CERT-In Says Organisations Must Report Cybersecurity Breaches With 6 Hours

CERT-In has asked all government and private agencies, including Internet service providers, social media platforms, and data centres, to mandatorily report cybersecurity breach incidents to it within six hours of noticing them.

The new circular, issued by the Indian Computer Emergency Response Team (CERT-In), mandates all service providers, intermediaries, data centres, corporates, and government organisations to mandatorily enable logs of all their ICT (Information and Communication Technology) systems and maintain them securely for a rolling period of 180 days, and the same shall be maintained within the Indian jurisdiction.

The log should be provided to CERT-In along with reporting of any incident or when directed by the computer emergency response team.

The move will help in fighting cybercrime more effectively, minister of state for electronics and IT Rajeev Chandrasekhar said in a tweet, asking all companies and enterprises “must mandatorily report cyber incidents to IndianCERT”.

CERT-In is empowered under section 70B of the Information Technology Act to collect, analyse, and disseminate information on cybersecurity incidents.

CERT-In said that during the course of handling cyber incidents and interactions with the constituency, it has identified certain gaps causing hindrance in the analysis of breach incidents.

“To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response, and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000. These directions will become effective after 60 days,” Cert-In said.

According to the latest order, data centres, virtual private server (VPS) providers, cloud service providers, and virtual private network service (VPN Service) providers need to register the accurate information related to subscriber names, customer hiring the services, ownership pattern of the subscribers etc, and maintain them for five years or longer duration as mandated by the law.

“Many times during LEA (Law Enforcement Agency) requests and investigations, we have seen cases of non-storage or availability of data and proper records with intermediaries and service providers. These guidelines will streamline the date records to be maintained and proper reporting of security incidents to CERT-In,” said Jiten Jain, Voyager Infosec director of digital lab.

There have been several incidents of data breach in Indian entities that have led to leak of personal data of crores of individuals.

Some companies continued to ignore alerts by cybersecurity researchers and acted only after the data was made public.

“End-user has the right to know if their data is loaded so that an individual can protect himself from fraud transactions, fake loans, ID misuse etc. Government should also force companies to inform their users within 24 hours of the incident. Neither CERT-In nor companies inform users. We saw a lot of data breaches last year. None of them informed their users. As a result, cybercrime, financial frauds and ID misuse have spiked,” cybersecurity researcher Rajshekhar Rajaharia said.

He said that users are still unaware if their KYC (Know Your Customer) and financial data is safe or not.