India to Set 6-Hour Breach Reporting Requirement
New Mandate Will Take Effect on June 28
In what is likely the shortest breach reporting timeline globally, the Indian Computer Emergency Response Team, CERT-In, has mandated that starting June 28, both government and private organizations in the country must inform the agency within six hours of discovering a cybersecurity incident.
The mandate applies to service providers, intermediaries, data centers and corporate and government organizations, all of which must designate a point of contact to interface with CERT-In.
"CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents," the directive says.
CERT-In is a national agency that performs various cybersecurity functions in the country under the provisions of section 70B of the Information Technology Act, 2000.
The Information Technology Act 2000 already mandates data breach reporting, and a company that does not comply is liable to pay a maximum penalty of 100,000 rupees, or about $1,324.
In 2017, CERT-In published a notification reiterating that any corporate entity that suffers a cybersecurity breach is mandated to report the incident. Not reporting, it says, qualifies as a criminal offense, but the notification set no deadline for reporting.
CERT-In did not immediately respond to Information Security Media Group's request for comment.
Organizations that discover a data breach must "maintain securely" all their information communication technology - or ICT - system logs for a rolling period of 180 days, and these records must be stored in the country, the new directive says.
Tim Erlin, vice president of strategy at Tripwire, compares the mandate to the United States' breach reporting requirements.
"While the U.S. is hand-wringing over 36-, 48- and 72-hour reporting requirements, India's guidelines are much more stringent. Such a short time frame for reporting on cybersecurity incidents sends a clear signal that the purpose here isn't to gather comprehensive information, but to enable rapid dissemination of incident data. Whether that strategy will meaningfully reduce further incidents from similar attackers depends on the ability of organizations to effectively make use of the information," he says.
Data centers, virtual private server providers, cloud service providers and virtual private network service providers are directed to record the following information and maintain it for five years:
- Validated names of subscribers/customers hiring their services;
- Period of hire, including dates;
- IPs allotted to or being used by the members;
- Email address, IP address and time stamp used at the time of registration or onboarding;
- Purpose for hiring services;
- Validated address and contact numbers;
- Ownership pattern of the subscribers/customers hiring services.
"The virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall mandatorily maintain all information obtained as part of Know Your Customer and records of financial transactions for a period of five years so as to ensure cybersecurity in the area of payments and financial markets for citizens while protecting their data, fundamental rights and economic freedom in view of the growth of virtual assets," the directive says.
At a recent event in Bengaluru, southern India, Rajeev Chandrasekhar, the union minister of state for electronics and IT, reportedly said the government is likely to take a tougher stand on companies, "announcing laws that will put an end to companies not disclosing data breach incidents."
If every affected organization reports every instance of being scanned, there is definitely the potential for an overwhelming number of reports, Erlin says.
US Incident Reporting
In February, the U.S. Securities and Exchange Commission voted 3-1 to advance new, mandatory cybersecurity rules for registered investment advisers, companies and funds. The proposed rules, which opened for a public comment period of at least 30 days, would require covered entities to adopt and implement written cybersecurity policies and would impose a 48-hour incident reporting mandate to the commission via a new confidential form.
The proposal would also require covered entities to publicly disclose cybersecurity risks and "significant incidents" detected over the past two fiscal years, set forth new record-keeping requirements for advisers and funds and facilitate the SEC's inspection and enforcement capabilities. Its public comment period runs for at least 30 days (see: US SEC Proposes 48-Hour Incident Reporting Requirement).
In March, however, after months of political infighting, a landmark cybersecurity provision requiring critical infrastructure providers to report security incidents and ransom payments passed both chambers of Congress and now heads to U.S. President Joe Biden's desk.
The provision, originally authored by leaders of the Senate Homeland Security and Governmental Affairs Committee - Sens. Gary Peters, D-Mich., and Rob Portman, R-Ohio - will require critical infrastructure owners and operators to report to the Cybersecurity and Infrastructure Security Agency within 72 hours if they experience a substantial cyberattack or within 24 hours of the payment if they make a ransomware payment (see: US Congress Passes Cyber Incident Reporting Mandate).