Thank you, everyone, for joining us here. I'm Neeta. I work on outreach and communications at Hasgeek. Before we get started and I hand it over to Sonali, who is our moderator today, I'm just going to briefly give some context for this panel discussion and some introduction to the conference and to Hasgeek. So, on 28 April, the Indian Computer Emergency Response Team issued new directions for information security practices and procedures and the prevention, reporting, and response to cyber incidents. On 4 May, in the Rootconf Telegram group, we discussed the key concerns in implementing these directives from the perspective of business operations and also privacy. This is a follow-up on that conversation, to build on how the industry can engage with this intervention and others in the future to provide meaningful feedback. Rootconf started as an annual conference for practitioners from DevOps, and now SRE, to share approaches to solving infrastructure-related challenges. It has now evolved into a continuous community engagement program with a focus on data security, cloud ops, data ops, and more. Privacy Mode is a growing community on data privacy with a focus on engagement with policy and improving the overall privacy ecosystem from consumer and maker standpoints. You can find the work we've done so far under hasgeek.com/PrivacyMode. Please take a look at our topic map, which is published at the end of the page. Rootconf and Privacy Mode are hosted by Hasgeek.com, a platform for collaborations across practices surrounding technology, including design, law, policy, systems, and data. We collaborate through user-generated content with the aim of enabling discovery and elevation of ideas and individuals. Hasgeek.com and Hasgeek's media division provide the underlying infrastructure, tools, and services to facilitate these collaborations. Thanks to our partner, FOSS United Foundation, for supporting us through this event.
FOSS United Foundation has monthly meetups in Bangalore. You can keep up with these meetings and participate on their Telegram channel. The links to all the pages and Telegram groups I have mentioned will be shared in the chat on Zoom and YouTube. And, okay, that's it. I am now going to hand it over to Sonali, who is an associate at 9.9 Insights and a strategic advisor at Albright Stonebridge Group, and will be moderating this discussion. Before we get started, please note that you can leave your questions in the chat box on Zoom or on YouTube. We do have a dedicated time slot for Q&A, during which participants on Zoom can use the raise-hand feature to get our attention, and then you can ask your questions. Over to you, Sonali.

Hi, thanks, Neeta. Good evening, everyone. So, like Neeta already mentioned, over the course of the next hour or so, we'll be discussing the CERT-In guidelines. These guidelines were released on April 28, and they're aimed at enhancing cyber incident reporting and security practices. This session will primarily focus on understanding two aspects: the impact that these directives have on privacy and business operations today, and the potential methods for stakeholder engagement to allay concerns. The latter would, of course, not only focus on the CERT-In guidelines per se; we'll also sort of look at the other emerging regulations and how we can approach stakeholder engagement for tech regulations at large. Our panelists for the session include Mr. Srinivas Kodali, an independent researcher; Ms. Ruchha Mukherjee, the Director of Public Policy and Corporate Affairs at PayU India; and Mr. Prateek Waghre, the Policy Director at the Internet Freedom Foundation. Welcome, all. So before we delve specifically into the CERT-In directives, it is important to note that these guidelines, of course, do not emerge in a vacuum, right?
They've been released in the backdrop of a regulatory revamp, of sorts, of the tech ecosystem, with the draft data protection bill, a non-personal data framework, a data governance policy, and a potential amendment to the IT Act all being delivered simultaneously. The IT Rules of 2021 and, of course, the various draft policies released in the past year or two cumulatively indicate a trend towards increasing compliance burdens for business entities. These, of course, are likely to raise costs and operational challenges. The CERT-In 2022 guidelines, in that sense, add to the slew of such onerous regulations, right? So, of course, this is not the first time that CERT-In has issued cybersecurity directives. We know that the 2013 IT rules, which mandated data storage and reporting requirements for cybersecurity, can be seen as somewhat of a precursor to the 2022 directions. CERT-In also issues advisories from time to time, and its 2021 advisory on preventing data breaches and data leaks also discusses similar issues. However, the concern with this specific 2022 directive is that the proposed compliance is more onerous compared to not only the previous guidelines but also global best practices. It introduces requirements like reporting cyber incidents within six hours of becoming aware. Sorry, I think I got dropped there for a minute. So yeah, like I was saying, the CERT-In 2022 guidelines introduce compliance requirements. Some of them include things like having to report cyber incidents within six hours of becoming aware. What is a reportable incident has again been expanded broadly to include things like unauthorized access to social media accounts. There are time synchronization requirements. Entities are also mandated to designate a point of contact to interface with CERT-In. They have to maintain logs of ICT systems for a rolling period of 180 days. And there are many other such requirements, right?
These are only some of them. And while we will be discussing the specific implications of these requirements as we progress with our session this evening, it is worth noting that the industry has already been responding to these directions, and most of them have perceived them as being cumbersome and unclear. Most of them have voiced concerns around issues like heightened compliance costs; questionable implementability and scope, especially given how these directions sit with global data privacy laws like GDPR; and also the potential privacy implications of the direction in itself. While we understand that some of these ambiguities have been clarified by the FAQs released earlier this week, during the course of the next 50 or 55 minutes or so, the panelists will discuss the challenges and questions that businesses face if these directions were to be implemented as is. The Minister of State, Rajeev Chandrasekhar, has of course publicly stated that compliance is mandatory and that entities unable to comply should not operate in India. He has also claimed that these directives are less stringent than those of many other jurisdictions and that the requirements are imperative for ensuring cybersecurity. In this light, I think we will also discuss, of course, mechanisms that stakeholders can opt for to engage with the government, for this directive but also for the slew of other tech regulations coming up. We will be exploring options like the scope for building coalitions, having consultations, and legally challenging the directions, if at all possible, since that's also something stakeholders have talked about. So I would now hand it over to Mr. Kodali, and I would also request Mr. Kodali to highlight the technical challenges that entities might face in implementing these guidelines, especially with requirements such as time synchronization, reporting timeframes, and log maintenance. Over to you.
Hi. So I think the challenge to businesses, primarily, in implementing some of these guidelines is resources. What CERT-In is asking them to do is constantly log every action of everyone accessing any of their infrastructure, whether it is legal access or illegal access. You don't know, right? Like, if you are maintaining a service which is open for everyone, you don't know who is actually accessing your services. I'm not saying that there are certain operations that are regulated; there are some operations which are unregulated, and you really don't know. It depends on the business and the kind of sector the business is in, where these businesses tend to store some data for their own internal requirements or tend not to store any data when they're offering it as a service. So, both Direction 4 and Direction 5 of the CERT-In directions: Direction 4 says everything needs to be logged for 180 days, and that includes SSH access logs. It includes, if you're a cloud service provider (I'm assuming here, because these directions are never clear; even the CERT-In clarifications of the directions are not clear enough), everything that your clients do. You're pretty much required to log it. Now, that could be HTTP access logs, SSH logs, and there are also error logs and whatnot, so pretty much everything needs to be logged for 180 days. Now, the volume of these logs can get pretty high depending upon how big your business is, and storing the logs of customers who are temporary customers, who may be using your cloud services for just a day or just a few hours, for a company of the size of, say, AWS or even Microsoft Azure, could be so high that storing data for 180 days could incur significant costs on electricity for no reason. Right.
And it's important to understand here why they are saying 180 days. 180 days is again a standard legal requirement when you look at the telecom sector for storing call data records, or if you even look at the Aadhaar judgment and the storage of metadata for Aadhaar transactions, it's limited to 180 days. It's an assumed standard in India, so that's the reason they're saying 180 days, a bare minimum of six months. Now, for the industry, it's not an issue of technical requirements; it's the issue of the cost of storage and operations, right? That will be the primary problem here. Now the numbers will go up for compliance, and I believe that's the reason they are opposing it primarily. But if you look at Direction 5, which is for VPN service providers, that kills anonymity for good. Now, while CERT-In, in clarifying these directions, has said that Direction 5 is only for VPN service providers and not for corporate VPNs, right, Direction 4 still applies, where cloud service providers who may be offering individuals the ability to set up their own VPNs (like anybody can set up an OpenVPN if you have a server) are still required to log all of the transactions that are happening, and they're required to give it to CERT-In, except the time period is less compared to Direction 5. Now, apart from this, the first direction, on time synchronization. I think if you look at global standards, right, like NIST, the National Institute of Standards and Testing in the US actually offers a host of time servers; anyone can point their machines' time servers to the NIST NTP servers. Now, that's optional. The issue here is the mandatory nature of it, saying that, look, we need to ensure that any cybercrime incident can be responded to by CERT-In, so we want everyone to sync to Indian time zones. Now, the difficulty in doing this is if you are a multinational firm where you're trying to synchronize your times within your corporate networks.
It could be challenging to sync it only with the Indian network servers, right, the NTP servers that CERT-In and India are providing. It would be near impossible unless you isolate it and have your own internal network for India only. If corporates and similar business structures have already done this, great. But if you have to move to something like this, it could again be resource intensive, and it is something that companies may not be looking forward to doing. Like, if even certain cloud service providers like Google Cloud or Azure or even AWS have to do this particularly for India, I think they have to change their entire business operation mechanisms for India specifically. Now, for smaller firms this could be a challenge, where doing all of this is so hard that they'll just quit, and the Government of India will say, why don't you do that, like we don't really care if you're so small; and for the big businesses, they're going to force them to comply somehow. And we have to wait and watch where this is going to go. Thank you.

Thank you, Mr. Kodali. We'll of course discuss this in more detail and bring in some questions after we're through with introductory remarks, but I would now like to bring in Ruchha, who I feel could just highlight a little about how PayU and its peers are thinking about complying with these guidelines. And, you know, given a 60-day timeline, the minister is saying that it's adequate time, you only have to comply with the reporting requirements in 60 days, and there's no real resource that you have to build or infrastructure that you have to institute to get this going. So as PayU, what are some of the key challenges that you are envisioning? How do they compare with prior regulations, and do you think you'd be able to comply with this?

Sure. Thanks, Sonali, for setting the context, and thanks, Hasgeek, for having me in this discussion. Very pertinent, very important that we are having this discussion today.
First of all, I would want to start with CERT-In and their worth to the cybersecurity ecosystem in India. I mean, I've been interacting with CERT-In for the last so many years, and they've been really instrumental, along with the National Cyber Security Coordinator's office, etc. So these guidelines have come, and they also have a history of why they have brought in these kinds of guidelines, because there were certain segments which were not directly accountable to CERT-In, because they said the customers are the ones who are directly responsible to CERT-In. But nevertheless, let me just start with what these directions are and how they are going to impact the fintech ecosystem, since I represent fintech. So let me just broadly talk about the fintech ecosystem. So the guidelines as they came out on April 28 have a stringent applicability of within two months, so that leaves us with about 40 days' time to implement. And just now only we have started to have discussions internally within PayU, or within any organization. So I would say, with all the guidelines, with all the circular, even though CERT-In is not a regulator, CERT-In is not a regulatory body, it still has its role as a quasi-regulatory body, just like NPCI is, and all the guidelines that they have laid out, if they are implemented in the current form, will have wide-ranging, unanticipated impact on the internet ecosystem in India. While I do understand the good intentions of CERT-In, I really feel, I see that it can dramatically increase the administrative burden both for the industry as well as for CERT-In. Like, as I will talk about in my subsequent points, how it's going to, you know, increase the burden for CERT-In as well.
The guidelines cover just about anybody who is connected to the internet, whether it is a service provider, corporates, companies having data centers, cloud service providers, government organizations, and even foreign companies which serve Indian customers. So my first question is whether my organization is covered under this. I'm assuming it is, because we are a service provider in whichever form. So for us, for the fintech ecosystem, Sonali, there are broadly three to four points I would want to highlight. I'll just call them out and also talk about the justification, sorry, the challenge that it might have for the ecosystem. So first and foremost is reporting incidents within six hours. Any entity has to report the cybersecurity incident within six hours of noticing the incident. This can be done via email, fax, phone, etc., as per Annexure I; that is what the guideline says. Now here I want to emphasize that while the initial view of the incident, or the notification, can be reported within six hours, a detailed RCA will of course require quite some time in hand. There have also been talks in the industry about why six hours is being stipulated, because normally the global standard for this is about 48 to 72 hours, and I think till this point of time we were going by that timeframe of within three days, within 72 hours of it coming to notice. So six hours looks like a stringent one. And also, sometimes what happens is, if it is very sophisticated ransomware, you just spot it, but you cannot report it immediately because you do not know how it will manifest. So six hours, I would say, is a very short window to actually understand what sort of ransomware or malware has impacted you. Sometimes, I would say most of the time, it will take more than the stipulated six hours. That is number one.
Number two is that the circular, the guidelines, practically cover all the incidents that could possibly happen, which need to be reported. So it is as simple as a spam notification, which any individual gets, like so many of them, at least, I would say, 50 or 60 sometimes, if you look at our email. So I don't see any point in reporting those, because that will just, you know, create logs and logs of it. And what I was discussing within PayU and within the industry is that we need to really define a severity methodology wherein only the most severe of the transactions, or whatsoever they are, are reported within the timelines defined. Third is about the crypto exchanges and wallets. Since we also operate a wallet, the KYC details have to be kept for five years. It's kind of what most of the industry is doing at the moment, but still there are some. This is not that much of a concern, because, you know, some of the deadlines which are mentioned here, or the timelines that are mentioned here, are still covered by the sectoral regulator. I don't remember what it is for wallets, but that is still not that much of a stringent one. Also, I think we want to understand that when CERT-In says that we have to report all kinds of transactions, and they have laid out the list of these and other things that we have to report, what is CERT-In going to do with those transactions or with those kinds of reportings? What will the incident log look like, what would be the audit mechanism, and what happens after that? So as an industry, as a fintech ecosystem player, we want to really understand that. Next, and I would not dwell much on that, is the cloud service provider point, which the previous speaker, Srinivas, had.
He covered that. I was earlier working with a cloud service provider, and I really understand where these notifications are coming from, that all the data, all their logs, have to be reported, because it was essentially the customers' thing that CERT-In was asking for. So I will skip that part. The next one is maintaining logs for 180 days in India. All the fintechs have to mandatorily enable logs of their ICT systems. Now, ICT system, what is that exactly? That has not been elaborated upon. And they have to maintain them securely for a rolling period of 180 days. So this again is kind of covered under the RBI guidelines. So it's doable. It's challenging, but it's doable as such. The next thing is that CERT-In can order actions and demand information on a real-time basis. So I just don't understand, you know, what is the logic of that. Really, we would need to know what kind of information CERT-In is going to demand if it's going to be real time. It's going to be a challenge. My last point is on the point of contact. That's a very valid point, and I think in all my interactions with the RBI supervision department and even with CERT-In and even with the NCSC, they have always been saying that a point of contact is something each organization should have and should pass on to the regulators; that essentially, you know, helps if anything goes wrong. So that person can be contacted and things can be done; things can be audited very well, and incident response management can be taken care of well. So that is one thing which is a good practice, I would say. Should I highlight some of the concern areas now, or shall we move to the next speaker, Sonali?

We can discuss that in more detail when we come to the questions. I would now move on to Prateek.
Prateek, you know, we've been hearing about these two divergent schools of thought, almost, about the legality of the directions. Now, could you shed some light on that, and of course also elaborate on what the common perception of industry has been so far vis-a-vis these guidelines?

So let me first point out that I am not a lawyer, right, so you should not take it from that perspective. I do want to highlight some of the broader concerns that, you know, we as IFF had with the directions when they came up, right? The first was the fact that these came around without any sort of public consultation. I think this is a general trend; it's not restricted to these. We also had the Minister of State's statement saying that this is not required because it doesn't affect the aam aadmi, and I think we differ with that, because it may not be directed... Okay, my video is frozen. Can you see me? Okay. So yeah, so you know, we can have a line in the FAQ saying that this is not meant for individuals, but it does affect individual users, and that's where a large concern for us comes from. The other one was about ambiguity with its scope and in the phrasing of the directions, and I think both Srinivas and Ruchha have pointed out some of the things that were ambiguous, that seemed like they were hard to interpret. Yes, there is an FAQ that has been released, I think officially, finally. But even with that, there are still, you know, a lot of question marks. In terms of the NTP synchronization, they've said, okay, you don't have to synchronize with IST, but you still have to ensure that there is no deviation. How does that work? These are complex processes, right? These are things that would have ideally come out in an open consultation kind of process.
The third area is around, you know, penal provisions, right, which ties back to ambiguity. So when you have a set of directions that have a lot of ambiguity, and people are generally unsure of what applies to them, what doesn't apply to them, how to respond, and then you add penal provisions in there, which can include a prison term as well, in this case, based on the section of the IT Act that they refer to, that's also a huge area of concern. And of course, you know, the final point, again, and this is the direction that's happening with most regulation that's coming out right now, is that they're all happening in the absence of a data protection bill. And so from an individual user perspective, from a privacy perspective, that's certainly an area of concern as well. Thanks.

Thanks, Prateek. Just to follow on from what you mentioned right now, you know, the government had said, we did have closed-door consultations, and we didn't make it available for public consultation, the reason being that it's not something that impacts citizens per se. From what we understand, there were only like three to four companies who were invited to this closed-door conversation. However, in your experience, not only with the CERT-In guidelines but, you know, other regulations also, what would an ideal process be like? We've seen with the PDP Bill, there have been iterations of the draft itself, but there have also been a series of stakeholder consultations, right? We saw there were a bunch of actual depositions before the Joint Committee; the ministry made it officially open for comments. Now we know that the ministry has, since about December or January, been receiving informal submissions. So what would an ideal situation look like? How should it be?
So, you know, there's no single good answer for that, right? But having said that, I think it's understandable for someone to start with, you know, a smaller group for the initial consultation, just to frame and have something in place. But then, you know, with that as a working example, that's when you open it out for public consultation to get feedback. And, you know, it's easy to interpret public consultation as not only a member of the public, but even companies that haven't had the opportunity to provide feedback into the process would have done so via a public consultation process, right? So again, it's not just the aam aadmi, right, it's also the companies that would have come in. Right. So ideally, you know, you do want to open it up for public consultation. There is a pre-legislative consultation policy that's in place. Yes, you can say that this is not really, you know, legislation from that perspective, but that has certain guidelines, certain principles that you can adhere to, in terms of providing people enough time to respond, right, then being transparent with the responses that you get, right, posting those. Again, that's a practice that we've seen is not really being followed, right? They also cite that sometimes the responses themselves are confidential and things like that, right? For a public consultation process you need to be transparent about things like that, right? And, you know, then working through that incrementally. What's on the other side is that it can also turn out sometimes the way some of the consultation for the data protection bill has gone, protracted, and it's gone across multiple years, and we're still not sure when that bill, you know, will actually be passed.
But, you know, it's about finding that middle ground in between them, but certainly coming out without any sort of public consultation is definitely not the right way to do it.

That makes a lot of sense, actually. Following on from that, Ruchha, you know, as a member of the industry who was not invited to the consultation, have industry stakeholders actually been in the process of developing submissions? Have coalitions been made? We know that some industry associations are planning to submit comments on the guidelines, but given how short the timelines are, and given that it's supposed to come into force in about a week's time, what is the scope to engage, also after the comments that Minister Chandrasekhar has made?

So, definitely, in this industry consultation, an industry submission is a must. And what I'm seeing is most of the chambers and the associations are getting ready to make submissions, and we are also in the process of sending our submission via the associations. And I think, as a part of the tech ecosystem, all the possible associations, whether it is IAMAI, NASSCOM, IndiaTech, DSCI, we are all going to give our submissions; we are all going to raise our concerns and challenges with this kind of guideline. So that is the first step, and then of course there are certain organizations which are deeply impacted by this. They can also think of having a direct engagement with CERT-In as such.

That makes sense. Yeah. Thanks. So, Srinivas, you know, I think the clause which has attracted the most media attention is the six-hour reporting requirement, right?
The ministry has said, you know, you look at jurisdictions like the US and Singapore, which have these three-day, 72-hour timeframes, but the minister has come back and said, you know, why don't you look at Indonesia, which has a one-hour reporting requirement, or France, which has a four-hour reporting requirement. So I think the question now is not about who does what; I think it's about what is technologically viable and what is absolutely essential for mitigating any potential risks. From a feasibility perspective, like, how are you thinking about it? Do you think it's actually possible to implement that six-hour timeline?

See, I think it's definitely feasible if you're a large organization which has three-shift staff doing eight-hour shifts, 24 hours. But if you're a small organization where you're letting your DevOps team go to sleep, and we have some hacker in the US attacking you at 1 a.m. in the night, I don't think you can report it by 7 a.m. in the morning. Okay. So it's a question of operations and how big you are. Now, I think the minister's statement is actually directed against large players. And large players are usually the ones who have not been compliant, and when I say large players, also multinational platforms who have kind of ignored the Indian regulatory setup for a really long time. Now, whether it's six hours, 24 hours, or 72 hours, the matter of fact is, what will CERT-In do with it? Okay. So for a longer time, the cybersecurity community has been actually reporting incidents to CERT-In, hoping it will actually respond to an emergency. Okay, it never does. And, as someone who has sent some of these incident reports, I know the reply time period can range from a few hours to a few months, unless you send in a journalist to CERT-In saying, look, I've sent this important emergency incident vulnerability report to CERT-In, but they haven't reacted to it.
One day a journalist goes for a quote, and they realize, we're going to fix it. I mean, so the way CERT-In operates, they're not equipped for it. The entire cybersecurity industry is kind of self-regulated; CERT-In kind of empanels a host of cybersecurity organizations who then go and provide services to a lot of these companies. CERT-In as an organization is not equipped to handle these emergencies. I mean, they're trying to do that now; there's a lot of pressure on them to address a lot of cyber fraud incidents, especially fintech-related fraud. If you have seen the kind of UPI fraud that's happening, people losing money, social engineering, there is a host of cybersecurity incidents that are happening. Also, we have become an increasingly digital society; with COVID everyone went online. There's a huge pressure on the Government of India to do something about it. But the way they are trying to respond to it is something that may not yield anything good. What you might eventually end up with is a lot of noise, with every minor incident being reported to them, and they don't know what to do with it.

No, that makes sense. And also, you know, when you're thinking about this six-hour reporting requirement, something that's also worth thinking about is, what is it that we have to report within those six hours, right? Because if it's a bigger attack that we're talking about, then it might make sense. However, we know that the list of reportable incidents has almost doubled, from 10 to 20 now. And, you know, Ruchha previously talked about how something like a spam email, like how do you report that, and how frequently do you report that, because of the high frequency of such incidents. And then, globally, another thing that's been talked about is unauthorized access to social media accounts. You know, sometimes entities might not have visibility of such incidents. How do you tackle those cases?
So does it then become only a small-company issue, or can, like, you know, say a bigger entity, the Facebooks and Twitters of the world, can they also not implement these in the letter and spirit of the directives?

See, I believe what they're trying to do is actually prepare for a cyber warfare kind of scenario. But right now, if there is actually a cyber war on India, CERT-In would never know it. It would be companies and all these people who get affected by it, like the entities who actually get affected by it, who would know it, right? Now, there are no systems in place for CERT-In to actually understand what's happening over cyberspace. So it has never, in the last decade of its existence, since 2008 when CERT-In was formed out of the IT Act amendments, we really don't know what they have done, right? If you actually go and look at their annual reports, you will have a bunch of numbers: so many incidents have occurred, but we don't know what they're doing about it. And I think there was a news report today that they're going to make CERT-In not reply to any RTIs, exempt from RTIs. Okay, so what you're doing now is you're trying to prepare a national security apparatus, which will potentially actually respond to cyber warfare scenarios. But to do that, they're saying every other entity needs to prepare for emergencies, and we will only ask you for these logs when there is an actual emergency. So to know there is an actual emergency, you will have to consistently reply, respond, to every single incident. So if there is a parallel set of incidents, there are probably 100 incidents of a particular kind, they know there is something big going on. So CERT-In is not making this part clear. I mean, for anyone who has followed CERT-In for a longer time, and the Government of India's policies, it is very clear they're trying to ramp up infrastructure.
But they can work with the Indian cybersecurity community and even Indian corporates to do it the right way. What they're doing is not actually going to help them. So that is why it's important to ask some of these questions and bring some accountability on them. Because even if there is a cyber war, they don't want to be accountable and they don't want to tell you what went wrong with it.

Understood. You know, having a national security apparatus sure sounds good, and maybe it's the need of the hour as well. Pratik, I'd like you to come in here, because the timing of these guidelines is very interesting to me. So I'm thinking there is a data protection bill that's been in the works for very long. There are severe privacy-related risks that emerge from these directives as well. For example, the data protection bill talks about data minimization, but this is anything but that, right? You're talking about 180 days' worth of logs, etc. Also, it conflicts with some of the provisions of the data protection bill. The bill, for example, talks about reporting a breach within 72 hours to the data protection authority. This has a very different provision for the same thing. So do you think they should perhaps have waited for the data protection bill to kick in and then brought in these guidelines? You're also talking about the IT Act amendment, which might also have been another avenue through which some of these could have been brought in. So is the timing something that makes sense to you, or how do you see all of these in parallel?

You know, that's an interesting question and a tricky one, right? Because, in the sense that, look, the issue of, let's say, reporting to the DPA versus to CERT-In: they're essentially two different authorities. So theoretically, yes, you can have different timelines of reporting to each of them. That in itself is probably okay.
Now, I think we've spoken enough about the duration of the timeline and the potential for gradation of different types of attacks, etc., that you should report. But I think what's important here, as you just pointed out, right, in terms of process, is that this should have happened the right way. It could have happened, yes, you could have done it before you overhauled the IT Act, you could have done it after you overhauled the IT Act. Obviously, the government saw some pressing need to do this now. And that's, I guess, okay. But it again goes back to the method of doing this: instead of taking the industry into account, instead of going to a broader consultation process, it's been pushed out like a dictate, right? And I think that's where the fundamental issue is.

That makes sense. Now we have questions coming in from the YouTube live stream. Someone's asking: are companies allowed to disclose to their users that their data was sent to CERT-In, and the reasoning for why? Richa, what is your understanding on this? Do you think someone like PayU will have to disclose to its customers that the data was sent to CERT-In?

So it really depends. Ideally, not just at PayU but in my past experiences in various organizations, suppose any government, not government, law enforcement entity seeks the customer data. Unless it's a terrorism-related thing, we normally inform the customer that your data is being shared. So I think that is the stand that the organizations are going to take. But I think we don't have any clarity in these guidelines. It also depends on the company's policies. But this is what I'm assuming, that the organizations will have to report to the customers that your data is being shared.

Yeah. Also, there's another question on... Sorry, Srinivas has something to say.
I just want to add, like, I think there were a couple of statements which were made by some insiders. They were saying that, look, all this logging that we're asking you to do, even though the directions actually say we want real-time data, but they're like, we only need it when there is an incident. So when there is an incident, we're going to get a court order or issue directions under Section 69 of the IT Act. Section 69 of the IT Act allows a set of government agencies to decrypt any encrypted information and intercept information, essentially. It's a very national-security provision. Now, if you're being issued an order under Section 69 of the IT Act, I don't believe you can disclose that to your consumers. A lawyer could give you a better opinion, but we haven't seen any Section 69 orders. I believe the first kind of censorship orders that we are seeing is through IFF's, one of the cases. And these are encryption, decryption-related orders, which they don't want to ever disclose. So it's very unlikely to see them.

That's quite interesting. So in that case, users will be oblivious to the fact that their data has been shared with CERT-In. Also, someone's asking if there is going to be transparency in the process and reporting on how this data is requested, used or stored by CERT-In. And, you know, Srinivas, with what you mentioned earlier about CERT-In being excluded from the ambit of RTI, that might again be a question to look at, but any idea about how transparent this process would be?

I mean, for the past 10 years, none of CERT-In's operations were transparent. I mean, if you look at some of the major breaches that happened during the COVID period, BigBasket, MobiKwik, Air India, Domino's, CERT never reacted to any of them. So the question is, forget transparency, is there any accountable answer? None.
And it kind of extends to multiple other organizations, but we haven't seen CERT being accountable or doing anything significant unless you go to court.

Right. Right. That's interesting. Richa, one question for you. Srinivas was earlier talking about the big-versus-small-company distinction and being able to comply with these guidelines. As PayU, how do you see it? And you were talking earlier about some of the concerns that PayU specifically has with these guidelines. So I would love to hear more on that.

Yeah, sure. So I think there are two to three concerns that I would see any fintech organization would have. First was, of course, as we have been talking about, the six-hours thing: six hours is too short a window. You are not able to analyze what the specific SLA is, what details you can conclude, and you definitely need to carry out root-cause analysis. So the six-hour window is definitely a concern area. Second point: normally what we do in the fintech sector is, each organization defines its severity mechanism, its severity methodology, in terms of what it will be sharing with RBI, and this is with PCI also. So is it fine that the way companies have been defining severity for cyber incidents will be applicable and acceptable to, say, CERT-In, just like we share it with RBI? Or what sort of incidents are we going to share? I mean, it cannot be all, right? Number three is, what is expected to be reviewed and approved by the auditors, what benchmark will it be, now that the audit will happen, as they say, by CERT-In-empanelled auditors? Public consultation, I think Srinivas has already spoken about. There was one more thing I wanted to talk about, yeah.
In terms of... there is no clarity on the processes and the grievance redress mechanism in place after an incident has been reported to CERT-In; so what will happen after that? Those are some of the questions and the concerns that we have from the fintech perspective.

Understood. And what about the ease of compliance, you know, within a week's time from now?

No, it is two months, right? So April, May, June, we have 40 days, right?

Yeah, sorry, by June 28.

Yeah. Yes, so that is again a challenge. I think that will have some amount of cost; dedicated resources have to be employed for that particular thing, so of course it has the administrative burden, the compliance burden. All those things are of course in the picture now.

Understood. Since the FAQs were released earlier this week, there has been talk about the good and the bad of it. So if you could just shed some light on whether the FAQs have been helpful at all, and if so, whether they are exhaustive. And maybe each of you could talk a little bit about what clarity the FAQs bring, if any at all.

Yeah, sure. So, look, it's hard to characterize a 40-odd-question document as good or bad. But I will say that yes, on certain points they have added some clarity, but as I was saying, a lot of questions still remain open. For example, with the bit about the NTP synchronization, right: what does it mean to say yes, you don't have to sync it to IST, but you also have to ensure no deviation? Now again, this is outside my area of expertise, and timing is a very complex process. But how does that work, etc.? So there are still a lot of questions that remain unanswered.
I'm struggling to recall one at this point that still left me asking more questions, but on the balance of it, some added clarity, but we're far away from having full clarity. And then there's also the point that, look, the FAQ, the supporting document, is not a legal document by itself; it has no standing as such, right? So yes, it can add some clarity, but ultimately it's the directions themselves and the wording of the directions that really matters, right? And I think that's where most of the challenges are.

Srinivas?

Okay. Yeah, I'm one of those people who was actually asking CERT to do something. Because when these large-scale data breaches happened, we actually wrote to CERT saying, why are you not investigating this? Right. Now, suddenly CERT is like, oh, I've woken up, I'm going to investigate everything. I'm looking at two ends of the spectrum, right, and neither of them. Now, how can people oppose this, what do we do with this? I think a lot of companies are going to oppose this; it has already been made clear there are associations which are trying to send some responses. But whatever you do as a citizen at this stage, unless you're going to the courts, or unless you're actually going to show up in front of the MeitY office, I don't think they care. Because the last time we sent them letters asking them to take some action, at least tell us if there was a breach, do some audit, they didn't respond at all. And then when we sent them a legal notice... so CERT has a citizen charter, and the citizen charter has a citizen coordinator who is actually supposed to reply to you for any queries that you have within 30 days. He sent a reply saying that you don't have to tell us what we have to do. When this was put in front of a judge in the Delhi High Court, the judge was furious: what sort of reply is this?
Okay, so they are very... I don't know what sort of experience Richa has as a representative of a company, but if you're an aam aadmi, CERT really doesn't care about you. And if you're a cybersecurity researcher, I believe everyone's pointing to the 2014 guidelines, but there were 2021 guidelines last year, which talk about how cybersecurity researchers can report to CERT. There is a clause where it says that, you know what, even if you report some of the security incidents, it doesn't mean that we are not going to arrest you. Okay, so it's like, we don't care what you do. So none of the processes in any of the setup have been accountable. Now, if the question is who should make CERT accountable, there is something called the Parliamentary Committee on IT. Unfortunately, the parliament's not working. So it's back to the people to pressure them, saying this is going to affect us; go to court, shout, the max you can do is this. But businesses do have leverage, saying this is going to impact us. And I think at the end of the day, it will be what businesses say.

Well, we certainly do hope so. Richa, thoughts on the FAQs?

Yes, so I will just tell you, to Srinivas's point. I was interacting most with CERT-In when I was with a company called Swift, and they had to open up a joint venture and I was part of it. So that was the time, 2015 to 2017, when most of the cyber heists were happening, not only in India but outside India also, starting with the Bangladesh Bank, the central bank.
And then in India, Union Bank of India and several other banks. So that was the time I was most interacting with CERT-In, because of the cyber heists. So we were informing them of whatever incident was happening where Swift's name was there, and we were reporting to them, but it was also only on our own, like Swift came out with a cybersecurity programme, so it was up to an individual organization how it protects its consumers, how it protects its customers, because at that time Swift came out with the Customer Security Programme, the incident response mechanism, the five pillars, etc. That is one part. Second part, whether the FAQs have helped the ecosystem or not: I don't know, I really don't have an answer to this, because after I saw the guidelines and then I read through the FAQs, that does not give me much clarity, I would say, so to speak. I have read it like twice. There are a lot of questions, there are still a lot of clarifications and uncertainties there. I think the best thing would be to have multiple public consultations, because one or two consultations would not suffice. So I think, for any healthy ruling or any directions to come out at such a scale, we need open consultation. So that is my take on this.

That's a very valid point. Next we have a question in our chat box from Sergei Shmati, who's asking, and who's qualified it by saying that he knows there are no lawyers here, what are the legal grounds on which this directive could be challenged? Now, we've seen in the case of the IT Rules that how helpful legal challenges can be is questionable. However, one reason this could be helpful, like the entities were saying, is Section 87(2)(zf): because these are not being formulated within that specific clause, that could be a potential reason. But if anyone would like to take this question and respond to it?

I have no idea, no legal background as such. Okay.
I think I'm reiterating this as well, no: these directions are not... like, CERT is not a regulator or quasi-regulator, so these are mere directions. Now the penal provisions, we don't know; only when they issue these orders, there's a judge who is ordering you to do something, or there are the Section 69 orders. But I don't think the Government of India has the power to force you to log without... like, there are a host of laws. If you do this thing called digital certification, right, like digital signatures, the Office of the Controller of Certifying Authorities makes it mandatory for all digital signature logs to be stored for seven years. Okay, even RBI has a few provisions; each regulator has a few provisions right now. These directions don't have the backing of a parent act, from the way I see it. So they can't force you to start logging. Now in terms of challenging, like, you cannot comply. But then there is always this threat of going to jail. You can challenge it. In terms of the grounds for challenging, I think privacy is one of the grounds, of the customers. But you can challenge a few parts of the directions, which is mandatory reporting. I don't think you can say that all of these directions are bad and I want all of them gone. Some of them can be taken away completely, like the VPN logging can be taken away for good. What is likely going to happen is more clarity on the timeframe and the costs. Right, like that is something that the industry is going to negotiate. They can't say no to it entirely, but some level of agreement or compromise will happen. But I don't think any court is going to take this away, because if you look at the other judgment, where the idea of metadata, and controlling and regulating metadata, and allowing governments to have metadata for a period of 180 days... that is going to influence any legal challenge. Now, I don't know if there is any good ground to challenge the direction for...
Yeah, the NTP, again, if you're an Indian company, I think you'll be forced to. If you're a multinational, they'll probably give you some relaxations, and yeah. So it's not like we can challenge all of the directions; not going to happen.

That's very helpful. I think we are almost done with our time, but before we close, I wanted to take quick remarks from all of you about what the next steps are. What should be the next steps in stakeholder engagement? How should companies be thinking about it? How should business entities be thinking about it? And especially in light of the fact that we discussed how CERT-In is a very unique stakeholder in that sense. Even though it's part of a ministry, it's not one of those usual ministries that you have to deal with. So from that perspective, what do you think the next steps should look like? Pratik, over to you.

Yeah, I mean, I think I'm just going to reiterate, right? A lot of what we've said is that, look, I think there needs to be a transparent consultation process, with more industry involved, with the aam log (ordinary people) who care about this also involved, right?

Perfect.

I think there needs to be a lot of pushback, a demand for what CERT is doing in terms of both transparency and accountability. But I think it's not going to happen. I'm being very realistic here. Yes, companies do have some power here to negotiate, but the MRP might be on the road for good. At the end of the day, you are going to lose some part of your rights. But I think, as I was saying before, CERT-In has a citizen charter; go to CERT-In's website. If you're a citizen or any cybersecurity researcher, you're not a company that is implementing these rules, but you're concerned with it, then I think the only way to engage with CERT-In is through their citizen charter. Well, companies know what they have to do.

Perfect. Richa?

Yes.
So as I mentioned earlier also, I think the technical submission to CERT-In via associations, all possible associations, whichever organization one is part of, one should give. And along with the challenges and the concerns one has to raise with CERT-In, if possible, leveraging their experience, global experience or local experience, one can also put forward suggestions, or the global standards or best practices, in the submission, so that we have the holistic picture of what can be done right, or what the proper timeframe and timelines are, etc. So along with the concerns and challenges, I would say let's put forward some suggestions as well to CERT-In via associations.

Thank you. Thank you, Richa, Srinivas, Prateek, for your time. It's been a pleasure interacting with all of you. Neeta, over to you for the closing session.

Thank you, Sonali.