On April 28, 2022, CERT-In, a government nodal agency for cybersecurity, issued a new set of directions/guidelines to strengthen and augment the country’s cybersecurity, effective from June 27, 2022. The directions cover information security practices, procedures, prevention, response, and reporting of cybersecurity incidents. Read the guidelines in detail at https://www.cert-in.org.in/.

CERT-In is also authorized to ask for information from, and provide guidance to, service providers, data centers, intermediaries, government organizations, and body corporates. According to Section 70B (7), if any of these entities fail to provide the information or do not comply with the new directions during a cybersecurity incident, they are punishable by law. The main objective is to prevent threatening cybersecurity incidents. CERT-In has also published a list of frequently asked questions (FAQs) and answers to help people better understand the CERT-In Directions 2022.

After the new directions were issued, CERT-In received several requests from MSMEs (micro, small, and medium enterprises) for an extension of the timeline. VPS (Virtual Private Server) service providers, data centers, VPN (Virtual Private Network) service providers, and cloud service providers also requested additional time for the validation process of customers and subscribers. So, on June 27, 2022, CERT-In decided to provide an extension until September 25, 2022, to adhere to the new cybersecurity directions completely. (As of July 12, 2022.)

Cybersecurity Incidents

Here is a list of cybersecurity incidents that must be reported to CERT-In by the service providers, data centers, intermediaries, government organizations, and body corporates.

  • Compromise of sensitive information and critical systems
  • Threat actors or third parties gaining unauthorized access to IT systems and data
  • Defacement or vandalism of a website, and unauthorized changes such as injecting malicious code or adding links to external websites
  • Attacks on servers such as DNS and mail, databases, and network devices such as routers
  • Phishing attacks, identity theft, and spoofing
  • Attacks on IoT (Internet of Things) devices and associated systems, servers, networks, or software
  • Cyber incidents or attacks affecting digital payment systems or applications
  • Gaining unauthorized access to any social media account and more.

New CERT-In Directions 2022 Requirements

Here are the requirements that were proposed in the new CERT-In directions 2022.

Six (6) Hour Timeline for Reporting Any Cybersecurity Incident:

In the 2022 directions, CERT-In made it mandatory that any cybersecurity incident be reported within six hours of noticing it. Therefore, organizations must reevaluate their practices and procedures associated with cybersecurity incidents such as data breaches.

Request the Information:

Under section 14 of the CERT-In regulations, an officer of the rank of Deputy Secretary or higher is entitled to seek information from entities in a specific format within 6 hours of the incident.

CERT-In Guidelines 2022 (new)

Maintaining System Logs for 180 days:

Entities must maintain the logs of all their information and communication technology (ICT) systems for 180 days, and keep them in India. These logs will be required when reporting a cyber incident.

Clocks Synchronization:

Global entities are permitted to use different time sources for synchronization over NTP (Network Time Protocol), provided that their time source does not deviate from NIC (National Informatics Centre) and NPL (National Physical Laboratory).

Know Your Customer (KYC) Information and Retention of Financial Transaction Records:

Virtual asset service providers, virtual asset exchange providers, and custodian wallet providers will have to maintain KYC information and records of financial transactions.

Data Collection from the Subscribers and Retention:

Specified entities such as Data Centers (DCs), Cloud Service Providers (CSPs), Virtual Private Network (VPN) providers, and Virtual Private Server (VPS) providers are required to maintain a proper record of subscribers’ information, including KYC (Know Your Customer) details, for a minimum of 5 years after cancellation of the user’s registration.

Penalty for Non-Compliance:

Non-compliant entities will be punished under Section 70B (7) of the IT Act, which means a fine of up to INR 1,00,000 (one lakh rupees) or imprisonment for up to one year.

Conclusion

The CERT-In directions 2022 have broadened the compliance mandates for entities, such as reporting any cybersecurity incident within 6 hours, syncing all systems to Indian NTP, etc. Not complying with them will invoke the penal provisions. CERT-In has extended the timeline for complying with the guidelines from June 28, 2022, to September 25, 2022, after receiving several requests from MSMEs, Cloud Service Providers, Data Centers, and VPN and VPS service providers. CERT-In has also published a set of FAQs to help entities better understand the latest cybersecurity directions. These guidelines will help strengthen and augment the country’s cybersecurity, as they create a new framework for different entities to withstand various security breaches and threats. The new directions seek to address various security gaps and loopholes in the cybersecurity regulations.

Reference

https://www.cert-in.org.in/

https://www.cert-in.org.in/PDF/CERT-In_Directions_70B_28.04.2022.pdf

https://www.cert-in.org.in/PDF/FAQs_on_CyberSecurityDirections_May2022.pdf

https://pib.gov.in/PressReleaseIframePage.aspx?PRID=1837487

https://government.economictimes.indiatimes.com/news/governance/cert-in-extends-deadline-for-msmes-to-enforce-cyber-security-directions-till-september-25/92515113

Author,

Sanjana Yadav,

Marketing Department,

Varutra Consulting Pvt. Ltd.