May 2022, Client Alert

Cyber Security Directions

India proposes a new (and more onerous) framework for reporting of cyber incidents and other related compliances

1 Indian Computer Emergency Response Team

1.1 India does not have a general personal data law and a large part of the current regulatory framework relating to protection of personal data is derived from the Information Technology Act, 2000 (IT Act) and associated rules, regulations and directions issued under the IT Act. Under section 70B of the IT Act, Indian Computer Emergency Response Team (CERT-IN) has been appointed as the nodal agency for addressing various matters relating to cyber security incidents including collection, analysis and dissemination of information relating to cybersecurity incidents.

1.2 The Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (CERT-In Rules), issued under Section 70B(5), further describe CERT-IN’s role, including the current requirements relating to reporting of cyber security incidents to CERT-IN, which are set out in rule 12 of the CERT-In Rules.

2 The Directions (as clarified by the FAQs)

2.1 CERT-IN 27 June 2022 (60 days from the date of its issuance). The Directions had been criticized for several reasons, including their significantly onerous requirements, implications for privacy rights and ambiguity. The Government had issued statements clarifying that the purpose of the Directions was only to develop a framework to enable a coordinated response and emergency measures in case of cybersecurity incidents, not to violate privacy or undertake broad-based surveillance, and that it would issue clarifications to further explain the obligations under the Directions. It was hoped that these clarifications would take into account the above concerns and would dilute or modify the obligations under the Directions to address them.

2.2 The Government, on 18 May 2022 issued a 28 page FAQ to ‘explain the nuances’ of the Directions ‘with a view for enabling a better understanding of the various stakeholders in order to seek compliance to promote Open, Safe & Trusted and Accountable Internet in the country’ (FAQs). While the FAQs clarify some aspects of the Directions, the clarifications do make clear that the Government expects organizations to comply with the Directions in their current form and as things stand, they are unlikely to be diluted further.

2.3 There hasn’t been much press around the lead up to the issue of these Directions though the FAQs state that consultations were held with relevant stakeholders on the draft of the directions in March 2022 before the Directions were issued. The recitals to the Directions identify the lack of information or information not being readily available as a challenge to coordinating response and emergency measures when cybersecurity incidents are reported. The FAQs also clarify that the Directions form part of the overall framework for ensuring online safety and trust for users. The FAQs also have a number of responses that appear to allay fears of breach of privacy rights and surveillance that the requirements under the Directions have raised.

3 Applicability

3.1 The Directions apply almost universally to all service providers, intermediaries, data centres, body corporates and government organisations, who must comply with their requirements (Regulated Entities). The FAQs have also clarified that Regulated Entities include body corporates outside India, in respect of cyber incidents and cyber security incidents, if they provide services to Indian customers. This settles the question of whether the Directions are applicable to entities outside India.

3.2 Additional compliances have been prescribed for specific categories of Regulated Entities such as data centres, virtual private server providers, cloud service providers and virtual private network services providers and virtual asset service providers, virtual asset exchange providers and custodian wallet providers (as defined by the Ministry of Finance from time to time).

4 Mandatory reporting of cyber incidents to CERT-IN

One of the most significant obligations imposed by the Directions is the obligation to mandatorily report identified cyber incidents to CERT-IN within 6 hours. This is a major shift from the current, more relaxed reporting obligations set out in the CERT-In Rules. The reporting requirements under the Directions are described below:

4.1 What has to be reported? – Cyber incidents as listed in Annexure I of the Directions have to be reported to CERT-IN. Annexure 1 lists 20 such incidents (compared to the 11 incidents listed in the CERT-In Rules), and Annexure 1 of the FAQs further describes and illustrates each type of cyber incident listed in Annexure 1 of the Directions. The FAQs seem to provide an additional qualitative threshold for the cyber incidents that have to be reported: any incident mentioned in Annexure 1 of the Directions and meeting the following criteria should be reported within 6 hours:

4.1.1 cyber incidents and cybersecurity incidents which are of a severe nature on any part of the public information infrastructure including backbone network infrastructure (e.g., denial of service, distributed denial of service, intrusion, spread of computer contaminant including ransomware);

4.1.2 data breaches or data leaks;

4.1.3 large scale or most frequent incidents such as intrusion into computer resources, website etc.;

4.1.4 cyber incidents impacting safety of human beings.

4.2 Who has to report? – All Regulated Entities, including those outside India, have an obligation to report cyber incidents. The FAQs have specifically clarified that ‘any entity which notices a cyber security incident’ (e.g. in a situation where multiple parties are affected or where an entity’s data stored in a third party’s system is affected) must report the same to CERT-IN and the obligation to report cannot be transferred, indemnified or dispensed with. Since any cyber incident is likely to involve more than one Regulated Entity, multiple reporting of the same incidents seems to be very likely (and maybe even desired by CERT-IN).

4.3 By when? – The Directions specified that all cyber incidents must be reported within 6 hours of ‘noticing such incidents or being brought to notice about such incidents’. This is a very onerous requirement and is likely to be frequently breached. The FAQs seem to have diluted the obligation by providing the following:

4.3.1 A Regulated Entity only has to provide the information to the extent available at the time of reporting (i.e., within the 6 hour timeframe) and additional information can be reported later within ‘reasonable time’. The term ‘reasonable time’ is ambiguous and it is hoped that it will be interpreted in a practical manner as reporting within such time as possible for the Regulated Entity after obtaining necessary and/or relevant information relating to the cyber incident;

4.3.2 Even in case of incidents that have not been reported for a long time, the obligation to report will be triggered within 6 hours of noticing the incident or the incident being brought to the attention of the Regulated Entity. The FAQs then clarify that based on an analysis of the reported incidents, the gaps in security processes can be analysed to enhance the ability of the organization to detect and mitigate the incidents in a timely manner.

4.4 Format of reporting – Cyber incidents must be reported in the format provided on the CERT-IN website at www.cert-in.org.in and which will be updated from time to time.

5. Obligation to connect to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC) or National Physical Laboratory (NPL) –

5.1 All Regulated Entities must connect either to the NTP server of NIC or NPL, or to servers which are traceable to those servers, for synchronization of all their information communication technology (ICT) system clocks. The FAQs have clarified that Regulated Entities can also use other accurate and standard time sources if they conform to the abovementioned servers. This is also consistent with the requirement in the Directions that Regulated Entities having ICT infrastructure spanning different geographies can use an accurate and standard time source other than NPL and NIC, provided that their time source does not deviate from NPL and NIC.

5.2 The FAQs have also clarified that Regulated Entities do not mandatorily have to set up their system clocks in IST and the requirement is only to ensure uniform time synchronization across ICT systems irrespective of timezone. In fact, the time zone information must also be recorded along with time to facilitate accurate conversion when needed.

5.3 Cloud ICT infrastructure usually sets up its own time server to ensure conformity across its entire framework. The FAQs clarify that customers in cloud environments have the option to either use the native time services offered by the cloud to synchronise their clocks or set up their own NTP servers within the cloud framework, for which time sources other than NTP server can be used, if they are accurate and standard and if they do not deviate from NPL and NIC.

5.4 The FAQs also stipulate the process of synchronizing system clocks with NTP server of NIC or NPL, which can be done by configuring the NTP server as a time source on the Regulated Entity’s enterprise NTP servers. The details of the NTP servers of NIC and NPL are as follows: NIC – samay1.nic.in and samay2.nic.in; and NPL – time.nplindia.org.
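As an added illustration (not taken from the Directions, the FAQs or this alert), an enterprise NTP server running chrony could list the NIC and NPL servers named above as its upstream sources. The internal subnet, file paths and thresholds below are assumptions made for the example.

```conf
# /etc/chrony.conf on an internal (enterprise) NTP server: illustrative only.
# Upstream sources: the NIC and NPL servers named in paragraph 5.4.
server samay1.nic.in iburst
server samay2.nic.in iburst
server time.nplindia.org iburst

# Require at least two selectable sources before the local clock is updated,
# so a single faulty or unreachable upstream cannot steer time on its own.
minsources 2

# Step the clock only during the first three updates if the offset exceeds 1 s;
# afterwards correct gradually so log timestamps do not jump.
makestep 1.0 3

# Keep the hardware clock in step and remember measured drift across restarts.
rtcsync
driftfile /var/lib/chrony/drift

# Serve time to internal ICT systems only (assumed internal address range).
allow 10.0.0.0/8

# Record tracking data so the measured offset from the upstream servers
# can be shown later if synchronization is questioned.
logdir /var/log/chrony
log tracking measurements statistics
```

On that server, `chronyc sources -v` and `chronyc tracking` show which upstream is currently selected and the measured offset.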

6. Provision of information to CERT-IN

6.1 The Directions have further reinforced CERT-IN’s right to obtain information from Regulated Entities. Under the Directions, when required by order or direction of CERT-IN for the purpose of cyber incident response, protective and preventive actions, the Regulated Entity must take action or provide information or assist CERT-IN in a manner which may contribute towards cyber security mitigation actions and enhanced cybersecurity awareness. The said order or direction by CERT-IN may include the format of the information that is required and the timeframe within which it is required, and failure to provide this information would be a non-compliance.

6.2 While the FAQs clarify that CERT-IN will only seek information in case of cybersecurity incidents on a case to case basis, concerns have been raised that this provision does not set any quantitative or qualitative threshold for the type of information that CERT-IN can seek, which could enable CERT-IN to seek a wide range of unrelated information as well, considering its wide statutory functions.

7. Designation of Point of Contact – Further, each Regulated Entity must designate a point of contact to interface with CERT-IN, whose details must be reported in the format prescribed in Annexure-II of the Directions. CERT-IN has also clarified that this obligation applies to foreign service providers offering services to Indian users as well.

8. Maintenance of Data Logs in India

8.1 All Regulated Entities must enable logs of all their ICT systems and maintain them securely in India for a rolling period of 180 days. This information is required to be provided to CERT-IN while reporting a cyber security incident or when ordered/directed by CERT-IN. The logs to be maintained will depend on the sector in which the organization operates, and the FAQs name the following as illustrative logs – firewall logs, intrusion prevention system logs, SIEM logs, web/database/mail/FTP/proxy server logs, event logs of critical systems, application logs, ATM switch logs, SSH logs, VPN logs. The FAQs, however, specifically clarify that this list of logs is not exhaustive.

8.2 The FAQs are unclear on the obligation to store logs within India. FAQ 35 states that the logs may also be stored outside India as long as such logs are made available to CERT-IN within reasonable time, which could be interpreted as a relaxation of the data localization requirement in the Directions; however, FAQ 36 states that logs of foreign service providers and the foreign part of financial transactions also have to be stored in India itself. Given the general trend towards data localization being insisted on by the Government, it seems unlikely that there is any intent to dilute the data localization obligation imposed through the Directions.

8.3 The obligation of maintaining logs and records of financial transactions in Indian jurisdiction, even on foreign service providers offering services to users in India, is quite onerous. It will mean significant costs for foreign companies, as these companies will have to hire data centres or cloud service providers with Indian servers to maintain such logs, and storage in India is typically more expensive than in other parts of the world.

9. Additional compliance on virtual financial services providers – Virtual asset providers, virtual asset exchange providers and custodian wallets have additional compliances and are required to record all information gathered as a part of Know Your Customer (KYC) updates as well as financial transactions for a period of five years. For the purposes of KYC, these virtual financial service providers are required to refer to directions issued by the Reserve Bank of India (RBI), the Securities and Exchange Board of India (SEBI) and the Department of Telecommunications and follow the procedures prescribed by them in this regard. Information pertaining to transaction records must be accurate and kept in such a way that individual transactions can be reconstructed, and for this purpose the information to be recorded includes parties to the transactions, the IP addresses, nature, amount, and date of transaction.

10. Recording of Data – Data centres, virtual private server providers, cloud service providers, and virtual private network (VPN) service providers have been mandated to record the following information ‘accurately’ for a period of five years or longer as required, after any cancellation or withdrawal of the registration:

10.1 Names of customers hiring the services

10.2 Hiring Period

10.3 IP addresses assigned to members

10.4 The email address, IP address, and time stamps used at the time of registration

10.5 Hiring Purpose

10.6 Contact information and Addresses (validated)

10.7 Ownership pattern of customers i.e., basic information about the customers and brief particulars of key management.

For the purpose of the above, VPN service provider means any entity that provides “Internet proxy like services” through the use of VPN technologies to general internet subscribers/users. This restricted definition relieves corporates or enterprises using VPNs, who, as per the definition, are now not required to maintain their customer data.

11. Sanctions – Failure to furnish information to CERT-IN or failure to comply with the Directions, may be punishable with up to one year in prison and/or a fine of up to one lakh rupees, as per Section 70B(7) of the IT Act. Enforcement under the IT Act has generally been quite lax and we are not aware of any instance of action having been taken for a failure to report a cybersecurity incident under the CERT-In Rules. Therefore, while section 70B(7) of the IT Act contemplates punishment in the form of imprisonment as well, there is nothing to suggest that it will actually be enforced in practice. The Government has tried to relieve concerns about sanctions by stating in the FAQs that the power to impose penal sanctions will be exercised reasonably and when the non-compliance is deliberate.

12. Conclusion

12.1 India is in dire need of a more robust framework for identifying, reporting, and addressing incidents of cyber security breaches, including a clear legal framework for the same, and it is heartening to see that the Government is focusing on this issue. However, the way this is being achieved appears to be quite disorganized and runs the risk of not really meeting the ultimate goal, i.e., an open, safe, trusted and accountable internet, as stated in the FAQs. In addition to sectoral reporting requirements (i.e. to SEBI, RBI and IRDAI, where relevant), reporting will have to be made under the CERT-In Rules and the Directions (as clarified by the FAQs). Some of the clarifications given through the FAQs have the impact of diluting the regulatory obligations under the Directions, even though the FAQs expressly clarify that they are not a legal document. It will be interesting to see how this interplay between the Directions and FAQs will play out in practice.

12.2 The cyber incident reporting obligation as currently specified in the Directions could result in a huge volume of reports (multiple reporting of the same incident), several of which may be incomplete, without any classification based on severity. The Government will need to consider whether, beyond increasing the compliance cost and obligations of the Regulated Entity and the Government (to review and act based on the reports submitted to it), it will achieve the ultimate objective of ensuring an open, safe, trusted and accountable internet.

12.3 Several organizations have indicated their inability to comply with these requirements, especially those relating to retention and disclosure of personal data, and have even indicated that they may need to reconsider conducting business in India if these requirements are mandatory. Based on the FAQs and subsequent public comments from the Government (the Union Minister of State for Electronics and Information has stated that those who cannot comply with the Directions can pull their services out of India), it does not appear that the Government intends to back down or dilute these obligations significantly in the short term. Accordingly, since the Directions are intended to be effective from 27 June 2022, from an organizational perspective and to avoid any actions for non-compliance, a Regulated Entity would do well to focus on and develop a framework (including changes to technology) for reporting cyber incidents as required under the Directions. There are several other considerations that will need to be taken into account while complying with the obligations under the Directions, especially for multinational companies that have obligations of confidentiality and privacy under other laws.

Deepa Christopher

Partner, Bengaluru
