04 May 2022
On 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued new directions (2022 Directions) under Section 70B (6) of the Information Technology Act, 2000 (IT Act) incorporating a host of cyber-security, breach reporting, and record maintenance requirements. In India, the CERT-In is appointed as the national agency for performing various functions in the area of cyber security as per provisions of section 70B of the IT Act. The CERT-In is also empowered to call for information and give directions to any service provider, intermediary, data centre, body corporate and Government organisation. The 2022 Directions have been issued to augment incident response measures. This update provides a brief overview of the new requirements imposed by the 2022 Directions
The Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013 (CERT-In Rules) had not prescribed a timeframe within which cyber-security incidents must be reported and only required reporting within a reasonable time frame. The 2022 Directions, on the other hand, make this requirement more stringent by requiring cyber security incidents to be reported within six hours of noticing or being brought to notice of such incident to the CERT-In. Given the short time frame, organisations would need to reassess their practices and procedures in relation to breach reporting, and ensure that appropriate organisational capabilities are deployed in order to identify and report cyber security incident in this time frame.
Further, under the CERT-In Rules only those cyber security incidents specified as mandatorily reportable were required to be reported. However, the 2022 Directions expand this list to include: (i) data breach; (ii) data leak; (iii) attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers; (iv) attacks or incidents affecting digital payment systems; (v) attacks through malicious mobile apps; (vii) unauthorised access to social media accounts; (viii) attacks or malicious/ suspicious activities affecting cloud computing systems/servers/software/applications; (ix) attacks or malicious/suspicious activities affecting systems/servers/networks/software/applications related to big data, block chain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, drones; (x) attacks or malicious/suspicious activities affecting systems/servers/software/applications related to Artificial Intelligence and Machine Learning. There is no clarity on the specifics of what these incidents entail, and no impact threshold has been specified presently.
Supreme Court on the enforceability of an unstamped or insufficiently stamped arbitration agreement
05 May 2023
Supreme Court finally settles issues related to Change in Law provisions
24 Apr 2023
Supreme Court makes ITC availment more onerous for taxpayers
17 Apr 2023
Electronic maintenance of accounts – Requirements under the amendment to the Companies (Accounts) Rules, 2014
30 Mar 2023Draft Digital Personal Data Protection Bill, 2022
24 Nov 2022The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Amendment Rules, 2022
07 Nov 2022If you would like to receive content directly in your inbox from our knowledge repository, please complete this subscription form. This service is reserved for clients and eligible contacts.
This page contains general information regarding Trilegal and is not intended as a solicitation or an advertisement of its services or any invitation or inducement of any sort. Nothing contained in this website constitutes legal advice or creation of a lawyer-client relationship. If you have any issues, you must seek legal advice. Trilegal is not liable for the consequences of any action taken by relying on the material/information provided on this website. For more information, please read our terms of use and our privacy policy.
