MSMEs are still not ready to comply with CERT-In's cybersecurity rules

As the deadline for compliance with the Indian Computer Emergency Team’s (CERT-In) new cybersecurity guidelines near, micro, small and medium enterprises (MSMEs) are still struggling to comply with the rules. The new rules were issued on April 28, with an extension later till September 25, and require companies to report security incidents within six-hours or detection, among other things. They also require virtual private network (VPN) providers to track user-data and provide the same to the government when required.

According to industry trade groups, cybersecurity firms that provide CERT-In compliant tools, and other experts, the overall readiness among industry players remains low. In fact, on September 22, the India SME Forum wrote a letter to the government seeking a deadline extension. The India SME Forum is an industry body that represents MSMEs in the country.

The new cybersecurity rules were issued on April 28 under sub-section (6) of section 70B of the Information Technology Act, 2000, which is administered by MeitY. Cyberlaw expert and Supreme Court lawyer Pavan Duggal reminded that a low preparedness level won’t serve as an excuse for MSMEs and companies will eventually face criminal liability of imprisonment and fine under section 70B of the IT Act for non-compliance with these rules.

Low preparedness is among the chief concerns among industry experts, who said that MSMEs aren’t prepared to comply with such stringent rules since many of them never took security seriously in the first place. As a result, they will likely need another extension to build capacities and comply with CERT-In’s rules.

“MSMEs in India will need more time to follow the new rules. They lack the capacity to report incidents and lack time to build it,” said Vinod Kumar, president of India SME Forum. “They will have to implement agile solutions that can foresee threats, identify anomalies, and offer threat detection,” he added, and said that MeITY should help MSMEs by training them as well as providing the infrastructure support.

Further, the rules also require companies to maintain log files for 180 days and report any cyber incidents defined within the rules within 6 hours. This would require “significant investment” in security technologies and hiring of specialists, according to Aloke Kumar Dani, Partner, Deloitte India. 

For instance, a security expert who requested anonymity said that the smallest investment for a 10 person company to appoint an external security firm could cost anywhere between ₹2-15 lakh. He warned, however, that these costs can increase depending on the scope of work, length of contract etc. The co-founder of a security firm said he charged small businesses ₹20,000 per application, and the cost for a 30-40 person company would come to around ₹5 lakh or more. “A bank, which uses 200 or more applications at a time, would spend ₹40-50 lakh for a year-long contract. The cost also differs based on the type of contract, etc,” he said.

Mint reported last month that the average salaries of security professionals, too, have grown since August last year. An early stage security analyst with at least four-years of experience can cost around ₹7.5 lakhs per annum, while senior analysts with a decade’s experience earn around ₹22 lakh per annum.

“We cannot say whether the industry is fully ready. Some of the things, like validation — one of the requirements — take time to implement for global companies,” said Rama Vedashree, chief executive of the Data Security Council of India (DSCI). She also noted that the FAQ released by the agency provided a lot of clarification. “Now, when industry members are working on implementation, a set of revised directives is needed for final compliance,” she added.

Even for firms that already have a decent security posture in place, the new rules could lead to changes. “Re-architecting the systems under the new regulations takes a lot of planning and project management for which three or even four months always fall short,” said Prateek Bhajanka, cyber security expert and technology strategist at SentinelOne, a cybersecurity company. 

That said, not everyone agrees with the pleas. Amit Jaju, senior managing director at Ankura Consulting Group, said that the extension was “more than enough” to configure processes and systems for compliance.