CERT-In Issues Directions on IT Practices, Response and Reporting of Cyber Incidents

2 May 2022

– Team Reina Legal

On 28th April 2022, the Indian Computer Emergency Response Team (CERT-In)* issued the following directions relating to information security practices, procedures, prevention, response, and reporting of cyber incidents for safe & trusted internet:

On Reporting Cyber Incidents

CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organisations to report cyber incidents to CERT-In within 6 hours of noticing such incidents or of such incidents being brought to their notice. Cyber security incidents that must be reported to CERT-In include:

  • Unauthorised access of IT systems/data
  • Malicious code attacks such as spreading of virus/Trojan/Bots/Spyware
  • Fake mobile apps
  • Unauthorised access to social media accounts

The incidents can be reported to CERT-In via email, phone, and fax.

On Maintaining ICT System Logs

CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organizations to enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days within the Indian jurisdiction.

On Connecting to the Network Time Protocol (NTP) Server of National Informatics Centre (NIC)

CERT-In directed all service providers, intermediaries, data centres, body corporate, and government organizations to connect to the NTP Server of NIC or the National Physical Laboratory, or to NTP servers traceable to these NTP servers, for synchronisation of all their ICT system clocks.

On Assisting CERT-In

When required by CERT-In for cyber incident response, service providers, intermediaries, data centres, and body corporates must take action and provide assistance to CERT-In for cyber security mitigation actions and enhanced cyber security situational awareness. The organizations must also designate a Point of Contact to interface with CERT-In and send the information of the Point of Contact to CERT-In in the format prescribed in the directions.

On Registration of Data Centres, Cloud Service Providers and Virtual Private Network (VPN) Service Providers

Data centres, Virtual Private Server providers, cloud service providers, and VPN service providers shall register accurate information on their IP address, names of subscribers/customers, period, and purpose of hiring the service, etc. and maintain it for a period of 5 years or longer after cancellation or withdrawal of their registration.

On Maintaining Information Obtained as part of Know Your Customer (KYC)

Virtual asset service providers, virtual asset exchange providers and custodian wallet providers shall maintain all information obtained as part of KYC and records of financial transactions for a period of 5 years.

Effective Date

The directions will be effective after 60 days from the date of issuance.

In case any clarification is required in this regard, we would be happy to provide you the same.

*As per Section 70B of the IT Act, 2000, CERT-In serves as the national agency for the collection, analysis, and dissemination of information on cyber incidents and undertaking emergency measures for handling cyber security incidents.

Disclaimer: This legal update is the copyright of Reina Legal LLP. The update is not intended to be a form of solicitation or advertising. The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate thereafter. No person should act on such information without appropriate professional advice based on the circumstances of a particular situation.