Current framework
New draft rules
Timebound cyber-security incident reporting
New record-keeping obligations
Point of contact
Expanding scope of cybersecurity regulation
Comment
The cyber incident reporting framework in India is poised for an overhaul, following the announcement of new (draft) reporting rules. While these new rules add some clarity and details to the existing reporting framework, there are some areas that arguably go beyond the scope of cybersecurity regulations.
Current framework
The Indian Information Technology Act 2000 (IT Act) designates the Indian Computer Emergency Response Team (CERT-In) to serve as the national agency for safeguarding cyberspace in India. CERT-In was established in 2004 to deal with cybersecurity matters and is tasked, among other things, with:
- analysing cybersecurity incidents;
- coordinating responses; and
- issuing advisories for such incidents.
In 2014, a new set of rules established a 24-hour incident response desk at CERT-In for reporting security incidents.
Any individual, organisation or corporate entity may report cybersecurity incidents to CERT-In. For certain identified security incidents (eg, unauthorised access to IT systems, malicious code attacks, identity theft and denial of service), the rules require service providers, intermediaries, data centres and other corporate bodies to report the incident to CERT-In within a reasonable time after it occurred or was noticed (rule 12 of the 2014 rules). Since no specific timeline was prescribed beyond "reasonable time", reporting under the 2014 rules has been sporadic.
New draft rules
With the stated aim to "augment and strengthen" cybersecurity, the new draft rules propose a defined timeline for reporting cyber incidents. In addition, new requirements around record keeping and local storage in India have been introduced for certain specified entities. The new directions will apply from 28 June 2022.
Timebound cyber-security incident reporting
All entities must now report cybersecurity incidents to CERT-In within six hours of noticing them or of being informed of them. The requirement was previously to report "within a reasonable time".
The cybersecurity incidents include:
- unauthorised access to IT systems or data;
- compromise of critical systems;
- data breach;
- data leak;
- identity theft and phishing;
- malware affecting:
  - cloud computing systems;
  - software related to big data;
  - blockchain;
  - virtual assets;
  - drones;
  - additive manufacturing; and
  - artificial intelligence and machine learning; and
- cyberthreats or attacks on social media accounts, payment systems and internet of things devices.
In addition, CERT-In continues to have the power to direct intermediaries and data centres to take protective and preventive measures towards cybersecurity mitigation.
The penalties for failing to report a cybersecurity incident, or for failing to comply with a CERT-In request, remain the same as under section 70B of the IT Act (ie, a fine of up to 100,000 Indian rupees and, in egregious cases, imprisonment). While these penalties have not been enforced in practice since 2014, the far-reaching new rules may indicate that the government now intends to enforce these requirements proactively.
New record-keeping obligations
The new rules also introduce new record-keeping requirements, noting that in the past the requisite information has not been readily available.
Store logs locally
All entities are mandated to enable logging on their information and communication technology systems and to maintain the logs securely, within India, for a rolling period of 180 days. These logs are to be submitted when reporting a cybersecurity incident or whenever CERT-In requires them.
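The two obligations above (the six-hour reporting clock and the rolling 180-day log window) are the ones most easily checked mechanically. The following Python script is an added example, not code from the article or from CERT-In: it computes the reporting deadline from the time an incident was noticed and audits a set of daily log files against the rolling window. The sample log dates are constructed, and the reading of "rolling period" as "every day inside the most recent 180 days must be present, while older days may be purged" is an assumption about how the requirement is operationalised, not wording from the directions.

```python
"""Added example: reporting-deadline and rolling log-retention checks.

Not code from the article or from CERT-In. The sample log dates below are
constructed, and treating "rolling period" as "every day inside the most
recent 180 days must be present" is an assumption.
"""
from datetime import date, datetime, timedelta, timezone

REPORTING_WINDOW = timedelta(hours=6)   # report within six hours of noticing
RETENTION_DAYS = 180                     # rolling 180-day log retention


def reporting_deadline(noticed_at: datetime) -> datetime:
    """Latest time a report may be filed, counted from when the incident was noticed."""
    if noticed_at.tzinfo is None:
        # Six hours is short enough that a naive timestamp invites a timezone mistake.
        raise ValueError("noticed_at must be timezone-aware")
    return noticed_at + REPORTING_WINDOW


def audit_log_retention(log_dates, as_of: date, retention_days: int = RETENTION_DAYS) -> dict:
    """Check that a log file exists for every day of the rolling window ending at as_of.

    log_dates: iterable of dates for which a log file is present.
    Returns the window start, whether the window is fully covered, the dates
    missing inside the window, and the dates old enough to be purged.
    """
    present = set(log_dates)
    window_start = as_of - timedelta(days=retention_days - 1)
    window = [window_start + timedelta(days=i) for i in range(retention_days)]
    missing = [d for d in window if d not in present]          # gaps a log shipper outage leaves
    purgeable = sorted(d for d in present if d < window_start)  # outside the rolling window
    return {
        "window_start": window_start,
        "covered": not missing,
        "missing": missing,
        "purgeable": purgeable,
    }


# Constructed sample: daily logs for the last 200 days, with a three-day gap
# roughly six weeks ago (the kind of gap a failed log shipper leaves behind).
AS_OF = date(2022, 9, 30)
SAMPLE_LOG_DATES = [AS_OF - timedelta(days=i) for i in range(200) if i not in (40, 41, 42)]

if __name__ == "__main__":
    noticed = datetime(2022, 7, 1, 22, 30, tzinfo=timezone.utc)
    print("report by:", reporting_deadline(noticed).isoformat())
    result = audit_log_retention(SAMPLE_LOG_DATES, AS_OF)
    print("window starts:", result["window_start"])
    print("covered:", result["covered"], "missing:", result["missing"])
    print("eligible for purge:", len(result["purgeable"]), "days")
```

Run as-is, the script reports that the 180-day window is not covered because of the three missing days in August, and that the 20 oldest log days fall outside the window and may be rotated out. The retention check is deliberately date-granular: it says nothing about whether the log content is complete or tamper-evident, which is a separate control.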
Customer information
Data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers are now required to maintain certain customer information for a period of five years, such as:
- names of subscribers or customers;
- purpose of hiring service;
- IP addresses allotted to members; and
- contact details and ownership pattern of the subscribers or customers.
KYC records for VPNs and crypto
Virtual asset service providers and exchange providers (eg, non-fungible token platforms and cryptocurrency exchanges) are mandated to keep a record, for a period of five years, of:
- all information obtained as a part of know-your-customer processes (KYC);
- transactions data (eg, IP addresses and account details); and
- records of financial transactions.
The rules mandate that transaction records be maintained so that individual transactions can be reconstructed, including the following elements:
- identification of the relevant transaction IDs;
- the addresses or accounts involved;
- the nature and date of the transaction; and
- the amounts transferred.
Point of contact
Entities must designate a point of contact to act as a liaison between the entity and CERT-In, and provide their details to CERT-In. A format has been provided for reporting such details, in Annexure II to the rules. There is not yet any indication that this point of contact has to reside in India. However, it does seem that such person must be an employee, as their designation must be disclosed. There is no separate timeline prescribed for reporting these details to CERT-In.
Expanding scope of cybersecurity regulation
The new draft rules arguably go beyond the remit of pure cybersecurity and may have implications for entities engaged in fields such as VPN or cryptocurrency, or the broad category of "cloud services". It must be noted that CERT-In is not a data or financial sector regulator, and its role relates only to cybersecurity and technical aspects of cyber incidents. However, by virtue of these new rules, CERT-In has wide powers to require entities to provide data to it, including in some cases the confidential information of customers.
Comment
In summary, these new rules place more regulatory burdens on businesses, which will now be tasked with the responsibility to report cybersecurity incidents within six hours and store specific information to be made available when required. Entities will need to formulate standard operating procedures in response to a cybersecurity incident or threat and formulate record retention policies. As a knock-on effect, contractual confidentiality obligations towards customers or end-users may have to be revised in light of the data disclosure duties under these directions.
It remains to be seen whether these directions will be implemented in their current form in two months' time, or whether stakeholders will push back. No significant relaxations or rollbacks were evident in a set of FAQs released in May 2022.
For further information on this topic please contact Vikram Jeet Singh at BTG Legal by telephone (+91 22 6177 2900) or email ([email protected]). The BTG Legal website can be accessed at www.btg-legal.com.