hours of becoming aware of the incident or within two business days of the incident being brought to the attention of the applicable entity. CERT-In had previously required reporting cyber security incidents as soon as practicable and within a reasonable amount of time.

In addition to being required to report cyber incidents within the specified timeframe and in a specified way, applicable entities must also report cyber security events when they reach the following threshold:

• Data leaks or breaches;
• Large-scale or often occurring events, such as unauthorized access to computer resources, websites, etc.;
• Cyber events are impacting human safety.

The new recommendations were released against rising cybercrime in India; from January to February 2022, CERT-In reported more than 2.12 lakh cyber security cases, compared to 14.02 lakh overall the previous year and the stats show that there has been an increase of 571% in cyber crimes as compared to pre-pandemic times.

Although the new regulations are intended to combat cybercrime successfully, they are likely to  present difficulties for businesses in upholding the six-hour norm as the compliance for the same will be a task for technological giants.

Some of the challenges faced by the companies and corporations include:

1. Small businesses will not be able to develop capacities for large-scale data collecting, storage, and administration of customer data to report cases within six hours because of inadequate infrastructure, resources and manpower.
2. In comparison to other international standards, guidelines are strict and rigid.
3. Detecting cybercrime is becoming increasingly complex; it might take businesses days or months to find a cyber security breach. Many businesses lack in terms of integrated technology and device frameworks that can monitor breaches across platforms and devices, making it more tedious and challenging to identify and trace occurrences in a short span of 6 hours. The list of incidents that must be reported has also been increased under the new standards from 10 to 20, expanding the scope of assaults on IoT devices.

Consequences of Non-Adherence of CERT-IN Directions

1. Failure to follow the CERT-In Directions may result in up to a year in jail, a fine of up to INR 1,00,000, or both. On the other hand, prison is typically not used as a first resort or for first time offenders.
2. Businesses need to manage and support their decision-making by taking a comprehensive strategy for cyber risk in light of consumers’ growing preference for online transactions. Given the new guidelines from CERT-In, integrating cybersecurity and legal compliance with corporate strategy can be advantageous as it will lead to use of the latest technology thus strengthening cyber security.

Some suggestions for business owners

• Re-evaluate methods and procedures:

Using CERT-IN Reassessment of current directives, practices, and protocols relating to breach reporting is necessary. These procedures could entail assessing the severity of the breach, choosing who is responsible for filing a report when a cyber incident or a cyber security incident affects numerous parties, and planning the next steps if a regulatory requirement is not followed thus establishing SoPs for smooth compliance of the guidelines. Such characteristics might avoid delays in reporting cyber crimes if they are re-evaluated and appropriately handled.

 

• Boost organizational capacity:

Applicable Entities must create or improve the necessary methods to quickly recognize and disclose a cyber breach. These abilities include educating staff members who handle confidential and proprietary information, carrying out regular testing and security audits, taking personal information, and allowing staff members to use their own devices and establish cyber security guidelines for the employees as well. These cyber security requirements are essential for established companies, small firms, and start-ups, who are equally susceptible to cyber-attacks because of weak security architecture.

 

• Enable logs:

According to CERT-CERT-IN In’s Directions, all applicable entities must enable logs for all of their IT systems to analyze cyber incidents. Furthermore, these logs must be kept for a rolling 180-day period. According to the industry it is in, the FAQs offer some advice on the types of records to be enabled, and the logs maintained to be finalized by the Applicable Entities thus increasing the accountability on part of the businesses.

 

In respect of the vague provisions, the Direction does come as a surprise. The Direction’s goals are admirable, however its provisions may not be the best ways to combat cybersecurity threats since they are too broad. Businesses urgently need to evaluate their internal procedures to identify where and how adjustments need to be made in light of the Direction’s numerous technology requirements. Continuous manual intervention can also be necessary for some circumstances.

Given that the Direction has broad implications and legal repercussions, it would be beneficial if CERT-In could offer a window for questions from stakeholders and industry members, after which the Direction might be clarified or amended as needed as the directions leave the businesses in aloop of queries and question as the guideline are not exhaustive and hence clarity on SoPs for the companies need to provided. Nonetheless such guidelines will be a  strong pillar of nations and its citizens’ cybersecurity in times to come.

 

Author – Mr. Shrey Madaan, Research Associate, CyberPeace Foundation