DSCI communication on clarification of reporting onus of Cybersecurity Incidents to Cert-In/ICERT

DSCI issued a communication to its members clarifying the reporting responsibility of cybersecurity incidents to Computer Emergency Response Team of India (CERT-In or ICERT). Cert-In’s communication reiterated the notice of 2013, and rules issued under section 70B of IT Amendment Act 2008, issued on January16, 2014 focusing on entities such as ‘Service Providers’, ‘Intermediaries’, ‘Data Centers’ and ‘Body Corporates’, and qualifying cyber security incidents to be reported by them to CERT-In.

DSCI in its communication to its members, seeking clarification on the role and obligation for service providers serving government departments and agencies under contractual agreements and otherwise stated that under the standard terms of contract signed between a government department and service providers for services, it is the responsibility of the primary owners to formally notify on the security incidents to government agencies and departments, and not the service providers who provide services under contractual agreement. Cert-In has acknowledged the concern (for services providers under contractual agreement) and replied that the service providers are not required to notify the qualified incidents directly to Cert-In.