On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions (2022 Directions) under Section 70B(6) of the Information Technology Act, 2000 (IT Act), incorporating a host of cyber-security, breach reporting, and record maintenance requirements. In India, the CERT-In is appointed as the national agency for performing various functions in the area of cyber security as per the provisions of Section 70B of the IT Act. The CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and Government organisation. The 2022 Directions have been issued to augment incident response measures. This update provides a brief overview of the new requirements imposed by the 2022 Directions.
The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (CERT-In Rules) had not prescribed a timeframe within which cyber-security incidents must be reported and only required reporting within a reasonable time frame. The 2022 Directions, on the other hand, make this requirement more stringent by requiring cyber security incidents to be reported to the CERT-In within six hours of noticing such an incident or of it being brought to notice. Given the short time frame, organisations would need to reassess their practices and procedures in relation to breach reporting, and ensure that appropriate organisational capabilities are deployed in order to identify and report cyber security incidents in this time frame.
Further, under the CERT-In Rules, only those cyber security incidents specified as mandatorily reportable were required to be reported. However, the 2022 Directions expand this list to include: (i) data breach; (ii) data leak; (iii) attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers; (iv) attacks or incidents affecting digital payment systems; (v) attacks through malicious mobile apps; (vii) unauthorised access to social media accounts; (viii) attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications; (ix) attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, block chain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones; (x) attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning. There is no clarity on the specifics of what these incidents entail, and no impact threshold has been specified presently.