Mandating a tight six-hour time window for (major) cyber-incident reporting could ‘punish’ innocent small- and medium- sized businesses more than cybercriminals!

Many developed nations have mandated that cybersecurity breach of any kind be reported within 48 to 72 hours. However, in April this year, the Indian Computer Emergency Response Team set a highly aggressive deadline of six hours with effect from 27 June 2022. 

Failure to follow the CERT-In deadline may result in up to a year in jail, a fine of up to INR 100,000, or both. It clearly states: “Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with the direction… shall be punishable with imprisonment for a term which may extend to one year, or with fine which may extend to one lakh rupees or with both.” 

The new directive means that organizations must set up a monitoring system to detect cybersecurity issues, besides employing an incident response strategy and team. Additionally, it is also helpful for organizations to keep records on attacks and later look at what kind of data has been breached or could be at risk. 

A barometer of severity

The radical new cyber guidelines in India are clear markers of their government’s resolve to curb the slew of cyberattacks plaguing both public and private sectors, said Naman Shah, CEO and founder, NowPurchase: “The short window of reporting, too, is indicative of the seriousness with which this rampant problem is being addressed and documented in the country. The new guidelines will act as a barometer for us to gauge our response and preparedness for any such eventuality, and ultimately fortify Indian cyber defenses as a whole.”

Reacting to the CERT-In directive, Swapnil Naik, Senior Director of Engineering, AFour Technologies understands that reporting security incidents in such a short time window can help stakeholders and impacted individuals to take suitable measures to minimize the impact, but while reporting is essential, organizations must set up a steering committee that drives the security and risk management programs to reduce the risk of security breaches to an acceptable level.” However, Swapnil felt that the directives are “not reasonable and would lead to more difficulty in doing business. Considering the sensitivity of the data and the prevailing privacy laws, analyzing these issues and identifying data that is permissible to share in such a short window is a tedious task. Given such complexity, it will adversely impact revenue and customer trust if legalities are violated.”

Government data showing a threefold increase in cyberattacks in the year 2021 compared to 2020, with many small- and medium- sized firms being wiped out, may have precipitated the stern directives, according to Sandip Kumar Panda, CEO and co-founder, InstaSafe Technologies. “Over the last couple of years, events like the pandemic, the China-India strained relationship, and various global crises have led to an increase in cross-border cyberattacks. Reporting may not be the only solution for such a large country to handle the cyber threats, but better visibility of cybersecurity incidents at a consolidated level does provide better information for a central body like CERT-In to act on.” 

Taking refuge in the exceptions   

Comparatively, in Europe, a security breach involving General Data Protection Regulations have to be reported within 72 hours, but need to include records of work done to prevent the breach; data supporting the estimated impact of the breach; forensics details; and a remediation plan. This is much more intensive reporting compared to India’s CERT-In reporting rules, which require just the reporting of incidents in a short time frame.

Furthermore, CERT-In has clarified that only cybersecurity incidents of a severe nature; data breaches; large scale and high impact incidents need to be reported within six hours. Once a breach is reported, the authorities can investigate further and then provide directives so that the affected organizations can take appropriate measures.   

Not surprisingly, many Indian organizations lack specialist cybersecurity tools and professionals to comply with CERT-In’s requirements and avoid the newly-imposed penalties.

(Editor’s note: Exacerbating the urgency is the increasing frequency of phishing campaigns, which may exhaust organizations’ resources if they are to comply with the directives. In fact, since even cyber incidents arising from outside of the country (but involving local entities) are expected to be reported, the smaller businesses will likely find compliance a major obstacle and instead band together to seek further clarity in the practicality and realistic scope of such directives.)