India’s New CERT-In Directive Represents the Most Strict and Broad Cybersecurity Regulation to Date

Click here to listen to this article via the BreachRx Blogcast

India is one of the latest countries to introduce comprehensive cybersecurity guidelines, with the goal of combating growing cybersecurity challenges in the country, which experienced 1.4 million incidents in 2021 and 212,000 incidents in the first two months of 2022 alone.

In response to these mounting cyber crimes, the Indian Computer Emergency Response Team (CERT-In) issued a new directive around cybersecurity initiatives and incident notification requirements on April 28, 2022. The directive included a compliance deadline of June 27, 2022 for most government and private agencies, with an extended deadline of September 25, 2022 for micro, small, and medium enterprises as well as data centers, cloud service providers, and VPN service providers.

With the directive now in full-force for all organizations, it’s important for companies with a presence in India to understand what’s required. This is especially the case since many of the new directive’s requirements are among the strictest worldwide, such as a six hour timeline for reporting incidents.

Who Must Comply with the CERT-In Directive?

All organizations with a presence in India, including government agencies, must adhere to the CERT-In directive. This includes: Service providers, intermediaries, data centers, corporate agencies (including firms, sole proprietorships, or any other group engaging in commercial or professional activities), VPS and VPN service providers, cloud service providers, custodian wallet providers, and government organizations.

Citizens acting as individuals do not need to adhere to the directive.

Importantly, the directive applies to any companies that serve customers in India, not just those with a physical presence in the country.

How Will India Enforce the CERT-In Directive?

CERT-In was established by India’s central government in 2009 to oversee cybersecurity and incident response, with authority to introduce proactive measures for prevention. Specifically, CERT-In has the authority to:

• Collect, analyze, and disseminate information about cyber incidents
• Issue forecasts and alerts about cyber incidents
• Coordinate cyber incident response activities, including any emergency measures
• Issue guidelines, advisories, vulnerabilities, and white papers related to security practices, incident prevention, and incident response and reporting

Under this authority, CERT-In issued the new directive and has the power to enforce the guidelines included in the directive. In terms of enforcement, CERT-In will review and analyze all incident reports and can ask for more information or give additional direction in response – and organizations are required to comply with those asks and/or directions.

Any instance of non-compliance, either with the directive itself or with additional orders from CERT-In, is punishable with imprisonment of up to one year, a fine of up to one lakh rupees, or both, per section 70B(7) of the Information Technology Act, 2000. This penalty will be decided by a court following a complaint from a CERT-In officer. To issue a complaint, CERT-In officers must submit a report with details of non-compliance to the body’s Director General. A review committee will then review the report and, pending their decision, the Director General can then authorize the CERT-In officer to file a complaint with the court.

What are the Incident Notification Requirements Under the New CERT-In Directive?

The new CERT-In directive includes the shortest notification timeline for cyber incidents among global laws yet, with a timeline of just six hours.

What incidents require a report?

The CERT-In directive includes a comprehensive list of incidents that require reporting. These include:

• Targeted scanning or probing of critical networks/systems
• Compromise of critical systems/information
• Unauthorized access of IT systems or data
• Unauthorized access or changes made to a website, such as inserting malicious code or links to external websites
• Malicious code attacks
• Attacks on servers and network devices
• Identity theft, spoofing, and phishing attacks
• Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
• Attacks on critical infrastructure, operational technology systems, and wireless networks
• Attacks on eCommerce and eGovernance applications
• Instances of data breach or data leaks
• Attacks on Internet of Things (IoT) devices or associated systems and networks
• Attacks on digital payment systems
• Attacks through malicious mobile apps
• Fake mobile apps
• Unauthorized access to social media accounts
• Attacks on or malicious activities affecting cloud computing services or services related to blockchain, virtual assets, Machine Learning, or Artificial Intelligence

Organizations must report incidents even if they have a confidentiality clause in place with customers, as the CERT-In directive overrides those protections.

When and to whom do organizations need to issue a report?

Organizations must report cyber incidents to CERT-In within six hours of becoming aware of the incident. They should provide as much information as available at that time and can provide additional information as needed within a “reasonable timeframe.”

What does an incident report need to include?

Organizations can submit an incident report to CERT-In via email or fax, with contact details provided on the CERT-In website. This report should include:

• A summary of the incident
• Date and time the incident was detected
• Details about how the incident was detected
• Information about the systems, networks, and devices affected, including location and details about any previous security audits
• Details about any investigations into the incident
• Details about the impact of the incident
• Description of how the incident occurred and any vulnerabilities that might have enabled it
• Information about any mitigation actions taken or planned
• All IT logs from the past 180 days
• Name, phone number, and email address for the person reporting the incident and (if different) an ongoing point of contact
• Any other relevant information

What are additional requirements to consider?

All organizations will need to synchronize their information and communication technology system clocks for proper reporting by connecting to the NTP server of the National Informatics Center (NIC) or the National Physical Laboratory (NPL). Global organizations can use a different time source, but that source must be in sync with the NTP.

Additionally, VPS and VPN service providers must retain a record of users for at least five years. This record should include:

• Validated names of subscribers hiring the services
• Period of hire, including dates
• IPs allotted to the subscribers
• Email address, IP address, and time stamp used at the time of registration
• Purpose for engaging the services
• Validated address and contact numbers
• Ownership pattern of the subscribers leasing services 

What are Examples of Incidents That Can Trigger the Reporting Requirement Under the CERT-IN Directive?

The expanded list of reportable incidents under the new CERT-In directive means that a variety of attacks of varying severity can trigger the reporting requirement. Some of the most common examples of attacks to consider include:

Phishing Attack

In a phishing attack, hackers trick users into exposing information by sharing a malicious link or pretending to be a legitimate user and asking for certain details. If an organization’s employees fall for the phishing attack and information gets exposed, that information can fall into the wrong hands and provide further unauthorized access to systems (e.g. in the case of sharing login details).

Distributed Denial of Service (DDoS) Attack

In a DDoS attack, hackers create a “traffic jam” on a server, service, or network by flooding it with fake visitors that ultimately overwhelm it and cause it to shut down. This type of attack can prevent access to the server, service, or network, causing disruptions to the normal flow of operations. While a DDoS attack may be the goal in and of itself, it can also be used for extortion purposes or as a distraction for a different, larger attack being executed at the same time.

Trojan Attack

In a trojan attack, hackers hide malicious software or code inside a legitimate program. Once installed, the malicious software allows hackers to enter the organization’s systems to monitor user behavior and view, steal, or alter information. This type of attack not only leads to unauthorized access of systems, but can also compromise or change critical information.

How Can Organizations Prepare to Comply with the New CERT-In Directive?

The six hour reporting timeline for incidents under India’s new CERT-In directive requires advanced preparation from organizations to remain compliant. This is especially the case given the expanded list of reportable incidents and additional compliance requirements around log attainment and clock synchronization.

Taking a proactive approach to compliance requires organizations to assign responsibility over incident response activities, introduce clear security procedures to monitor and protect data, and confirm visibility into data collection, storage, and retention practices.

Beyond these baseline best practices, organizations should also prepare for three essential phases of incident response:

Readiness

Readiness requires preparing regulatory and incident response plans in advance of needing them so that the organization can move into response mode immediately once an incident does occur. This type of immediate response is especially important in light of India’s six hour reporting requirement, and it can also help reduce costs associated with a breach.

Key readiness activities include:

• Reviewing requirements in applicable regulations, like the new CERT-In directive, as well as those in customer and partner contracts
• Outlining ready-to-go response plans for each regulation, including clear assignments of responsibility
• Running simulations and tabletop exercises to prepare team members

Response

Response is all about what organizations do when an incident happens, such as determining what happened, remediating the issue, and reporting the event. A complete and effective response is a must for remaining compliant with regulations, which can help avoid or reduce penalties, and for maintaining customer trust.

Key response activities include:

• Identifying what happened, how, and when
• Determining what systems were affected
• Outlining the potential impact and taking steps to remediate the issue
• Collaborating with key stakeholders to report the issue to agencies and customers according to regulatory requirements
• Introducing a safe haven for team communications about the response

Ongoing Management

Ongoing management focuses on regularly evaluating incident response plans to ensure they stay up to date as regulations, contracts, and threats evolve. These efforts also involve reviewing metrics like frequency and types of incidents, efficiency of response, and potential areas of weakness to further strengthen response efforts going forward. 

Key ongoing management efforts include:

• Establishing a centralized dashboard for reporting on and monitoring incident response plans and updates to regulations and contracts
• Aligning relevant stakeholders on changes to response plans
• Confirming stakeholders’ awareness of responsibilities in the case of an incident

Inside the Initial Response to India’s New CERT-In Directive

Cybersecurity has proven a big challenge in India in recent years: Major companies like Air India, Domino’s, and even the Indian government itself reported cybersecurity incidents in 2021. And not only did India experience well over a million incidents in 2021, but the costs were high. According to Ponemon, the average cost of a data breach in India reached 165 million rupees in 2021 (up nearly 18% over 2020), with the mean time to identify a breach 239 days and the time to contain it 81 days.

But the response to India’s new CERT-In directive has not been overwhelmingly positive. Instead, many argue the directive goes too far. Key areas of concern among critics include:

• Six hour reporting timeline: Six hours is the shortest timeline worldwide for reporting an incident, and critics believe it will be unrealistic for most companies in India to meet this requirement.
• Expanded list of reportable incidents: The new list of reportable incidents is extremely extensive, meaning situations that require a report to CERT-In will inevitably arise more often. However, some of the guidance around this list is vague, with no information around impact thresholds.
• Synchronization of clocks: Synchronizing system clocks to the Network Time Protocol may be difficult for organizations to achieve due to limited servers.
• Maintenance of logs within India: Companies must maintain logs on all information and communications technology systems for 180 days and store those logs in India. The latter part of this requirement represents a new challenge for companies that don’t already have a physical presence in the country.

Overall, the new directive will require companies to make significant investments in cybersecurity in India. And while strengthening regulations and requiring certain investments is widely viewed as a positive step, many believe the new directive will prove too burdensome.

Making Cybersecurity and Proactive Incident Response a Priority in India

The new CERT-In directive represents a new era of cybersecurity in India: One that prioritizes a more proactive approach to securing systems and responding to incidents. Given the particularly onerous requirements under the new directive, organizations must act quickly to shore up their efforts.

In general, proactive incident response requires developing a detailed understanding of applicable regulations and introducing a response plan with clear responsibilities to act quickly and confidently when an incident occurs. The broad list of reportable incidents in India and the six hour reporting timeline makes these activities all the more important for companies with a presence in the country.

To achieve this level of proactivity, organizations must stay on top of new regulations (and any changes that might arise over time), develop clear response plans, align on responsibilities, and then continue to revisit these efforts over time to maintain readiness and improve any areas of vulnerability.