“In terms of the reporting time [for cybersecurity incidents], whether 6 hours is too less or too long, if you look at precedents all around the world […] there are countries that mandate immediate reporting. And I think we have been extremely generous because we have given 6 hours,” the Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said on May 18 while releasing the FAQs document on the new cybersecurity directive.
The cybersecurity directive mandates all companies to report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. But this timeline has been criticised by cybersecurity experts and tech companies for being unfeasible, burdensome, and not in line with global standards.
The Indian government, however, refused to budge on this requirement arguing that some countries have shorter timelines. Sanjay Bahl, Director General of CERT-In, even shared a list of countries that supposedly have more stringent timelines to report cybersecurity incidents and data breaches.
Dear reader, we urgently need to build capacity to cover the fast-moving tech policy space. For that, our independent newsroom is counting on you. Subscribe to MediaNama today, and help us report on the policies that govern the internet.
What does CERT claim and what are the actual reporting timelines?
France
- What does CERT claim? 4-hour reporting timeline in the financial sector
- What is the actual timeline:
- Financial sector: Payment service providers must report security incidents within four hours after they have been classified as major incidents. Classification can take up to 24 hours, which essentially gives companies a total of 28 hours to report major incidents. Furthermore, major incidents are classified based on the comprehensive criteria set in these guidelines.
- All other entities: For other companies, there is no mandatory cyber incident reporting, but there are rules for data breaches set by the GDPR. In case of a data breach, companies must notify the national regulator within 72 hours of becoming aware of the breach.
Italy
- What does CERT claim? 3 hours
- What is the actual timeline: Operators of essential service and digital service providers (DSPs) must notify the Computer Security Incident Response Team (CSIRT Italy) of cyber incidents without delay. For DSPs, the notification obligation arises only after they have access to the necessary information to assess the impact of the incident. In 2021, there was, however, another decree which classified incidents based on severity and gave anywhere between 1 to 6 hours to report based on the classification, but MediaNama was unable to access a copy of the decree to confirm this. Further, like other European nations, Italy also has a 72-hour timeline for reporting personal data breaches as mandated by GDPR.
Japan
- What does CERT claim? Immediate
- What is the actual timeline:
- Financial sector: Banks must report any cyber incidents immediately after becoming aware of it, to the Financial Services Agency. This is however a guideline and not legally binding.
- Telecommunications sector: If a cyberattack causes a serious incident as specified in the Telecommunications Business Act, then the telecom company must promptly report the same to the Ministry of Internal Affairs and Communication. No specific time frame is provided.
- Other entities: There is no mandatory requirement to report cyber security incidents, except in the case of certain personal data breaches. For these breaches, business operators must notify the Personal Information Protection Commission of the incident as soon as possible (3 to 5 days according to guidelines).
Singapore
- What does CERT claim? 1 hour
- What is the actual timeline:
- Financial sector: Financial institutions in Singapore must notify the Monetary Authority of Singapore (MAS) within one hour of discovering an incident that has a severe and widespread impact on its operations or materially impacts the institutions’ customers regardless of when the malfunction or incident occurs.
- Critical infrastructure: Companies designated as critical information infrastructure providers must notify the Commissioner of Cybersecurity within two hours of becoming aware of the occurrence of a prescribed cybersecurity incident.
- All entities: Data breaches that are likely to result in significant harm or of a significant scale need to be reported to Singapore’s Personal Data Protection Commission within 24 hours.
Spain
- What does CERT claim? 2 hours
- What is the actual timeline: Incidents that are classified as critical, very high, or high (based on criteria laid out here) must be mandatorily reported to the relevant authorities immediately while incidents classified as medium and low do not have to be mandatorily reported. Critical and very high incidents include attacks by APT, malware distribution, intrusion, etc. Personal data breaches must be reported within 72 hours.
UK
- What does CERT claim? Immediate in the financial sector
- What is the actual timeline:
- All entities: Relevant digital service providers such as online search engines, online marketplaces, and cloud computing services must report any cyber incident that has a substantial impact to the Information Commissioner’s Office (ICO) within 72 hours. This includes data breaches.
- Financial sector: Entities regulated by the Financial Conduct Authority (FCA) must report cyber incidents to the authority immediately after becoming aware of them, but only if it they are material cyber incident, which is determined based on certain criteria.
Indonesia
- What does CERT claim? 1 hour
- What is the actual timeline: As per a 2012 regulation, electronic system operators must report any failure or disruption of systems to concerned authorities immediately. Data breaches must also be reported in the first instance upon the company discovering such breach. There is no specific time mentioned.
Analysis: Do other countries really have more stringent reporting timelines?
As illustrated above, there are multiple cases where other countries have more stringent timelines to report cyber security incidents, but it applies only to companies in specific sectors (financial, telecom, critical infrastructure) or for cyber incidents of a specific criticality (high, very high). In contrast, India’s 6-hour reporting timeline applies to all companies and for a long list of incidents that range from less severe (and very common) phishing attacks to highly critical attacks on critical infrastructure. As such, it is an unfair and superficial comparison that CERT-In is making.
Why does India want cybersecurity incidents reported within 6 hours?
Defending the 6-hour timeline, Minister Rajeev Chandrasekhar provided the following rationale:
“Please understand, the actors are no longer amateurs. It used to be ten years ago when we talk about cyber breaches and cyber incidents, you think of one young person sitting behind a computer trying to hack a firewall to get some academic satisfaction. Today, it is not that. The criminality and the cyber incidents and the nature, type, form, shape of it are very complex. They have very sinister elements behind it. There are many state actors that are also using vulnerabilities in various countries’ internet space. And very importantly, why this logic of very rapid reporting is almost essential to the internet is those who commit these breaches can move on very quickly. […] With all of the tools that they have, the breach could be one place, can originate from one place and they can move on very rapidly to undertake the same type of breaches from multiple other locations. So immediate reporting, very quick reporting is fundamental to investigating forensic analysis and situational awareness of the nature of the incident and our conspiracy behind it.”
This post is released under a CC-BY-SA 4.0 license. Please feel free to republish on your site, with attribution and a link. Adaptation and rewriting, though allowed, should be true to the original.
Also Read:
- Why India’s New Cybersecurity Directive Is A Bad Joke
- FAQs On Cybersecurity Directive Adds Fresh Concerns
- India’s Cybersecurity Directive Goes Against Security, Tech Companies Argue
- VPN Providers Undeterred By Minister’s Ultimatum To Comply Or Leave India
Have something to add? Subscribe to MediaNama here and post your comment.