CERT-In has today released some advertisements in newspapers reiterating the rules that require mandatory reporting of cyber incidents. The circular makes a reference to the notification dated 16th January, 2014 titled “Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013” (Copy available here) in which under Section 12(1)(a), it is stated that “Any individual, organization or corporate entity affected by cyber security incident may report the incident to CERT-IN”.
Types of cyber security incidents that need to be reported to CERT-In are:
- Targeted scanning/probing of critical networks/systems
- Compromise of critical systems/information
- Unauthorized access of IT systems/data
- Defacement of website or intrusion into a website and unauthorized changes such as insertion of malicious code, links to external websites etc.
- Malicious code attacks such as spreading of virus/Trojan/Botnets/Spyware
- Attacks on servers such as Database, Mail and DNS and network devices such as Routers
- Identity Theft, Spoofing and Phishing Attacks
- Denial of Service (DOS) and Distributed Denial of Service (DDOS) attacks
- Attacks on Critical infrastructure, SCADA Systems and Wireless networks
- Attacks on Applications such as E Governance, E Commerce etc.
To facilitate such reporting, CERT-In was to maintain an Incident Response Help Desk on a 24-hour basis on all days including holidays.
The system incident reporting form can be downloaded from here.
Incidents may be reported by the victims. But for Service providers, Data Centers and Body Corporates, reporting of Cyber Incidents as per the list provided under this rule is Mandatory. Reporting should be done within a “reasonable period”.
If one peruses the reporting format, it is clear that it is drafted with a trained CISO in mind. Small companies and ordinary individuals may be capable neither of identifying “Cyber Incidents” nor of reporting them properly in the form indicated.
The report may be sent to the helpdesk whose contact details are given below.
Ph: +91 1800 11 4949
Fax: +91 1800 11 6969
Now that CERT-In has issued a public advertisement, it is essential for them to exempt “Individuals” and “Non Corporate entities” as well as “Corporate entities with a turnover less than a reasonable amount” from this mandatory reporting system.
Though this rule has been in existence since 2014 and CERT-In has the quasi-judicial powers to start prosecution proceedings leading to imprisonment of up to 1 year for non-submission of information, neither CERT-In nor the public had taken this rule seriously. They therefore were mostly non-compliant.
However, there may now be increased attention from the industry on correcting the situation, thanks to de-monetization and the consequent promotion of digital payments, followed by a realization of the increased risks…