Only 15 entities reported cybersecurity incidents to India’s cybersecurity agency within the 6-hour timeline stipulated by the cybersecurity rules that went into effect last year, a Right to Information (RTI) response received by MediaNama on March 6 revealed.
As per the cybersecurity rules issued by the Indian Computer Emergency Response Team (CERT-In) in April 2022, all entities must report cyber incidents to CERT-In “within 6 hours of noticing such incidents or being brought to notice about such incidents.” The rules went into effect last year on June 28 for larger businesses, and on September 25 for Micro, Small & Medium Enterprises (MSMEs).
“How many entities have reported cybersecurity incidents to CERT-In within 6 hours since the [cybersecurity] directions went into effect?” MediaNama had asked CERT-In in its RTI request filed in February.
Nearly 14 lakh cybersecurity incidents reported in total in 2022: In a separate response filed in Parliament, the IT Ministry revealed that a total of 13,91,457 cybersecurity incidents were reported to CERT-In in 2022. Compared to this staggering number, only a negligible number of incidents appear to have been reported within 6 hours.
Why does this matter: As we highlighted when the cybersecurity directions were announced, a 6-hour window is extremely short for most entities to report cybersecurity incidents for various reasons (covered in articles shared below). It is also shorter than global standards. For these reasons, we had reported that most entities will be unable to comply with the 6-hour mandate. The number of reported incidents revealed by CERT-In confirms this to be true.
Why a 6-hour window is unrealistic: Here’s our past coverage on the various concerns with the cybersecurity rules, including why the 6-hour window is unrealistic and needs to be changed:
- Why India’s New Cybersecurity Directive Is A Bad Joke
- How India Can Improve Its Cybersecurity Directions #NAMA
- India’s Cybersecurity Directive Goes Against Security, Tech Companies Argue
- Fact Check: Do Other Countries Have Lesser Than 6 Hours To Report Cybersecurity Incidents?
- Global Coalition Criticises India’s Cybersecurity Directive
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.