SUMMARY
Under the new guidelines, the Centre has made it compulsory for firms to report all cybercrimes within 6 hours of noticing any such incidents
The new orders also mandate companies to designate a Point of Contact to to interface with CERT-In
The new directions will enhance overall cyber security and ensure safe and trusted internet in the country: CERT-In
India’s cyber security agency Indian Computer Emergency Response (CERT-In) on Thursday (April 28) directed organisations to mandatorily report cybercrime incidents to it within six hours.
“Any service provider, intermediary, data centre, body corporate and government organisation shall mandatorily report cyber incidents… to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents,” CERT-In said.
The new directions also mandate companies to designate a ‘Point of Contact’ to interface with CERT-In. Besides, they have also been asked to take action or provide information or assistance to CERT-In for cyber incident response, and protective and preventive actions related to cyber incidents which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.
The new directions will come into effect after 60 days.CERT-In said the new directions were issued in the wake of various instances of cyber security incidents taking place from time to time and in order to coordinate response activities as well as emergency measures with respect to such incidents. “These directions shall enhance overall cyber security and ensure safe and trusted internet in the country.”
As per the latest order, all government bodies and service providers such as data centres will now be required to maintain a log of all Information Communication Technology (ICT) systems. The companies and organisations will also have to store the data securely for a rolling period of 180 days within the Indian jurisdiction.
On the other hand, service providers such as data centres, cloud services and Virtual Private Networks (VPNs) will have to store data regarding their clients for a minimum period of five years. Besides, online services companies will have to maintain data related to IP addresses, validated addresses, contact numbers and even ownership patterns of companies hiring these services.
The order also mandates crypto exchanges to maintain all information related to Know Your Customer (KYC) and financial transactions of its users for five years.
The entities will have to furnish the details when asked by CERT-In. The failure to furnish the information or non-compliance with directions may invite punitive action under subsection (7) of the section 70B of the IT Act, 2000 and other laws as applicable, the order said.
CERT-In is an arm of the Ministry of Electronics and Information Technology (MeitY) which deals with cyber security threats and is tasked with security-related defence of the Indian internet.
CERT-In reported more than 2.12 Lakh cybersecurity incidents in the first two months of 2022. In comparison, 14.02 Lakh cyber security related incidents were reported across the country in total last year.
There has been an uptick in cyber attacks targeting key critical infrastructure in the country in recent times. In February 2021, it was reported that hackers stole the personal data of 4.5 Mn Air India passengers. In November last year, a cybersecurity firm alleged that personal and financial information of nearly 180 Mn PNB customers was left exposed for 7 months.
A Cisco report last year found that some Indian SMEs lost up to INR 7 Cr in cyber attacks between September 2020-September 2021.
