The department of telecommunications (DoT) has mandated telecom companies to report cybersecurity incidents to the government within six hours of becoming aware and additional details on the impact of the incident within 24 hours, according to the Telecom Cyber Security Rules, 2024, under the Telecom Act.
The norms are in line with the CERT-IN guidelines in 2022, which already require the companies to report such incidents within six hours of identification or notification.
According to the rules, within 24 hours of becoming aware of such an incident, telcos are required to furnish information such as the number of users affected by the security incident, the duration of the security incident, the geographical area affected by the security incident, the remedial measures taken, and the extent to which the functioning of the telecommunication network or telecommunication service is affected.
The rules also give the government power to ask for traffic data and any other data, other than the content of messages from the telecom company for the purposes of protecting and ensuring telecom cybersecurity.
The government can direct a telecom entity to establish necessary infrastructure and equipment for collection and provision of such data from designated points to enable its processing and storage, according to the rules.
The government has also asked telecom companies to appoint a chief telecommunications security officer, who is a citizen and resident of India. The officer will be responsible for coordinating with the Central government on behalf of the telecommunication entity for the implementation of the rules, including compliance with any reporting requirements or reporting of security incidents, according to the rules.
The telecom operators are also required to adopt a telecom cybersecurity policy, which includes security safeguards, risk management approaches, actions, training, best practices and technologies, to enhance telecom cybersecurity. The policy must also ensure testing of the telecommunication networks, periodic audits, risk assessment, identification and prevention of security incidents, the government said in the norms.
Besides, the companies need to have a rapid action system to deal with security incidents, including mitigation measures to limit the impact of such incidents and conduct forensic analysis of security incidents.
As per the rules, a manufacturer of equipment that has an International Mobile Equipment Identity (IMEI) number is required to register the number of such equipment manufactured in India with the government before the sale of first such equipment.
An importer of equipment that has an IMEI number has to register the IMEI number of such equipment imported into India for sale or testing or research or for any other purpose with the government prior to the import of such equipment into India, according to the rules.
