CERT-IN ISSUES DIRECTIONS AND CLARIFICATIONS RELATING TO CYBER SECURITY PRACTICES

Authored by – Mr. Rishi Anand, Partner; Mr. Nakul Batra, Associate Partner and Mr. Kunal Garg, Associate.

The Indian Computer Emergency Response Team (“CERT-In”), the national agency appointed by the Central Government under Section 70B of the Information Technology Act, 2000 (“IT Act”) to perform various functions in the area of cyber security, issued new directions on cyber security on April 28, 2022 under Section 70B(6) of the IT Act (“Directions”). The Directions set out requirements relating to the timeline for reporting cyber security incidents and to the maintenance of KYC and transaction information by intermediaries, crypto exchanges, wallet custodians, data centres, etc. Soon after the release of the Directions, affected organizations submitted several queries on the provisions of the Directions. On the basis of these queries, CERT-In published a set of frequently asked questions on May 18, 2022 (“FAQs”) clarifying certain provisions of the Directions.

These Directions come into effect 60 days from April 28, 2022 and apply to service providers, intermediaries, data centres, body corporates and government organizations (“Stakeholders”). Further, Q. No. 27 of the FAQs clarifies that the Directions also apply to virtual asset service providers, virtual asset exchange providers and custodian wallet providers that are not located in India but cater to Indian users. This is likely to extend the applicability of the Directions to crypto/NFT exchanges and other platforms dealing in virtual digital assets (including gaming platforms, metaverses, etc.).

This note sets out the key compliance requirements that Stakeholders must meet under the Directions:

Reporting of Cyber Incident within 6 Hours[1]

All Stakeholders are mandatorily required to report cyber incidents of the specified nature within 6 hours of noticing them or being brought to notice of them; the details available at the time of reporting are to be submitted within this window, and the remaining details subsequently, as they become available.[2] Where multiple Stakeholders are affected, the reporting obligation cannot be contractually shifted to a single party.[3] Further, entities whose data is breached through third-party systems are also bound to report the cyber incident to CERT-In.[4]

The specific cyber incidents required to be reported are annexed separately to the Directions and include incidents involving unauthorized access to IT systems/data, phishing attacks, data breaches, data leaks, attacks or incidents affecting digital payment systems, attacks on IoT devices and associated systems, and attacks on systems related to artificial intelligence, machine learning, blockchain, virtual assets, virtual asset exchanges, big data, custodian wallets, drones, etc.

Information Request and Assistance to CERT-In[5]

CERT-In is entitled to seek information/assistance from the Stakeholders for the formulation of cyber incident response, protective and preventive actions related to cyber incidents, cyber security mitigation actions and cyber security situational awareness. Considering the extra-territorial applicability of the IT Act under Sections 1 and 75, CERT-In may also seek such information/assistance from Stakeholders operating outside India but providing services to Indian users.

Further, as clarified under Q. No. 22 of the FAQs, contractually agreed non-disclosure obligations between parties are overridden by the mandatory disclosure requirement under the Directions, since both the Directions and the IT Act have an overriding effect in terms of Section 81 of the IT Act.

Designating Point of Contact[6]

All Stakeholders must designate a point of contact to liaise with CERT-In, even if they have no physical presence in India. This point of contact will also receive all communications from CERT-In seeking information and issuing directions for compliance.

Data Localization[7]

All Stakeholders must enable logging on their ICT systems and maintain the logs securely for a rolling period of 180 days. Q. No. 35 of the FAQs further clarifies that a copy of such logs may be stored outside Indian jurisdiction, as long as the logs are provided to CERT-In within a reasonable time. However, logs and records of financial transactions are required to be stored in India, as clarified under Q. No. 36 of the FAQs.

Registration Requirements[8]

Data centres, virtual private server providers, cloud service providers and virtual private network service providers (“VPN Service Providers”) are required to register and maintain certain information pertaining to their customers/users for a period of 5 years, or such longer duration as mandated under law, after cancellation or withdrawal of the user registration.

Q. No. 34 of the FAQs further clarifies that enterprise/corporate VPN Service Providers are not required to maintain such customer data, because for the purposes of the Directions a VPN Service Provider means any entity providing “internet proxy like services” through VPN technologies, standard or proprietary, to general internet users/subscribers. Corporates that use VPNs to give employees and other stakeholders access to their IT systems will therefore benefit from this clarification. However, the exemption does not relieve enterprise/corporate VPN Service Providers of the obligation to maintain logs of their ICT systems under the Directions.

Cyber Security in Payment and Financial Market[9]

To ensure cyber security in the payment and financial market, all virtual asset service providers, virtual asset exchange providers and custodian wallet providers are required to maintain all information obtained as part of the KYC process, and records of financial transactions, for a period of 5 years within Indian jurisdiction. Transaction records must be maintained in such a way that individual transactions can be reconstructed along with their relevant elements. Additionally, as clarified under Q. No. 36 of the FAQs, foreign service providers offering services to users in India also need to maintain logs and records of financial transactions within Indian jurisdiction.

Synchronization of ICT System Clocks[10]

All Stakeholders are required to connect to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to NTP servers traceable to them, for synchronization of all their ICT system clocks. The rationale is that without accurate time stamps it is difficult for CERT-In to re-create the sequence of events during incident handling.

Entities whose ICT infrastructure spans multiple geographies may use an accurate and standard time source other than NPL and NIC; however, they must ensure that their time source does not deviate from NPL and NIC time. Entities relying on the native time services offered as part of a cloud platform may continue to use them; however, if an entity operates its own NTP service, that service must be synchronized with the NTP servers of NIC or NPL.
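The arrangement described above, an organization running its own NTP service that is itself synchronized to NIC/NPL and that every other ICT system follows, is shown below as a chrony configuration. This is an added illustration, not text from the Directions, the FAQs or this note; the upstream hostnames and the internal network ranges are placeholders, since neither the Directions nor the FAQs quoted here list the NIC/NPL server addresses.

```conf
# /etc/chrony/chrony.conf on the organization's own NTP server.
# Upstream sources: the NIC and NPL time servers. The hostnames below are
# PLACEHOLDERS; substitute the addresses published by NIC and NPL.
server nic-ntp.PLACEHOLDER.example iburst
server npl-ntp.PLACEHOLDER.example iburst

# Refuse any upstream whose root distance exceeds 100 ms, so a faulty or
# spoofed source cannot pull the local clock away from NIC/NPL time.
maxdistance 0.1

# Step the clock only during the first three updates after boot; afterwards
# slew it, so log timestamps on this host never jump backwards.
makestep 1.0 3
rtcsync
driftfile /var/lib/chrony/drift

# Deliberately no "local stratum" directive: if all upstreams are lost this
# server stops serving time rather than handing out untraceable timestamps.

# Serve time to internal hosts only (placeholder ranges).
allow 10.0.0.0/8
allow 192.168.0.0/16

# Retain chrony's own tracking logs; they document how far this clock was
# from NIC/NPL time during any incident window CERT-In later asks about.
logdir /var/log/chrony
log tracking measurements statistics

# ------------------------------------------------------------------------
# /etc/chrony/chrony.conf on every other ICT system: follow only the
# internal server above (placeholder name), which keeps the whole estate
# traceable to NIC/NPL through a single controlled hop.
# server ntp.internal.PLACEHOLDER.example iburst
# makestep 1.0 3
# rtcsync
# driftfile /var/lib/chrony/drift
```

After reloading chrony, `chronyc tracking` reports the reference source and the current offset of the system clock from it, and `chronyc sources -v` lists each configured upstream with its reachability and measured offset; a `Reference ID` that resolves to the NIC/NPL placeholder above, with an offset in the millisecond range, is the evidence that the "traceable to NIC/NPL" condition is being met. The same two commands run on a client should show the internal server as its sole source.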

Non-compliance

Any deliberate non-compliance with the Directions may attract punitive action under Section 70B(7) of the IT Act, which provides for imprisonment for up to 1 year, or a fine which may extend to Rs. 1,00,000, or both.

DSK Comments:

  • The Directions require service providers, intermediaries, data centres, body corporates and government organizations to enable logging on their ICT systems and to maintain the logs over a rolling period of 180 days. Such log storage may be practically hard to implement, given that data sits on inter-related, shared infrastructure that may be spread across computers/nodes around the globe. In this regard, it is crucial to note that the Indian Parliament is also in the process of finalizing India’s first comprehensive data privacy bill, and a data localization mandate is expected to be among the key provisions codified under that law. Once it is promulgated, the data localization norm under the Directions will also need to be reviewed in consonance with India’s upcoming data protection legislation.
  • The Directions also require virtual asset service providers, virtual asset exchange providers and custodian wallet providers to mandatorily maintain all information obtained as part of the KYC process, and records of financial transactions, for a period of 5 years. Currently, under the KYC norms, only RBI and SEBI regulated entities are required to undertake a KYC process as a mandatory requirement. While the terms virtual asset service providers, virtual asset exchange providers and custodian wallet providers are not presently defined, it appears from the Directions that these entities must undertake a KYC process for their customers going forward. Given that India is expecting a codified law on the regulation of cryptocurrencies, it will be crucial to see how that legislation deals with the aforementioned KYC provisions and which regulatory body will regulate such virtual asset service providers, virtual asset exchange providers and custodian wallet providers.

Authors:

Rishi Anand

Nakul Batra

Kunal Garg

[1] Direction No. (ii)

[2] FAQ No. 30

[3] FAQ No. 13

[4] FAQ No. 31

[5] Direction No. (iii)

[6] Direction No. (iii) read with FAQ No. 29

[7] Direction No. (iv)

[8] Direction No. (v)

[9] Direction No. (vi)

[10] Direction No. (i) read with FAQ No. 39 and 40