wordpress blog stats
Connect with us

Hi, what are you looking for?

Fact check: Do other countries have lesser than 6 hours to report cybersecurity incidents?

The reporting timelines cited by the government are factually inaccurate.

cybersecurity

“In terms of the reporting time [for cybersecurity incidents], whether 6 hours is too less or too long, if you look at precedents all around the world […] there are countries that mandate immediate reporting. And I think we have been extremely generous because we have given 6 hours,” the Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said on May 18 while releasing the FAQs document on the new cybersecurity directive.

The cybersecurity directive mandates all companies to report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. But this timeline has been criticised by cybersecurity experts and tech companies for being unfeasible, burdensome, and not in line with global standards.

The Indian government, however, refused to budge on this requirement arguing that some countries have shorter timelines. Sanjay Bahl, Director General of CERT-In, even shared a list of countries that supposedly have more stringent timelines to report cybersecurity incidents and data breaches.


Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.


What does CERT claim and what are the actual reporting timelines?

France

  • What does CERT claim? 4-hour reporting timeline in the financial sector
  • What is the actual timeline: 
    • Financial sector: Payment service providers must report security incidents within four hours after they have been classified as major incidents. Classification can take up to 24 hours, which essentially gives companies a total of 28 hours to report major incidents. Furthermore, major incidents are classified based on the comprehensive criteria set in these guidelines.
    • All other entities: For other companies, there is no mandatory cyber incident reporting, but there are rules for data breaches set by the GDPR. In case of a data breach, companies must notify the national regulator within 72 hours of becoming aware of the breach.

Italy

  • What does CERT claim? 3 hours
  • What is the actual timeline: Operators of essential service and digital service providers (DSPs) must notify the Computer Security Incident Response Team (CSIRT Italy) of cyber incidents without delay. For DSPs, the notification obligation arises only after they have access to the necessary information to assess the impact of the incident. In 2021, there was, however, another decree which classified incidents based on severity and gave anywhere between 1 to 6 hours to report based on the classification, but MediaNama was unable to access a copy of the decree to confirm this. Further, like other European nations, Italy also has a 72-hour timeline for reporting personal data breaches as mandated by GDPR.

Japan

  • What does CERT claim? Immediate
  • What is the actual timeline:
    • Financial sector: Banks must report any cyber incidents immediately after becoming aware of it, to the Financial Services Agency. This is however a guideline and not legally binding.
    • Telecommunications sector: If a cyberattack causes a serious incident as specified in the Telecommunications Business Act, then the telecom company must promptly report the same to the Ministry of Internal Affairs and Communication. No specific time frame is provided.
    • Other entities: There is no mandatory requirement to report cyber security incidents, except in the case of certain personal data breaches. For these breaches, business operators must notify the Personal Information Protection Commission of the incident as soon as possible (3 to 5 days according to guidelines).

Singapore

  • What does CERT claim? 1 hour
  • What is the actual timeline:
    • Financial sector: Financial institutions in Singapore must notify the Monetary Authority of Singapore (MAS) within one hour of discovering an incident that has a severe and widespread impact on its operations or materially impacts the institutions’ customers regardless of when the malfunction or incident occurs.
    • Critical infrastructure: Companies designated as critical information infrastructure providers must notify the Commissioner of Cybersecurity within two hours of becoming aware of the occurrence of a prescribed cybersecurity incident.
    • All entities: Data breaches that are likely to result in significant harm or of a significant scale need to be reported to Singapore’s Personal Data Protection Commission within 24 hours.

Spain

  • What does CERT claim? 2 hours
  • What is the actual timeline: Incidents that are classified as critical, very high, or high (based on criteria laid out here) must be mandatorily reported to the relevant authorities immediately while incidents classified as medium and low do not have to be mandatorily reported. Critical and very high incidents include attacks by APT, malware distribution, intrusion, etc. Personal data breaches must be reported within 72 hours.

UK

  • What does CERT claim? Immediate in the financial sector
  • What is the actual timeline:
    • All entities: Relevant digital service providers such as online search engines, online marketplaces, and cloud computing services must report any cyber incident that has a substantial impact to the Information Commissioner’s Office (ICO) within 72 hours. This includes data breaches.
    • Financial sector: Entities regulated by the Financial Conduct Authority (FCA) must report cyber incidents to the authority immediately after becoming aware of them, but only if it they are material cyber incident, which is determined based on certain criteria.

Indonesia

  • What does CERT claim? 1 hour
  • What is the actual timeline: As per a 2012 regulation, electronic system operators must report any failure or disruption of systems to concerned authorities immediately. Data breaches must also be reported in the first instance upon the company discovering such breach. There is no specific time mentioned.

Analysis: Do other countries really have more stringent reporting timelines?

As illustrated above, there are multiple cases where other countries have more stringent timelines to report cyber security incidents, but it applies only to companies in specific sectors (financial, telecom, critical infrastructure) or for cyber incidents of a specific criticality (high, very high). In contrast, India’s 6-hour reporting timeline applies to all companies and for a long list of incidents that range from less severe (and very common) phishing attacks to highly critical attacks on critical infrastructure. As such, it is an unfair and superficial comparison that CERT-In is making. 

Why does India want cybersecurity incidents reported within 6 hours?

Defending the 6-hour timeline, Minister Rajeev Chandrasekhar provided the following rationale:

Advertisement. Scroll to continue reading.

“Please understand, the actors are no longer amateurs. It used to be ten years ago when we talk about cyber breaches and cyber incidents, you think of one young person sitting behind a computer trying to hack a firewall to get some academic satisfaction. Today, it is not that. The criminality and the cyber incidents and the nature, type, form, shape of it are very complex. They have very sinister elements behind it. There are many state actors that are also using vulnerabilities in various countries’ internet space. And very importantly, why this logic of very rapid reporting is almost essential to the internet is those who commit these breaches can move on very quickly. […] With all of the tools that they have, the breach could be one place, can originate from one place and they can move on very rapidly to undertake the same type of breaches from multiple other locations. So immediate reporting, very quick reporting is fundamental to investigating forensic analysis and situational awareness of the nature of the incident and our conspiracy behind it.”

This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.

Also Read:

Have something to add? Subscribe to MediaNama here and post your comment. 

Written By

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.

Views

News

The Delhi High Court should quash the government's order to block Tanul Thakur's website in light of the Shreya Singhal verdict by the Supreme...

News

Releasing the policy is akin to putting the proverbial 'cart before the horse'.

News

The industry's growth is being weighed down by taxation and legal uncertainty.

News

Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.

News

Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.

You May Also Like

News

Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...

Advert

135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...

News

Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

News

By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Name:*
Your email address:*
*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ