NEW DELHI – June 6, 2022 – BSA | The Software Alliance submitted its concerns to the Ministry of Electronics and Information Technology (MeitY) on Computer Emergency Response Team’s (CERT-In) “Directions … relating to information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet” (Directions).

The Directions aims to augment and strengthen cybersecurity in India. BSA supports this aim of CERT-In and the need to build an effective cyber incident reporting regime. While we appreciate MeitY’s efforts to clarify the Directions through Frequently Asked Questions (FAQs), a few provisions are incompatible with risk-based, technology neutral, and flexible approaches to ensure robust cyber security mechanisms.

“We are concerned about the broad scope of notifiable cyber incidents, the lack of a risk-based threshold, and the short timeline for reporting in the Directions. These provisions will undermine incident investigation and response, including the deployment of defensive measures”, said Venkatesh Krishnamoorthy, Country Manager – India, BSA | The Software Alliance. “We urge the CERT-In to adopt an impact-based and risk-based approach to incident reporting. We recommend that the Directions ask to provide an initial report of high-impact or severe cyber incidents as soon as practicable or within 72 hours of the confirmation of an incident, whichever is faster. We also seek greater flexibility on log-keeping requirements and more time to implement user validation requirements. BSA looks forward to working with MeitY and CERT-In to contribute to an effective approach towards a secure digital economy for India.”