Global bodies raise concerns over new cybersecurity norms
Various business and industry associations with global links have raised concerns about the recent directive of the Indian Computer Emergency Response Team (CERT-In) on cybersecurity issues, mainly the requirement to report incidents within six hours, the storage of subscriber data for five years, and registration requirements.
Although the Ministry of Electronics and Information Technology (MeitY) has published a list of frequently asked questions (FAQs) about the directive, companies consider that, as the FAQs do not carry legal force, they do not offer sufficient guarantees to companies operating in India.
“We continue to be concerned with the mandatory reporting of cybersecurity incidents within six hours, the over-definition of reportable incidents, the requirement for companies to provide sensitive records to CERT-In, the requirement that companies take action to respond to an incident as required by CERT-In, the requirement for virtual service providers (VSPs), cloud service providers (CSPs), and the requirement for virtual private network providers (VPNs) to register certain information from subscribers for at least five years after the cancellation of the service,” a multi-association letter to the government said.
The 11 associations include the US-India Business Council, the US Chamber of Commerce, ITI, Tech UK, the US-India Strategic Partnership Forum, Digital Europe, BSA and the Cybersecurity Coalition, among others.
The letter adds that if left unaddressed, these provisions will have a significant negative impact on organizations operating in India without any proportionate benefit to cybersecurity. The directive was issued on April 28 and will enter into force 60 days later. Failure to comply with the new rules may result in criminal provisions under the Information Technology (IT) Act.
Basically, companies are looking for a delay in implementing the directive to allow for stakeholder consultation to address technical and other concerns. “Review the policy to address concerns regarding NTP server connection requirements, incident notification deadlines, the requirement for companies to take response or repair action as directed by CERT-In, the definition and scope of covered incidents, registration requirements and information requirements for subscribers of VSP, CSP and VPN providers,” the letter adds.
The firms have requested that the deadline for reporting incidents be at least 72 hours. In addition, with respect to the storage of customer data for five years, it has been noted that Internet Service Providers (ISPs) routinely collect customer information, but that extending these obligations to VSP, CSP and VPN providers is onerous. “Local storage of data during the customer’s lifecycle and then for five years will require storage and security resources whose costs must be passed on to customers, who in particular have not requested that this data be stored after the end of the service. And, most importantly, this requirement creates a security threat to the sensitive data stored,” the letter added.
As the government has clarified that records should not be stored in India, companies are asking CERT-In to revise the directive to reflect this. “However, even if this change is made, we have concerns about some of the types of registration data that the Government of India requires to be provided upon request, as some of them are sensitive and, if accessed, could create a new security risk by providing information on an organization’s security position,” the letter said.