The country’s cybersecurity agency is expected to come out with a new set of clarifications on its recent cybersecurity directive soon, people familiar with the matter said. During a meeting with a select group of stakeholders on Friday, the Computer Emergency Response Team of India (CERT-In) is known to have assured clarifications on the six-hour timeline for reporting cybersecurity incidents, know-your-customer (KYC) requirements and the storage of customer information records, among others.
The rules will take effect from June 27.
The meeting came after CERT-In’s cybersecurity standards were met with widespread pushback from a variety of industry stakeholders. It was attended by the Minister of State for Electronics and IT, Rajeev Chandrasekhar, the head of CERT, Sanjay Bahl, and representatives of industry bodies such as the Mobile and Internet Association of India, the Confederation of Indian Industry, the US-India Business Council, the US-India Strategic Partnership Forum, the American Chamber of Commerce, FICCI, BSA | The Software Alliance, ITI Council and Cellular Operators Association of India. Digital rights groups such as Access Now also participated.
One of the most contentious issues between the government and stakeholders was the requirement to report cybersecurity incidents within six hours, which the industry believes is too short and strict. During Friday’s meeting, it emerged that stakeholders were told that MeitY or CERT-In will not offer any relaxation in terms of required reporting deadlines. Instead, the agency may provide a prescribed format for reporting cybersecurity incidents. “CERT-In can also create a specific portal for reporting such incidents so that entities are clear on how much information they need to share with the agency,” a source said.
Clarifying the six-hour reporting schedule to make it appear less onerous, Bahl told interested parties that they only need to report to the agency within six hours of discovering such an incident. “CERT-In just expects you to send an email within six hours to alert us of a cybersecurity incident,” he is known to have said. A formal clarification on this is expected soon, the sources said.
While a large part of the meeting focused on reporting deadlines, which also led to CERT-In’s assurance to issue clarifications, the issue of virtual private network (VPN) providers exiting India did not generate such assurances, the sources said. The rules require VPNs to store a large amount of user information for five years. “We want VPNs to store data for five years because it sometimes takes a long time to investigate cyber incidents,” Bahl is known to have clarified at the meeting. VPN providers like Surfshark and ExpressVPN have shut down their India servers in response to the regulations. Inquiries sent to the IT Ministry remained unanswered at the time of publication.
It is known that CERT-In may also soon issue a clarification on how entities can present an effective KYC process. The rules require cryptocurrency exchanges and wallets to keep KYC details and records of financial transactions for five years. Industry stakeholders at the meeting noted that it was difficult to validate the identity of users in current processes, the sources said. “During the meeting a discussion arose about Aadhaar as a KYC document and the ministry will reflect on some KYC models that can be effective,” one person said.
During the meeting, which lasted more than an hour, the cybersecurity agency also sought to allay privacy concerns arising from the rules, telling stakeholders that it will not request user records that contain personally identifiable information from individuals, but will only need incident-specific records. The rules oblige entities to keep records of all their ICT systems for 180 days, which must be provided to the agency through a warrant.
Small businesses and startups could have some wiggle room, as they may need more time than larger corporations to adapt to the rules, it is known. “MSMEs and start-ups can write to CERT-In requesting a relaxation in compliance with the rules explaining why they need an extension and the agency can consider it on a case-by-case basis,” a source said.