India relaxes cyber security incidents reporting rules and says new rules apply to MNCs

Cybersecurity agencies in India are slightly relaxing their controversial and complex requirements for reporting on information security incidents, although they reaffirm that the final version of these rules should apply to any multinational company operating on their territory.

These rules were announced overnight in late April, receiving criticism from major players in the industry because system administrators were required to report 22 types of cybersecurity incidents just six hours after their detection, in addition to establishing as a requirement the registration of VPN users and other controversial measures.

The Government of India published an FAQ document related to these new rules and specifying that improvements and revisions will continue to apply. For example, India has clarified that minor security incidents, such as social media account takeover, will not have to be reported within six hours; on the other hand, only the most severe incidents, capable of disrupting operations in the affected organization, will have to be reported within this period.

Authorities also reversed the restriction of using only a couple of Indian Network Time Protocol (NTP) servers, specifying that the use of other NTP servers synchronized with local operators is also allowed.

The document also more clearly lists the requirements for entities that can operate in India without having a physical presence in the nation. As it reads, these companies must designate a point of contact to communicate with CERT-India, which administers the new rules. Non-Indian organizations can store certain data abroad, but must make it available to the CERT-In.

Indian officials avoided making any mention of the criticism the first version of this project received. The FAQ does not address objections to measures such as VPN user retention, in addition to frequently referencing that some of these measures were implemented for national security purposes, making it difficult to change specific aspects.

This document also does not offer any explanation as to how CERT-In will use the documents it collects to analyze security incidents, a matter of interest as organizations can submit reports in formats such as PDFs or faxes that do not lend themselves to automated ingestion or analysis.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.