India’s cybersecurity agency has no information on how many entities have complied with the cybersecurity directions it issued last year, a Right to Information (RTI) response received by MediaNama on March 6 revealed.
“The [cybersecurity] directions do not envisage explicit submission of compliance of these directions by entities per se except information on Point of Contact and reporting of incidents as and when occurred as prescribed. CERT-In, in general, has not sought status of compliance from all the entities,” the Indian Computer Emergency Response Team (CERT-In) stated.
The cybersecurity directions issued by CERT-In in April 2022 require companies to report cybersecurity incidents within 6 hours, maintain system logs for 180 days, maintain KYC and transaction information of customers if they are crypto exchanges, maintain detailed customer information if they are VPN, cloud service, or data centre providers, synchronise their system clocks with government time servers, and share a point of contact with CERT-In.
STAY ON TOP OF TECH POLICY: Our daily newsletter with top stories from MediaNama and around the world, delivered to your inbox before 9 AM. Click here to sign up today!
With regards to these directions, MediaNama filed an RTI request with CERT-In asking the following questions:
- Has CERT-In sought compliance status with regard to the directions from service providers, intermediaries, and body corporates? If yes:
- How many MSMEs [Micro, Small & Medium Enterprises] have complied with all the directions outlined in the rules? How many entities in total have complied with the directions?
- Please share a copy of the notices sent to the applicable entities.
- Please share any non-confidential versions of responses received from the entities.
- How many entities have submitted point of contact information to CERT-In? How many of these are MSMEs?
For the first question, CERT-In responded (as above) stating that it has no information on compliance status. As for the second question, CERT-In responded by saying that 1227 entities registered or updated their point of contact with CERT-In between 28.06.2022 and 31.01.2023. However, “CERT-In has not made any categorisation in respect of Point of Contact information in respect of MSME, hence, no such information is available,” the agency replied in response to the second part of the question.
When compared to the total number of entities that are required to submit a point of contact information to CERT-In, which is basically any entity with a computer and an internet connection, the 1227 figure is minuscule. For context, there are over 14 lakh registered active companies in India and it’s not unreasonable to assume that most of them have computer systems.
Why does this matter: When the cybersecurity directions were issued last year, we criticised them for being onerous to companies and also infeasible for a lot of companies to comply with. We also pointed out that CERT-In will have a hard time tracking compliance as it might not have enough resources to do so (links to our past coverage are below). The fact that only 1000-odd entities have updated their point of contact information with CERT-In, which is probably the easiest requirement under the directions, raises questions about where entities really stand in terms of compliance with the cybersecurity directions. Or are these directions a futile exercise?
Only 15 entities reported cybersecurity incidents within 6 hours: CERT-In also revealed that only 15 entities reported cybersecurity incidents within the stipulated 6-hour timeline. We have covered this in more detail here.
What’s wrong with the cybersecurity directions: For more on why we think the cybersecurity directions are misguided, find our past coverage under the tag Cybersecurity Directions 2022, or here are a few selected criticisms of the directions:
- Why India’s New Cybersecurity Directive Is A Bad Joke [read]
- India’s Cybersecurity Directive Goes Against Security, Tech Companies Argue [read]
- Global Coalition Criticises India’s Cybersecurity Directive [read]
- How India Can Improve Its Cybersecurity Directions #NAMA [read]
- Why India Should Not (Yet) Mandate Companies To Adopt A Specific Time Source [read]
- Deep Dive: The Legality Of India’s New Cybersecurity Directive [read]
- “You Don’t Need To Have A Blanket Law That Treats Everyone As A Criminal”, Says Dr Joe Hall Of Internet Society On India’s Cybersecurity Directions [read]
- Impact Of India’s Cybersecurity Directions On The Global Internet [read]
- Why An Indian VPN Provider Is Suing The Government Over The New Cybersecurity Rules [read]
- VPN Providers Call India’s New Rules Worse Than China, Russia [read]
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
