04 May 2022
On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions (2022 Directions) under Section 70B (6) of the Information Technology Act, 2000 (IT Act) incorporating a host of cyber-security, breach reporting, and record maintenance requirements. In India, the CERT-In is appointed as the national agency for performing various functions in the area of cyber security as per provisions of section 70B of the IT Act. The CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and Government organisation. The 2022 Directions have been issued to augment incident response measures. This update provides a brief overview of the new requirements imposed by the 2022 Directions
The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (CERT-In Rules) had not prescribed a timeframe within which cyber-security incidents must be reported and only required reporting within a reasonable time frame. The 2022 Directions, on the other hand, make this requirement more stringent by requiring cyber security incidents to be reported within six hours of noticing or being brought to notice of such incident to the CERT-In. Given the short time frame, organisations would need to reassess their practices and procedures in relation to breach reporting, and ensure that appropriate organisational capabilities are deployed in order to identify and report cyber security incident in this time frame.
Further, under the CERT-In Rules only those cyber security incidents specified as mandatorily reportable were required to be reported. However, the 2022 Directions expand this list to include: (i) data breach; (ii) data leak; (iii) attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers; (iv) attacks or incidents affecting digital payment systems; (v) attacks through malicious mobile apps; (vii) unauthorised access to social media accounts; (viii) attacks or malicious/ suspicious activities affecting cloud computing systems/servers/software/applications; (ix) attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, block chain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones; (x) attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning. There is no clarity on the specifics of what these incidents entail, and no impact threshold has been specified presently.
A Comparative Analysis of the New Criminal Bills and the Existing Codes
21 Nov 2023
Interplay of the Insolvency and Bankruptcy Code, 2016 with the provisions of the Income Tax Act, 1961
20 Nov 2023
Supreme Court ruling on the Most Favoured Nation clause likely to withhold benefits for taxpayers
17 Nov 2023
Electronic maintenance of accounts – Requirements under the amendment to the Companies (Accounts) Rules, 2014
30 Mar 2023
Draft Digital Personal Data Protection Bill, 2022
24 Nov 2022The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022
07 Nov 2022If you would like to receive content directly in your inbox from our knowledge repository, please complete this subscription form. This service is reserved for clients and eligible contacts.
Under the rules of the Bar Council of India, Trilegal is prohibited from soliciting work or advertising in any form or manner. By accessing this website, www.trilegal.com, you acknowledge that:
We prioritize your privacy. Before proceeding, we encourage you to read our privacy policy, which outlines the below, and terms of use to understand how we handle your data:
For more information, please read our terms of use and our privacy policy.
