OPEN APP
Home / Industry / MSMEs seek more time to meet CERT-In’s cybersecurity rules
Listen to this article

MUMBAI/NEW DELHI: As the deadline to comply with the Indian Computer Emergency Team’s (CERT-In) new cybersecurity guidelines nears, micro, small and medium enterprises (MSMEs) are struggling to adhere to the rules.

The new rules were issued on 28 April and the deadline was later extended till 25 September.

The rules require companies to report security incidents within six hours of detection, among other issues. They also require virtual private network (VPN) providers to track user data and submit the same to the government when asked for.

According to industry trade groups, cybersecurity firms that provide CERT-In compliant tools, and industry experts, the overall readiness among industry players remains low. On Thursday, the India SME Forum wrote a letter to the government seeking a further extension of the deadline. The India SME Forum is an industry body that represents MSMEs.

The new cybersecurity rules were issued under sub-section (6) of Section 70B of the Information Technology Act, 2000, which is administered by the ministry of electronics and information technology (MeitY).

Cyberlaw expert and Supreme Court lawyer Pavan Duggal said low preparedness level cannot be an excuse for MSMEs and companies will eventually face criminal liability of imprisonment and fines under section 70B of the IT Act for non-compliance with the rules. Low preparedness is among the chief concerns among industry experts, who said that MSMEs aren’t prepared to comply with such stringent rules since many of them never took security seriously in the first place. As a result, they will likely need another extension to build capacities and comply with the new cyber security rules. “MSMEs in India will need more time to follow the new rules. They lack the capacity to report incidents and lack time to build it," said Vinod Kumar, president of India SME Forum. “They will have to implement agile solutions that can foresee threats, identify anomalies, and offer threat detection," he said, adding MeITY should help MSMEs by training them and providing infrastructure support.

The rules also require companies to maintain log files for 180 days and report any cyber incidents defined within the rules within six hours. This would require “significant investment" in security technologies and hiring of specialists, said Aloke Kumar Dani, partner, Deloitte India.

A cyber security expert, who requested anonymity, said the smallest investment for a company with 10 employees to appoint an external security firm could cost 2-15 lakh. He warned that the costs can rise depending on the scope of work, length of contract, etc.

Separately, the co-founder of a security firm said he charged small businesses 20,000 per application and that it would cost at least 5 lakhs for a 30-40 person company.

“A bank, which uses 200 or more applications at a time, would spend 40-50 lakh for a year-long contract. The cost also differs based on the type of contract, etc," he said.

Mint reported last month that the average salaries of security professionals, too, have grown since August 2021.

An early stage security analyst with at least four-years of experience can cost around 7.5 lakhs per annum, while senior analysts with a decade’s experience earn around 22 lakh per annum.

“We cannot say whether the industry is fully ready. Some of the things, like validation — one of the requirements — take time to implement for global companies," said Rama Vedashree, chief executive of the Data Security Council of India (DSCI). She also noted that the FAQ released by the agency provided a lot of clarification. “Now, when industry members are working on implementation, a set of revised directives is needed for final compliance," she added.

Even for firms that already have a decent security posture in place, the new rules could lead to changes. “Re-architecting the systems under the new regulations takes a lot of planning and project management for which three or even four months always fall short," said Prateek Bhajanka, cyber security expert and technology strategist at SentinelOne, a cybersecurity company.

That said, not everyone agrees with the pleas. Amit Jaju, senior managing director at Ankura Consulting Group, said the extension was “more than enough" to configure processes and systems for compliance.

Catch all the Industry News, Banking News and Updates on Live Mint. Download The Mint News App to get Daily Market Updates.
More Less
Subscribe to Mint Newsletters
* Enter a valid email
* Thank you for subscribing to our newsletter.

Recommended For You

Trending Stocks

×
Get alerts on WhatsApp
Set Preferences My ReadsWatchlistFeedbackRedeem a Gift CardLogout