In April, the Indian Computer Emergency Response Team (CERT-In), the nodal agency responsible for dealing with cyber security threats, released a circular containing a new set of cybersecurity directives mandating a change in the reporting of cybersecurity incidents. The directives will come into effect from June 2022 and will have a bearing on all internet-based companies in the country, including crypto-startups.
What do the new directives mandate?
Reduced timeline for reporting
The new directives from CERT-In require cyber-security incidents to be reported within six hours of being brought to notice. Earlier, there were no such stringent timelines imposed.
Expanded list of reportable cybersecurity incidents
The new directives have also expanded the list of incidents that must mandatorily be reported. This includes data breaches and leaks, along with attacks or incidents affecting a broad range of devices and technologies such as big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, and drones.
Synchronized system clocks
The new directives require all service providers, intermediaries, data centres, body corporates, and government organizations to synchronize their system clocks to those of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or to other servers traceable to those maintained by NIC or NPL. Entities outside India are permitted to use a different time source that is in sync with NTP, but they would have to ensure that their time source does not deviate.
Subscriber data collection and retention
According to the new rules, specified entities, namely data centres and VPN providers, will be required to accurately record certain details of their users, similar to the Know Your Customer (KYC) requirement imposed by other sectoral regulators.
This information would also have to be maintained for a period of at least five years after the user cancels their registration, or for a longer period if mandated by law.
CERT-In authority expanded for information requests
Previously, CERT-In had the authority to seek information from regulated entities in specified formats for responding to cyber incidents, and this authority could only be exercised by an officer of the rank of Deputy Secretary or higher. However, the new directives prescribe a broad-ranging power to request information without any such limitations. The order/directives issued by CERT-In may specify the format of the required information and a time frame within which it must be provided to CERT-In; failure to do so will be treated as non-compliance.
KYC information and financial transaction record retention
All virtual asset service providers, virtual asset exchange providers, and custodian wallet providers would need to maintain KYC and financial transaction records. The KYC function, which was previously mandated only for entities regulated by Indian financial service regulators, such as banking and securities, would now need to be followed by these entities as well.
The CERT-In directives require the retention of financial records and identification information of the parties (including IP addresses, timestamps and time zones), transaction ID, the public keys, addresses or accounts involved, the nature and date of the transaction, and the amount transferred.
Maintenance of system logs within India
The new directives also require entities to maintain logs for all ICT systems for 180 days and to store these logs in India. Companies would have to provide these logs to CERT-In when reporting a cyber incident, or as and when they are sought by CERT-In. This means that a wide range of service providers and intermediaries, such as cloud-based and application-layer service providers, would also need to maintain localised system logs in India, even if they are not located in India.
How will these rules affect Indian companies?
This is the first time a mechanism is being put in place to make the reporting of cyber incidents mandatory. Reporting incidents on time, with a proper structure for doing so, can lead to the sharing of information, preventing the rise of systemic risks and leading to a stronger ecosystem. This is much needed, both in the Indian crypto space and among other Indian enterprises.
While the intention behind these new directions is to be appreciated, at the same time, several facets of the law seem to be misguided and severely lack clarity on implementation.
The issues with the above-mentioned directives are several. First and foremost, CERT-In’s timeline of 6 hours is extremely steep. A 6-hour timeline is not seen in other large economies. The GDPR and countries like Singapore have personal data protection laws that provide a 3-day window for reporting.
Neither companies nor CERT-In are likely to have staff working around the clock. In most cases, it takes at least 24 hours to understand the issue and compile a report. Also, even if the rules mandate 6 hours, the timeline could be segregated based on severity, with the most serious incidents to be reported within 6 hours and others within a period of 3-7 days.
Given the short time frame, organisations would need to re-examine their practices and procedures regarding breach reporting. Within an extremely short period, they would also have to ensure the deployment of appropriate organizational capabilities for identifying and reporting cybersecurity incidents.
Adding more incidents to the mandatory reporting list is also a welcome move, but what is urgently needed is more clarity on the consequences of such incidents, including a definition of the impact threshold.
Regarding the syncing of system clocks, this may be difficult to implement in practice. There will most likely be latency issues, and given the limited number of servers, the NIC servers are likely to be overwhelmed if everyone starts hitting the same set of servers.
For crypto startups specifically, the key point is the requirement to maintain KYC and financial transaction records for all virtual asset service providers, virtual asset exchange providers, and custodian wallet providers. These entities will now have to comply with the KYC function, which up until now was mandated only for entities regulated by Indian financial service regulators, such as banking and securities.
Although this will create a safer and more secure space, it does increase customer friction and compliance costs. Cryptocurrency exchanges in India have already been self-regulating with KYC for years. However, for wallet providers and other similar companies, this is not ideal, as the crypto industry in India is still at a nascent stage.
In terms of log sharing, presently, there is no clarity with respect to what these logs are supposed to comprise. What needs to be defined is which devices and services fall under the scope of log reporting and which don’t. There are also legitimate privacy concerns with sharing logs, as logs generally contain personally identifiable information.
While having a new set of directives is a good step towards improved data and customer protection, several of these directives need changes and more clarity. In their present form, these rules, if implemented hastily, would likely cause more harm than good.
It would also be best if the officials could engage in dialogue with industry stakeholders to come up with an improved set of directives that can help curb cybercrime and enable the growth of Indian enterprises and the crypto ecosystem in the country.
(Mohammed Roshan is CEO & Co-Founder of GoSats, a bitcoin stacking app.)