Is India Inc. Ready for CERT-in Security Compliance? 

India’s data protection laws have made news for several wrong and a few right reasons. The country has long awaited tweaks to the rules and regulations governing cyber security, when they finally got announced last April, security experts heaved a collective sigh of relief. However, it remains to be seen how prepared the industry is to implement its extensive compliance needs. 

For context, the ministry of electronics and information technology issued directions relating to the information security practices, procedures, response and reporting for safe and trusted for Safe & Trusted internet on April 28. Though legislation to set up a Data Protection Authority is pending, these directives give extensive powers to CERT-In, otherwise known as the Indian Computer Emergency Response Team. 

Which now brings us to what exactly are the directives? The CERT-In says all service providers, intermediaries, data centers, enterprises, and government organizations need to mandatorily report specified cyber incidents within six hours of its occurrence. Seems plausible, until one juxtaposes it with the current obligation under the IT Act of reporting it “as early as possible.”

So, what’s wrong with this?

Cyber security experts are a happy lot as early reporting means a threat can be contained faster and hopefully also limit the damage. However, take this instance of CERT-In notification that came through just a day ago… The agency notified that Google’s Chrome and Mozilla products had vulnerabilities that could give user data on a platter to attackers. That’s not all, they could also provide a denial of service (DoS) across enterprise-wide systems. 

However, the agency also clarifies that the vulnerabilities have already been fixed by Google and Mozilla, which means all that users need to do is download their latest versions. Everything seems good thus far. Now, the problem starts when an SMB actually faces a DoS situation. In the absence of an IT department, it may take them over six hours to even figure out that they’re under attack. So, where does that leave them on the compliance front? 

Not to mention the fact that nobody in their organization would’ve paid adequate attention to Google or Mozilla notifications asking users to download the latest version of their browsers. Come to think of it, how many times have any of us actually acted on it amidst our busy work schedules? The tendency is to postpone, which means enhancing our vulnerability. 

There’s more that needs to be done

CERT-in compliance obligations also mandates that all those covered by the law should enable logs of their entire ICT systems and maintain them securely for a period of 180 days on a rolling format. We are assuming that every corporate entity will have to comply with this requirement, and once again this leaves the SMBs with an extra layer of compliance challenge. 

In fact, enterprises with 20 to 50 employees may find it tough to create and maintain such a log, given the lack of knowledge or skills required, not to mention the additional costs that it entails. The legislation process could’ve given more time for enterprises to comply, but with the CERT-In directives likely to flow in by end-June, we could witness a mad rush to ensure compliance. 

While enterprises with an extensive IT network may not face trouble, the small businesses and even the micro enterprises that the government is exhorting to go digital could be walking into a trap with their eyes open. Unless the authorities go back to the two-year compliance timeframe that the Data Protection Authority legislation had proposed. 

Meanwhile, all that SMBs can do is hope that the CERT-In directives do not come into force within sixty days as was proposed or that they’re given sufficient time to ensure compliance. Of course, the situation does open up a business opportunity of an outsourced service bearing the same contours as the audit and compliance initiatives from chartered accountancy firms.