If you want support or consultancy to implement CERT-In Directions, please visit Mayakshi.com
In India, people suffer from what might be called 'Helmet Syndrome'. What is Helmet Syndrome? A person wears a helmet while riding a two-wheeler, whether as driver or pillion, not because it is lifesaving but because the police may catch him. It is the fear of punishment that drives people to wear helmets, not fear for their lives. It sounds ridiculous, but it is true. It is only through such threats that a habit later turns into a lifesaving one. The same is true of cybersecurity.
A company or organisation may become the victim of a ransomware attack and still not take measures to protect its networks and systems. Unlike the Federal Information Security Modernization Act of the US, where there are consequences for non-compliance, there has been no legal provision penalising non-compliance with any cybersecurity best practice.
According to a report published by CERT-In, the ransomware threat to Indian companies increased by 51% in the first half of 2022 compared with the same period of 2021. That is a huge jump. Sources indicate that the ransom demand per victim has also jumped by 100%. This means that, in monetary terms, the ransomware turnover increased by 300% in just one year. The Russia-Ukraine war is also being fought at the cyber-warfare level. These are the two major factors that forced the government to issue directives. Any non-compliance with the CERT-In directions dated 28th April 2022 attracts penal action of ONE year of imprisonment or a fine of ONE lakh rupees, or both. Please read section 70B of the Information Technology Act in Box 1. A Body Corporate is a legal entity; therefore the persons who can be imprisoned are those identified in section 85 of the Information Technology Act (refer Box 2), which in real terms includes the Board Members, CEO, CRO, CIO and CISO.
The CERT-In directions attract penal action; therefore their compliance is no longer a purely technical issue but a techno-legal one. CERT-In can only file a complaint about non-compliance; the matter is decided by a criminal court. Because the punishment is less than 7 years, there is no immediate threat of jail to the CXOs of the company, but battles will be fought in the courts. It is therefore not only important to comply with the directions of CERT-In but also to be able to prove in court that one has done so. If this can be shown at the prima facie level, no court will allow unnecessary prosecution.
The technologists of the company can align with the directions, but in most cases they will avoid taking any responsibility for legal action, and similarly the legal team may not be comfortable with the actions of the technologists. The reason for such ambiguity is not mistrust between the legal and IT teams but that the CERT-In orders have many gaps and are drafted in a catch-all format.
The date of compliance for large companies is 27th June 2022, while SMEs and smaller Body Corporates are given relaxation till 25th September 2022. Additionally, the certifying bodies for ISO/IEC 27001, PCI-DSS and similar certifications will not be able to grant or reissue a certificate in case of non-compliance with the directions of CERT-In. Financial auditors will also find it difficult to clear an audit, because non-compliance carries criminal liability for the Board of Directors and CXOs.
Therefore, the directions are unavoidable. Those who comply only because of helmet syndrome, for visibility rather than in substance, may be in for a shock at the time of their compliance audits.
It is therefore not only in the interest of the nation but also in their own interest that all companies LEGALLY comply with the directions of CERT-In.
Are You CERT-In Directions Compliant???
BOX - 1
Section 70 B: Indian Computer Emergency Response Team to serve as national agency for incident response
(1) The Central Government shall, by notification in the Official Gazette, appoint an agency of the government to be called the Indian Computer Emergency Response Team.
(2) The Central Government shall provide the agency referred to in sub-section (1) with a Director General and such other officers and employees as may be prescribed.
(3) The salary and allowances and terms and conditions of the Director General and other officers and employees shall be such as may be prescribed.
(4) The Indian Computer Emergency Response Team shall serve as the national agency for performing the following functions in the area of Cyber Security,-
(a) collection, analysis and dissemination of information on cyber incidents
(b) forecast and alerts of cyber security incidents
(c) emergency measures for handling cyber security incidents
(d) Coordination of cyber incidents response activities
(e) issue guidelines, advisories, vulnerability notes and white papers relating to information security practices, procedures, prevention, response and reporting of cyber incidents
(f) such other functions relating to cyber security as may be prescribed
(5) The manner of performing functions and duties of the agency referred to in sub-section (1) shall be such as may be prescribed.
(6) For carrying out the provisions of sub-section (4), the agency referred to in sub-section (1) may call for information and give direction to the service providers, intermediaries, data centers, body corporate and any other person
(7) Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.
(8) No Court shall take cognizance of any offence under this section, except on a complaint made by an officer authorised in this behalf by the agency referred to in sub-section (1).
BOX - 2
Section 85: Offences by Companies
(1) Where a person committing a contravention of any of the provisions of this Act or of any rule, direction or order made there under is a Company, every person who, at the time the contravention was committed, was in charge of, and was responsible to, the company for the conduct of business of the company as well as the company, shall be guilty of the contravention and shall be liable to be proceeded against and punished accordingly:
Provided that nothing contained in this sub-section shall render any such person liable to punishment if he proves that the contravention took place without his knowledge or that he exercised all due diligence to prevent such contravention.
(2) Notwithstanding anything contained in sub-section (1), where a contravention of any of the provisions of this Act or of any rule, direction or order made there under has been committed by a company and it is proved that the contravention has taken place with the consent or connivance of, or is attributable to any neglect on the part of, any director, manager, secretary or other officer of the company, such director, manager, secretary or other officer shall also be deemed to be guilty of the contravention and shall be liable to be proceeded against and punished accordingly.
Explanation- For the purposes of this section
(i) "Company" means any Body Corporate and includes a Firm or other Association of individuals; and
(ii) "Director", in relation to a firm, means a partner in the firm