May 5, 2022
The Indian Computer Emergency Response Team (“CERT-In”) has issued key directives dated April 28, 2022 (“Directions”) under the Information Technology Act, 2000 (“IT Act”) relating to “information security practices, procedure, prevention, response and reporting of cyber incidents”, which aim to strengthen cyber security practices in India.
CERT-In is the national nodal agency (under the Ministry of Electronics and Information Technology, Government of India) in charge of analyzing, investigating and handling threats in cyberspace, including cyber incidents which are reported to it. CERT-In has noted (in the Directions) that often, however, the primary information it requires to carry out its functions is unavailable or not readily available.
As a result, under the Directions, CERT-In has set out various requirements to be followed by “service providers, intermediaries, data centres, body corporate and Government organisations”, inter alia relating to: synchronization of ICT systems clocks; reporting of cyber incidents within six hours of noticing (or being brought to notice of) such incidents; the requirement to take action or provide information or assistance (in the format and within the timeframe) as may be required by CERT-In; and, relatedly, the designation of a Point of Contact (“PoC”) to communicate with CERT-In.
Notably, CERT-In has specified the cyber incidents required to be reported to it (as well as the method and format of their reporting) under the Directions. Interestingly, these include: malicious code attacks such as spreading of virus/worm/trojan/bots/spyware/ransomware/cryptominers; attacks or incidents affecting digital payment systems; and attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, and drones.
CERT-In has also specified the format in which the updated information of the PoC is to be provided to it from time to time. Importantly, the Directions are required to be followed by, and specifically set out requirements for, entities dealing in cryptocurrency and service providers such as Virtual Private Server (“VPS”) providers and Virtual Private Network (“VPN”) providers. The following specific requirements (pertaining to data storage) are to be followed under the Directions:
CERT-In has broadly specified the KYC procedures to be referenced by the relevant entities under the Directions. In view of the above, it may be readily inferred that the Directions will impact not just the relevant entities but also Indian citizens and any users or persons dealing with or availing services from such entities, particularly in terms of the privacy and security of users and the possibility of data breaches. The Directions will come into effect within sixty days (from the date of issue), leaving a short window of time for all relevant entities to ensure they are compliant with all requirements thereunder. It is also pertinent to note that non-compliance with the Directions could lead to punitive action under the IT Act.