The Indian Computer Emergency Response Team (CERT-In) on Thursday made it mandatory for firms to report all incidents of cybersecurity vulnerabilities within six hours of noticing them. Internet researchers and cybersecurity experts call it a welcome move, protecting consumers and ensuring companies become more alert to cybersecurity. However, some raise concerns over whether end consumers will benefit.
According to cyber security firm Kaspersky, India has witnessed a staggering 5X growth in its cybercrime rate over the past three years, with 14 lakh cases registered in 2021 alone. Such a rise threatens the healthy growth of the industry, as well as the efficacy of e-governance solutions over the long term.
“We see a sense of urgency being created around the issues of cybersecurity as a result of the new rules. Rightly so, since India needs to further strengthen its cybersecurity law. It will certainly push enterprises to address their cybersecurity requirements on a priority basis. It will also increase compliance costs for businesses, but I see cybersecurity costs as a long-term investment in the growth of a business,” Dipesh Kaura, General Manager, Kaspersky (South Asia), told BusinessLine.
He added, “In my experience, consumers reward enterprises deemed as safe for digital engagement with bigger and better opportunities for growth. The decision might leave companies scrambling to align their infrastructure and resources to comply with the new rules within 60 days, but it does bode well for the future.”
Internet Freedom Foundation (IFF) found the directions to be well-placed, especially since they expand the range of what needs to be reported.
“Since this is applied to all government and private sector companies, this is a great policy. Even Aadhaar leaks or other data breaches related to government bodies will now have to be reported within six hours. They have also asked to maintain logs of ICT servers over a period of 180 days. In the next set of guidelines, we’ll hopefully find the mechanism of how CERT-In would report any personal data breach to consumers. The only caveat that remains is whether they will ask for more information than needed,” Rohin Garg, Policy Counsel – Regulation and Social Welfare, IFF, told BusinessLine.
The logs of company ICT servers will be aligned with the network time protocol (NTP) servers of India’s National Informatics Centre (NIC).
Cost of compliance
Kaura of Kaspersky added, “Most enterprises operating at a scale that requires the collection, management, and storing of customer data must proactively invest in cybersecurity infrastructure and resources. This requires robust solutioning and partnership with a reliable provider.”
He added, “Authorities have also increased the number of categories under which to report these incidents to 20, thus broadening the scope for compliance efforts. Companies will need to allocate dedicated resources for the task of interfacing with the central authority.”
More jobs for sector
Sunny Nehra, Admin of cybersecurity firm Hacks and Security, told BusinessLine, “The window for reporting within six hours is after you notice it. It’s a sufficient window. This is a great thing as companies will now take cybersecurity more seriously. Because these directions have been included in the IT Act, 2000, it will be more powerful. This is a precursor and starting point to data protection law. Security Operation Centre (SOC) analyst jobs and data complaints will also see a boom.”
Independent internet security researcher Rajshekhar Rajaharia said, “We have to see how these rules are implemented. No company wants to reveal cases of cybercrime. But now, companies will need to be more alert, which will require them to strengthen their systems. These guidelines will lead to more job creation for the cybersecurity sector for sure, but I don’t know whether crimes will reduce.”
“I don’t see how end consumers will benefit as the directions don’t mention how CERT-In will report the incidents to them. Majority of the cases reported over the last couple of years have been around identity theft and financial crimes due to leak of customer databases,” he added.