The Indian Computer Emergency Response Team (“CERT-In”) issued Directions on April 28, 2022 “to strengthen the cybersecurity in the country,” and these have significant implications for the cybersecurity landscape. Effective June 27, 2022, the Directions, among other requirements, impose a strict 6-hour timeline for notice of a cybersecurity incident and expand the types of cybersecurity incidents that must be reported. These Directions effectively amend the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT-In Rules”) issued under Section 70B(5) of the IT Act.
The broadly worded Directions apply to most businesses operating in India, with the notification provision applying to any “service provider, intermediary, data centre, body corporate and Government organization.” All such entities must report “cyber incidents” to CERT-In within 6 hours of “noticing such incidents or being brought to notice about such incident.” This effectively amends the CERT-In Rules, which required reporting of certain cyber incidents to CERT-In “as early as possible to leave scope for action.” While CERT-In created a standard form that entities may use for notice, the Directions state that notice to CERT-In can be made via email, phone, or fax. Further, the Directions note that the details regarding method and format of how an entity may report cyber incidents are posted on the CERT-In website and may be updated from time to time.
What constitutes a “cyber incident” is also expanded by the Directions. While the 2013 CERT-In Rules listed 10 types of incidents on which reporting was mandatory for any affected entity, the Directions have doubled the types of incidents that trigger mandatory reporting. Annexure I of the Directions includes a list of 20 types of incidents for which reporting is mandatory within the 6-hour window (the first two bullets of which were required reporting under the previous rules). This list includes:
- Targeted scanning or probing of critical networks or systems
- Defacement of a website or intrusion into a website and making unauthorized changes
- Fake mobile Apps
- Unauthorized access to social media accounts
- “Suspicious activities” affecting cloud computing systems or servers, networks and systems related to block chain and virtual assets, systems and servers related to machine learning, among other various systems, servers, software, networks, and applications.
Reporting on these incidents is not triggered by severity or by actual impact to data, networks, or systems. Rather, an entity need only “notice” the incident, or be “brought to notice” of it, for reporting to CERT-In to be required. For example, under this new requirement, an entity that notices a fake mobile app imitating its real mobile app may have to report the incident to CERT-In within 6 hours, regardless of any indication as to whether a consumer or the entity has suffered harm.
When providing notice to CERT-In, entities are expected to provide basic information on the incident. The form includes sections where the entity can identify the type of incident, provide information on the affected system, and briefly describe the incident. Notably, the form has a check box option to indicate whether the individual is reporting on behalf of the affected entity or is reporting an incident that affected a different entity. CERT-In further clarified in the FAQs that supplemental information may be required if the entity is able to provide only limited information in the initial report.
The Directions further allow CERT-In to seek information and issue orders to an entity both in the context of an incident and in order to take “protective and preventative actions.” Non-compliance with such an order or request is treated as noncompliance with the Directions, which is criminally punishable pursuant to sub-section 7 of section 70B of the IT Act, 2000. The consequences of noncompliance by any service provider, intermediary, data centre, body corporate or person can include fines of up to one lakh rupees, or up to one year of imprisonment. The Directions do not indicate which corporate officers or employees could be imprisoned for noncompliance. However, the FAQs state that CERT-In will exercise its enforcement power reasonably and only when noncompliance is deliberate.
In addition to the expanded reporting requirements, the Directions include requirements on maintenance and disclosure of logs and, for certain entities such as VPN and cloud service providers, maintaining and registering certain information on their customers and customer use of services.