CERT-In's new directives and their expectations

Kavitha Srinivasulu

The new cybersecurity directives, issued by the Indian government’s Computer Emergency Response Team (CERT-In) on April 28, 2022, cover the timeframe for reporting cybersecurity incidents, data breaches, storage and maintenance of logs, management of system clocks, maintenance of KYC, storage of customer information, data retention, and managing transaction records. How to implement them is currently being discussed at an enormous pace across organisations. Organisations' readiness to implement the new directives is at the stage of understanding the expectations and enabling the required controls.

Under the directions, all service providers, exchange providers, custodian wallets, data centres, private/public organisations and government organisations are mandated to report all cybersecurity-related incidents within 6 hours of noticing the occurrence, so that situations can be handled more effectively with appropriate industry-standard guidelines. Reportable cybersecurity incidents are outlined in Annexure I of the CERT-In Directions, which include malware, data losses, data breaches, data leaks, and business-critical losses. The details, form, and format for reporting cybersecurity incidents will be issued by CERT-In and may be updated/amended from time to time for adherence.

On April 28, 2022, the Indian Computer Emergency Response Team (CERT-In), a functional organisation under the Ministry of Electronics and Information Technology (MeitY), Government of India, issued a set of new directives to strengthen and control the information security practices, procedures, prevention, detection, and response to cyber incidents for a safe and reliable Internet. The directives are effective from June 27, 2022 (60 days from the date of issue). CERT-In has caused quite a stir with the announcement of its new cyber security guidelines, which are meant to equip organisations with the right level of security controls to detect and respond to critical cyber incidents, which are growing significantly day by day.

CERT-In has been permitting organisations and service industries to notify cybersecurity incidents within a reasonable time, so that organisations are able to take timely action without delay. However, gaps were identified in the form of latency or insufficient response levels within an organisation to handle incidents effectively. Due to this, a new set of guidelines has been issued to strengthen the response levels.

CERT-IN New Directives –

It is also important to pass on such obligations to vendors, clients, and stakeholders who are handling/storing critical data, to ensure that they can follow the guidelines in case of a cyber-attack, data loss, or a data breach and so comply with the directives. Logs of any device, application, database, server, cloud, etc. must be maintained and stored for the defined timelines, so that organisations protect their data and can provide the logs to CERT-In as and when needed.

Reporting cyber incidents to CERT-In within 6 hours may be an aggressive timeline compared to other countries’ response times. However, organisations need to have a monitoring mechanism in place to identify cyber security incidents, and a well-equipped incident response team along with an incident response plan, to manage an incident within the expected timelines. The relevant stakeholders should be notified immediately of a suspected security incident, and they must be able to triage and avoid further damage to the organisation.

As per the new directives, if any cyber incident has occurred over which CERT-In has jurisdiction, the organisations outlined in the Directions shall be required to furnish all details requested by CERT-In within the expected timelines to avoid non-compliance or penalties. Failure to provide any such information, or any non-compliance with the Directions, may result in punishment of imprisonment for up to 1 year or a fine which may extend to Rs. 1,00,000, or both. The new directives require companies to report cyber security incidents within 6 hours of detection, among other issues. According to industry trade groups, cybersecurity companies that provide CERT-In compliant tools, and industry experts, the overall readiness among industry players remains low. However, the main objective of the CERT-In directions is to adhere to the functions prescribed in section 70B of the Act: to assist cyber users in India in implementing measures that reduce the probability of cyber security incidents and data breaches, enable organisations’ data protection controls, and reduce risks.

Views expressed by Kavitha Srinivasulu, Global Head, Cyber Risk & Data Privacy – BFSI – TCS
