The Indian Computer Emergency Response Team (“CERT-In”) issued some directions related to cyber security on April 28, 2022 (“CERT Directions”). These directions apply to service providers, intermediaries, body corporate and government organisations (“Entities”, and individually “Entity”). CERT-In also published ‘Frequently Asked Questions on Cyber Security Directions of 28.04.22’ (“FAQs”) to address various queries and representations received from stakeholders.
These directions have introduced certain compliances which the Entities have to follow from 27 June, 2022.
This playbook will discuss the CERT Directions from the viewpoint of compliances – what needs to be done, how and when.
For any discussions, please e-mail srishtiojha@veristlaw.com or sudha.muddaiah@veristlaw.com. And remember this is not formal legal advice!
Key Terms
Let's play
1. Applicability
1.1 The CERT Directions are applicable to all service providers, intermediaries, data centres, body corporates, virtual private server (VPS) providers, cloud service providers, virtual private network (VPN) service providers, virtual asset service providers, virtual asset exchange providers, custodian wallet providers and government organizations.
1.2 Individual citizens are not covered under the CERT Directions.
1.3 Extra-territorial application:
1.3.1. In relation to the entities which do not have presence in India but serve Indian customers (i.e., do not have servers located in India), Section 1 of the Information Technology Act, 2000 (“IT Act”) provides that the IT Act is applicable to the whole of India and also to any offence or contravention thereunder committed outside India by any person.
1.3.2. Section 75(2) of the IT Act further provides:
“an offence or contravention committed outside India by any person if the act or conduct constituting the offence or contravention involves a computer, computer system or computer network located in India.”
1.3.3. Therefore, even if a entity is foreign, if the offence or contravention involves a computer, computer network or computer system located in India, the IT Act along with the rules and directions under it are applicable on it.
2. Compliances required
The CERT Directions require any service provider, intermediary, data centre, body corporate and government organization to adhere to the following:
2.1. Mandatory Reporting
2.1.1. A service provider, intermediary, data centre, body corporate and government organization is required to report cyber incidents, as mentioned in Annexure I of the CERT Directions, within six (6) hours of noticing such incidents or being brought to notice about such incidents. The requirement of mandatory reporting of cyber incidents was already there under Rule 12(1)(a) of the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 (“CERT Rules”).
2.1.2. The CERT Directions have made the requirement more stringent in following ways:
a. Under the CERT Rules, the Entity had to report prescribed cyber incidents “within a reasonable time of occurrence or noticing the incident to have scope for timely action”. However, under CERT Directions, this period has been mentioned to be six (6) hours.
b. The prescribed cyber incidents which have to be reported to CERT-In have been increased in the Directions.
2.1.3. As per Rule 3(1)(l) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (“Intermediary Rules”), an intermediary should report cyber security incidents and share related information with CERT-In in accordance with CERT Rules. Since the requirement of mandatory reporting is mentioned in the Intermediary Rules, CERT Rules and CERT Directions, there was some confusion among the stakeholders. To clear this conflict, FAQs say that the cyber incidents which are mentioned in annexure of CERT Rules and Annexure I of the CERT Directions should be mandatorily reported by the Entity to CERT-In.[1]
2.1.4. Where to report?
a. Email – incident@cert-in.org.in
b. Phone – 1800-11-4949
c. Fax – 1800-11-6969
2.1.5. How to report?
a. The system administrator of the affected Entity should fill the incident reporting form available here.
b. Post verification of the information received and confirmation about happening of an incident, CERT-In will assign a tracking number and designate a team to assist the system administrator in handling the incident.
c. It should be noted that CERT-In will provide support to the system administrator in identifying the incident, containing it, eradicating the source of incident and recovering from the incident. The support is only in the form of advice. CERT-In does not send any person for attending the response activity at the site of occurrence.[2]
2.2. Point of contact
2.2.1. The service providers, intermediaries, data centres, body corporate and Government organisations should designate a Point of Contact (“PoC”) to interface with CERT-In. Each Entity should send the information pertaining to the PoC to CERT-In in the format prescribed in Annexure II of the CERT Directions via email to info@cert-in.org.in.
2.2.2. Even if the Entity does not have a physical presence in India offering services to the users in India, it has to designate the PoC.
2.3. Data localization
2.3.1. The VPN service providers, along with entities like data centres, virtual private server (VPS) providers, cloud service providers, are required to register the following accurate information which must be maintained by them for a period of five (5) years or longer duration as mandated by the law after any cancellation or withdrawal of the registration as the case may be[3]:
a. validated names of subscribers/customers hiring the services;
b. Period of hire including dates;
c. IPs allotted to / being used by the members;
d. email address and IP address and time stamp used at the time of registration / on-boarding;
e. purpose for hiring services;
f. validated address and contact numbers; and
g. ownership pattern of the subscribers / customers hiring services.
2.3.2. The term ‘VPN service provider’ refers to an Entity that provide “Internet proxy like services” through the use of VPN technologies, standard or proprietary, to general Internet subscribers/users.[4] Therefore, this requirement is not applicable to enterprise/corporate VPNs.
2.3.3. ‘ownership patter of the subscribers/customers hiring services’ means basic information about customers/subscribers of the VPN service provider which will include details like whether the customer/subscriber is an individual, company, partnership, association etc., and brief particulars of key management.[5]
2.4. Mandatory Logging
2.4.1. The service providers, intermediaries, data centres, body corporate and Government organisations should mandatorily enable and maintain logs of all their ICT (Information Communications Technology) systems and maintaining them securely for a rolling period of one hundred and eighty (180) days.
2.4.2. As per FAQs[6], the logs which have to be maintained are ‘firewall logs, Intrusion Prevention Systems logs, SIEM logs, web / database/ mail / FTP / Proxy server logs, Event logs of critical systems, Application logs, ATM switch logs, SSH logs, VPN logs etc.’
2.4.3. The FAQs clarify that there is no obligation on the Entity to store copy of logs in India only as long as the Entity can produce the logs to CERT-In whenever required within a reasonable time.[7]
2.4.4. An officer of CERT-In not below the rank of Deputy Secretary to the Government of India can require the Entity to submit the information about logs.[8]
2.5. Synchronization of ICT systems clock
2.5.1. All service providers, intermediaries, data centres, body corporate and government organisations should connect to the network time protocol (“NTP”) server of the National Informatics Centre (“NIC”) or National Physical Laboratory (“NPL”) to synchronise their ICT system clocks with that of NTP server.
2.5.2. If an organization having ICT systems has infrastructure spanning across different territories, it can use different source than NPL or NIC, however it has to ensure that such time source is accurate and conforms to the time provided by NTP servers of NIC or NPL.
2.5.3. The CERT-In has clarified in the FAQs that, generally also, organisations may use different source than NPL or NIC, however they have to ensure that such time source is accurate and conforms to the time provided by NTP servers of NIC or NPL[9].
2.5.4.Thus, this condition is not very steadfast. Organisations can use different time source other than NPL or NIC provided such time source is accurate and conforms to the time provided by NTP servers of NIC or NPL.
2.5.5. How to synchronise?
As per FAQs:
‘System clocks can be synchronised by configuring NTP Servers of the NIC or NPL as a time source in the enterprise NTP Server (or on the device being used as NTP Server/s for the enterprise).
The details of NTP Servers of NIC and NPL are currently as follows:
National Informatics Centre (NIC)
samay1.nic.in
samay2.nic.in
National Physical Laboratory:
time.nplindia.org’[10]
3. KYC
Certain Entities which deal with virtual assets like virtual asset service providers, virtual asset exchange providers and custodian wallet providers should maintain information as part of Know Your Customer (KYC) norms. This KYC process should be aligned with existing procedures provided by Reserve Bank of India, Department of Telecom or Securities and Exchange Board of India. Further, the records of financial transactions should be kept for a period of five (5) years.
4. Deadline to comply
The CERT Directions will become effective after sixty (60) days from the date on which the directions were issued. Thus, the directions will become effective from 27 June, 2022.
5. Penalty/punishment for non-compliance with directions
Any service provider, intermediary, data centre, body corporate or person who fails to provide the information called for or comply with the direction issued by CERT-In under Section 70B (6) can be punished with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.[11]
Footnotes:
[1] Answer to Que 10, Frequently Asked Question, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [2]https://www.cert-in.org.in/ [3] Indian Computer Emergency Response Team, ‘Directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet’ April 28, 2022 available at https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf [4] Answer to Q. 34, Frequently Asked Questions, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [5] Answer to Q. 33, Frequently Asked Questions, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [6] Answer to Que. 37, Frequently Asked Questions, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [7] Answer to Q. 35, Frequently Asked Questions, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [8] Answer to Que 38, Frequently Asked Questions, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [9] Answer to Que 40, Frequently Asked Questions, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [10] Answer to Que 43, Frequently Asked Questions, https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf [11] Section 70B (7), Information Technology Act, 2000.