Skip to content
Global tech bodies write to government, say new cybersecurity rule will make it difficult to do business in India

India’s new directive that requires reporting cyberattack incidents within six hours and storing user logs for 5 years will make it difficult for companies to do business in the country, with 11 international bodies having tech giants like Google , Facebook and HP, as the members said in a joint letter to the government.

The joint letter written by 11 organizations mostly representing tech companies based in the US, Europe and Asia was sent to the Managing Director of India’s Computer Emergency Response Team (CERT-In), Sanjay Bahl, May 26.

International bodies have expressed concern that the directive, as drafted, will have a detrimental impact on the cybersecurity of organizations operating in India and create a disjointed approach to cybersecurity in all jurisdictions, undermining the posture security of India and its allies in the Quad countries, Europe and beyond.

“The onerous nature of the requirements may also make it more difficult for companies to do business in India,” the letter said.

Read also :

Global bodies that have jointly expressed concern include the Information Technology Industry Council (ITI), Asia Securities Industry & Financial Markets Association (ASIFMA), Bank Policy Institute, BSA – The Software Alliance, Coalition to Reduce Cyber -risque (CR2), the Cybersecurity Coalition, Digital Europe, techUK, US Chamber of Commerce, US-India Business Council and US-India Strategic Partnership Forum.

The new directive issued on April 28 requires companies to report any cyber breach to CERT-In within six hours of noticing it.
It requires data centers, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers to validate the names of subscribers and customers who hire the services, the period hiring, subscriber ownership model, etc. and to maintain the records for a period of 5 years or more, as required by law.
According to the directive, IT companies must retain all information obtained in the context of Know-Your-Customer (KYC) and financial transaction records for a period of five years in order to ensure cybersecurity in the field of payments and financial markets for citizens.

International bodies have expressed concern over the 6-hour deadline for reporting cyber incidents and demanded that it be extended to 72 hours.

“CERT-In has not provided any justification as to why the 6-hour delay is necessary, neither proportionate nor aligned with global standards. Such a delay is unnecessarily short and adds additional complexity at a time when entities are more appropriately focused on the difficult task of understanding, responding to, and remediating a cyber incident,” the letter reads.

He said that in the case of the six-hour warrant, entities are unlikely to have enough information to reasonably determine whether a cyber incident has in fact occurred and would warrant triggering the notification.

The international bodies have declared that their member companies operate advanced security infrastructures with high quality internal incident management procedures, which will give more efficient and agile responses than a government instruction regarding a third-party system that CERT-In does not know. not.

The joint letter says the current definition of reportable incidents, to include activities such as polling and analysis, is far too broad given that polling and analysis are everyday occurrences. He said that the clarification made by CERT-In to the directive mentions that logs should not be stored in India, but the directive does not mention this.

“Even if this change is made, however, we have concerns about some of the types of log data that the Indian government requires to be provided upon request, as some of it is sensitive and, if accessed, could create a new security risk by providing insight into an organization’s security posture,” the letter states.

The joint letter says ISPs typically collect customer information, but extending those obligations to VSPs, CSPs, and VPN providers is cumbersome and onerous.

“A data center provider does not assign IP addresses. It will be an onerous task for the data center provider to collect and record all IP addresses assigned to their customers by ISPs. nearly impossible task when IP addresses are dynamically assigned,” the letter said.

The global authorities specify that the local storage of data during the customer’s life cycle and then for five years will require storage and security means, the costs of which will have to be passed on to the customer, who in particular has not requested the storage of these data. after their separation from service.

“We share the government’s goal of improving cybersecurity. However, we remain concerned about the CERT-In directive, despite the publication of the recent FAQ document intended to clarify the directive, as the FAQ is not a legal document, it does not provide businesses with the legal certainty needed to conduct their day-to-day business,” said Courtney Lang, ITI’s senior policy director.

Lang added that the FAQ published by CERT-In does not address problematic provisions, including the six-hour reporting deadline.

“We continue to urge CERT-In to suspend implementation of the directive and open a stakeholder consultation to fully address the concerns expressed in the letter,” Lang said.

cnbctv18-forexlive-benzinga -Sp

Not all news on the site expresses the point of view of the site, but we transmit this news automatically and translate it through programmatic technology on the site and not from a human editor.