This is an archive article published on May 28, 2022

Cybersecurity norms may make it ‘difficult’ to do business in India: 11 industry bodies to CERT-In

CERT-In’s cybersecurity directive requires entities to report cybersecurity incidents to the agency within six hours. They also mandate VPN providers to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for five years.

The industry groupings have called for increasing the reporting timeline from the currently prescribed six hours to 72 hours, saying the latter timeline is “in alignment with global best practices”. (Representative Image)

India’s recently announced cybersecurity norms are facing a larger pushback. Eleven industry bodies from countries in the European Union, UK, and the US, including the likes of US Chamber of Commerce and US-India Business Council, have written to the Indian Computer Emergency Response Team (CERT-In), raising concerns around its recent cybersecurity norms, arguing that the “onerous nature” of the directive may make it more difficult for companies to do business in India.

In a letter to Sanjay Bahl, the Director General of CERT-In, the industry groupings said that the cybersecurity directive will have a “detrimental impact on cybersecurity for organisations that operate in India, and create a disjointed approach to cybersecurity across jurisdictions, undermining the security posture of India and its allies in the Quad countries, Europe, and beyond”.

In particular, they have flagged the six-hour timeline to report cybersecurity incidents, requirements that companies furnish sensitive logs to, an “overbroad” definition of reportable incidents, and the requirement that virtual private networks (VPNs) store data on their users for five years. “If left unaddressed, these provisions will have a significant adverse impact on organisations that operate in India with no commensurate benefit to cybersecurity,” the letter said.


The signatories to the letter count big tech companies like Facebook, Google, Apple, Amazon and Microsoft along with other tech firms as members. The signatories include: Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA, Coalition to Reduce Cyber Risk, Cybersecurity Coalition, Digital Europe, Information Technology Industry Council (ITI), techUK, US Chamber of Commerce, US-India Business Council (USIBC), and US-India Strategic Partnership Forum (USISPF). They join a wide range of stakeholders, including VPN providers and the civil society, who have previously criticised CERT-In’s norms.

CERT-In’s cybersecurity directive requires entities to report cybersecurity incidents to the agency within six hours. They also mandate VPN providers to store information such as names, email IDs, contact numbers, and IP addresses (among other things) of their customers for a period of five years. The letter comes a week after CERT-In released a set of clarifications on its rules after compliance burden-related concerns were raised by industry stakeholders. The rules were announced on April 28 and are to go into effect after 60 days.

The industry groupings have called for increasing the reporting timeline from the currently prescribed six hours to 72 hours, saying the latter timeline is “in alignment with global best practices”.


“A 6-hour timeline is too short. CERT-In has not provided any rationale as to why the 6-hour timeline is necessary, nor is it proportionate or aligned with global standards. Such a timeline is unnecessarily brief and injects additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident,” they said in the letter.

“Our companies operate advanced security infrastructures with high-quality internal incident management procedures, which will yield more efficient and agile responses than a government-directed instruction regarding a third-party system that CERT-In is not familiar with. CERT-In should revise the Directive to remove this provision,” it added. “A more appropriate approach might be asking that providers demonstrate that their incident and risk management procedures meet international standards, such as those contained in ISO 27000 certifications”.

However, Minister of State for Electronics and IT, Rajeev Chandrashekhar, had earlier said that the government was being “too generous” with the six-hour reporting timeline. CERT-In’s Bahl, meanwhile, has previously said that countries like France, Japan, Indonesia and Singapore have even shorter timelines for reporting cybersecurity incidents. Despite the prior concerns, the government has decided to press ahead with the rules. Chandrashekhar has also warned VPN companies that if they do not adhere to the norms, they are free to exit the country.

Soumyarendra Barik is Special Correspondent with The Indian Express and reports on the intersection of technology, policy and society. With over five years of newsroom experience, he has reported on issues of gig workers’ rights, privacy, India’s prevalent digital divide and a range of other policy interventions that impact big tech companies. He once also tailed a food delivery worker for over 12 hours to quantify the amount of money they make, and the pain they go through while doing so. In his free time, he likes to nerd out about watches, Formula 1 and football.
