While the intention behind new rules is to be appreciated, many of them need more clarity
By Mohammed Roshan
The ever-evolving Indian crypto ecosystem has been a matter of interest for many NRIs looking at India as a feasible crypto start-up destination. Here’s an expert look at how the new directives will affect it.
The Indian Computer Emergency Response Team (CERT-In), the nodal agency for cybersecurity, issued a circular on 28 April 2022 with new directives on the tracking and reporting of cybersecurity incidents in the country.
The directives came into force this month, 60 days after issue, and have a bearing not just on crypto startups but on practically every internet company in India: service providers, intermediaries, data centres, body corporates and government organisations alike.
What do the new directives mandate?
- Reporting timeline for cybersecurity incidents reduced to six hours
- Expanded list of mandatorily reportable cybersecurity incidents
- System clocks synchronised to the NTP servers of NIC or NPL (or servers traceable to them)
- Collection and retention of subscriber data
- Expanded CERT-In authority to request information and issue directions
- Retention of KYC information and financial transaction records for five years
- Retention of system logs for 180 days, maintained within Indian jurisdiction
How will these rules affect Indian companies?
In many ways, this circular is a welcome move, as a proper framework around reporting of cyber incidents leads to a much safer ecosystem.
This is the first time a binding, time-bound mechanism for reporting cybersecurity incidents has been put in place, and it should ideally speed up information sharing and help prevent systemic risks effectively.
This is much needed in the Indian crypto space. To facilitate the adoption of crypto, it is important both to prevent cybersecurity risks and to have mechanisms that can fix issues or catch the culprits when something goes wrong.
However, on close inspection, there are also several issues with these new directives. Some provisions seem misguided, while others are simply impractical and may make it difficult to do business in India.
Firstly, it has been made mandatory that all cybersecurity incidents be reported within six hours of the entity noticing them or being notified of them. This timeline is extremely steep for several reasons.
Neither most companies nor CERT-In is likely to have staff working around the clock. And even where they do, it takes time to understand the nuances of a particular issue and compile a report; within six hours, an initial notification with only preliminary facts is the most that can realistically be expected.
In fact, a six-hour timeline is not seen in other large economies. Singapore’s data protection law gives organisations three calendar days to notify a breach, and the EU’s GDPR gives 72 hours.
In an extremely short time, organisations have had to re-examine their practices and deploy additional resources, including on-call staff and incident-response playbooks, to meet this requirement.
The new directives have also added more incident types to the mandatorily reportable list. This is a welcome move, but what is more importantly needed is clarity on the consequences of each incident type and on the impact thresholds at which an event becomes reportable, so that companies are not forced to file a report for every port scan or blocked phishing email.
The new directives also require all ICT system clocks to be synchronised with the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL), or with NTP servers traceable to them.
The concern here is capacity and accuracy: if every entity in the country polls the same small set of NIC/NPL servers directly, those servers may be overwhelmed and distant clients will see more jitter. It is worth noting that an NTP exchange is tiny (one 48-byte UDP packet each way per poll, not the entity’s data), and that the directive permits downstream servers traceable to NIC/NPL, so the practical answer for most companies is to run their own internal time servers synchronised to the national ones and to monitor their offset rather than point every host at NIC directly.
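How a compliance check for the clock-synchronisation requirement actually works, as an added example that is not part of the original article: the script below builds an NTPv4 client request, parses a server reply, and computes the local clock offset and round-trip delay from the four timestamps exactly as RFC 5905 specifies. It runs entirely offline on a constructed server reply (no network access, and the NIC/NPL hostnames are not assumed); the `query_server` function shows the live exchange for a hostname the reader supplies. The one-second tolerance is an illustrative assumption, not a figure from the directive.

```python
"""Offline NTP (RFC 5905) offset/delay computation for a clock-deviation check.

Added example. Sample timestamps below are constructed; no real server is contacted.
"""
import socket
import struct
import time

NTP_EPOCH_DELTA = 2208988800      # seconds between 1900-01-01 and 1970-01-01
NTP_PACKET_FMT = "!BBBb11I"       # 48-byte NTPv4 header: LI/VN/Mode, stratum, poll, precision, 11 x uint32


def to_ntp(unix_ts: float) -> tuple[int, int]:
    """Split a Unix timestamp into the NTP 32-bit (seconds, fraction) pair."""
    secs = int(unix_ts) + NTP_EPOCH_DELTA
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return secs & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp(secs: int, frac: int) -> float:
    """Inverse of to_ntp: NTP (seconds, fraction) back to a Unix float timestamp."""
    return secs - NTP_EPOCH_DELTA + frac / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client request: LI=0, VN=4, Mode=3; our send time T1 goes in the transmit field."""
    s, f = to_ntp(t1)
    return struct.pack(NTP_PACKET_FMT, 0x23, 0, 0, 0, *([0] * 9), s, f)


def build_sample_response(t1: float, t2: float, t3: float, stratum: int = 2) -> bytes:
    """Construct a server reply (Mode=4) the way a reference server would fill it.
    origin echoes our T1; receive is T2; transmit is T3. Used only to build test input."""
    o, r, x = to_ntp(t1), to_ntp(t2), to_ntp(t3)
    return struct.pack(NTP_PACKET_FMT, 0x24, stratum, 0, -20, 0, 0, 0, 0, 0, *o, *r, *x)


def parse_response(data: bytes) -> dict:
    """Validate a server reply and pull out the three server-side timestamps."""
    if len(data) < 48:
        raise ValueError("short NTP packet")
    fields = struct.unpack(NTP_PACKET_FMT, data[:48])
    mode, stratum = fields[0] & 0x7, fields[1]
    if mode != 4:
        raise ValueError(f"unexpected NTP mode {mode} (expected 4 = server)")
    if stratum == 0:
        # Stratum 0 in a reply is a kiss-o'-death / unsynchronised server: do not trust its time.
        raise ValueError("server reports stratum 0; reply unusable")
    ints = fields[4:]
    return {
        "stratum": stratum,
        "origin_raw": (ints[5], ints[6]),
        "receive": from_ntp(ints[7], ints[8]),
        "transmit": from_ntp(ints[9], ints[10]),
    }


def clock_offset(t1: float, t2: float, t3: float, t4: float) -> tuple[float, float]:
    """RFC 5905: offset = ((T2 - T1) + (T3 - T4)) / 2; delay = (T4 - T1) - (T3 - T2)."""
    return ((t2 - t1) + (t3 - t4)) / 2, (t4 - t1) - (t3 - t2)


def evaluate_exchange(t1: float, response: bytes, t4: float, max_offset: float = 1.0) -> dict:
    """Given our T1/T4 and the raw reply, report offset, delay and whether we are within tolerance."""
    r = parse_response(response)
    # The origin field must echo our T1 exactly. A blind off-path attacker who never saw the
    # request cannot forge it, so this rejects spoofed and stale replies (RFC 5905 sanity check).
    if r["origin_raw"] != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request (spoofed or stale reply)")
    offset, delay = clock_offset(t1, r["receive"], r["transmit"], t4)
    return {"stratum": r["stratum"], "offset": offset, "delay": delay,
            "within_limit": abs(offset) <= max_offset}


def query_server(host: str, port: int = 123, timeout: float = 2.0) -> dict:
    """Live version of the exchange against a server the caller chooses (not run offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, port))
        data, _ = sock.recvfrom(48)
        t4 = time.time()
    return evaluate_exchange(t1, data, t4)


if __name__ == "__main__":
    # Constructed scenario: our clock is 2 s behind the server, 0.10 s round trip.
    T1 = 1_700_000_000.0
    reply = build_sample_response(T1, T1 + 2.05, T1 + 2.06)
    print(evaluate_exchange(T1, reply, T1 + 0.11))
```

A host that polls an internal stratum-2 server synchronised to NIC/NPL and logs this offset periodically has both the synchronisation the directive asks for and the evidence that it was maintained; the origin-timestamp check is what stops an unauthenticated UDP reply from an off-path attacker from skewing the clock.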
The point in the directives that relates specifically to crypto startups is the mandatory recording of KYC information and financial transaction records for all subscribers, to be retained for five years.
This was earlier mandated only for regulated entities in banking, but now all virtual asset service providers, virtual asset exchange providers and custodian wallet providers will have to do this.
In India, crypto exchanges were already self-regulating on KYC for years. For wallet providers and other companies in this space, the change is far from ideal: it increases customer friction and compliance costs.
The crypto industry in India is still at a nascent stage, and such measures should not be allowed to hamper the adoption of crypto in the country.
At various points, the circular talks about system logs that must be retained for 180 days within Indian jurisdiction and shared with the authorities on request. However, there is little clarity on what these logs must comprise, which devices they must cover, and which services fall within the scope of the logging requirement.
Logs also contain personally identifiable information such as IP addresses and account identifiers, so the authorities need to ensure that user privacy is given the utmost weight in how this data is requested, transferred and stored.
While the intentions behind these directives are to be appreciated, several of these rules need more clarity. What is needed is an open dialogue between the officials and industry stakeholders.
This would help result in an improved set of directives that can help reduce cybercrime, create an improved framework and enable the growth of the Indian startups and the Indian crypto ecosystem.
(Mohammed Roshan is the CEO & co-founder of GoStats, India’s first Bitcoin Rewards company)