New Delhi: The Micro, Small, and Medium Enterprises (MSMEs) sector has welcomed the news that the Union government is considering extending the deadline by which companies have to comply with its new cyber security directives. MSMEs have been lobbying the government for more time for compliance, citing the additional burden adhering to the new rules would entail.
The cyber security guidelines, released by the Ministry of Electronics and Information Technology’s Indian Computer Emergency Response Team (CERT-In) on 28 April, were aimed at addressing the increasing number of data breaches taking place across the country, jeopardising the safety of consumer data.
The rules lay out a framework wherein companies are expected to share data breach details within six hours and retain security logs for 180 days. The initial deadline for compliance was 26 June.
Following pushback from the industry, CERT-In on 27 June issued a notification extending the deadline for compliance to 25 September, noting that MSMEs had sought “reasonable time for generating capacity-building required for implementation of these directions”.
However, the new deadline has also passed and the industry still seems to require more time.
Several industry bodies representing MSMEs in the cyber security space have made appeals to the IT ministry to extend the deadline once again.
Over the last few weeks, representatives from the Data Security Council of India (DSCI) — a data protection body set up by the National Association of Software and Service Companies (NASSCOM), the apex trade association of the IT industry in India — have met with ministry officials to discuss the readiness of the industry.
“Compliance with the CERT-In guidelines would demand significant efforts from MSMEs,” Atul Kumar, lead (Government Initiatives), DSCI, told ThePrint. “They will have to factor in requirements specified for time synchronisation, reporting of cyber incidents, furnishing the information, and enabling and maintaining security logs for 180 days.”
What are the concerns?
According to the new rules, all service providers, data centres, corporate bodies and government organisations are required to report a cyber security threat within “six hours of noticing such incidents or being brought to notice about such incidents”.
They also have to “enable logs of all their ICT (information and communications technology) systems and maintain them securely for a rolling period of 180 days and the same shall be maintained within the Indian jurisdiction”. These logs are to be provided to CERT-In when any incident is reported or when directed by CERT-In.
Most industry bodies agree that there is a need for a framework of rules, but at the same time they are concerned about tight compliance timelines, the new technology investments required, and the data privacy of their consumers.
According to DSCI’s Kumar, companies have several options before them to comply with the new rules. They could build internal capabilities and invest in relevant technologies, rely on service providers, or make use of new models such as virtual chief information security officers.
One major contentious rule mandates that “data centres, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers shall be required to register… (user) information which must be maintained by them for a period of 5 years or longer duration as mandated by the law after any cancellation or withdrawal of registration as the case may be”.
Most VPN service providers (offering encrypted web services) operating in India have disagreed outright with the directives, and some have even withdrawn their services from India entirely, citing data privacy concerns.
‘Allow MSMEs to focus on cybersecurity’
Extending the deadline for compliance once again will give MSMEs time to re-focus their attention on cybersecurity — a relatively neglected area so far, Col Sunil Kapila (retd), senior advisor at the India Future Foundation, who had also approached the government for a deadline extension, told ThePrint.
“MSMEs today focus on building business but they also need to be made aware about the nuances of cyber security which could impact their businesses,” he explained. “Today we have 65-plus start-ups turning into ‘unicorns’ in India. Hence, such guidelines especially for MSMEs give them time to look at the security of their data more seriously.”
Apart from a single-minded focus on growth, the other reason cyber security has taken something of a backseat among MSMEs is the lack of adequate human resources to perform these tasks.
“Today, most MSMEs don’t have people dedicated in-house to look at cyber security risk and the related regulations in India,” Kapila said, adding: “The additional time (for compliance) will give MSMEs a window to build cyber security capabilities and hire talent to manage adherence with the new IT rules and CERT-In guidelines.”
‘Overreach’ by govt
Some experts are also of the view that the CERT-In rules constitute overreach and that they are actually designed to encourage companies to share data with the government.
“Instead of being a fire-fighter, which is the CERT’s job, they are using the rules as an opportunity to bring businesses to ‘cooperate’ with data-sharing and data collection that is extra-judicial,” senior technology lawyer Mishi Choudhary told ThePrint.
“CERT-In should follow what all other CERTs in the world do: be a firefighter and coordinator to control and manage cyber security incidents, not become a legislative body,” Choudhary added.
(Edited by Nida Fatima Siddiqui)