loader

Disclaimer

The Bar Council of India does not permit advertisement or solicitation by advocates in any form or manner. By accessing this website, www.khaitanco.com, you acknowledge and confirm that you are seeking information relating to Khaitan & Co of your own accord and that there has been no form of solicitation, advertisement or inducement by Khaitan & Co or its members. The content of this website is for informational purposes only and should not be interpreted as soliciting or advertisement. No material/information provided on this website should be construed as legal advice. Khaitan & Co shall not be liable for consequences of any action taken by relying on the material/information provided on this website. The contents of this website are the intellectual property of Khaitan & Co.

Please accept the above
PROCEED TO WEBSITE
Close

Search

See all results for ""

Telecom Cyber Security Rules: A Framework to Bolster Security in the Telecom Sector

download
09-Sep-2024

Introduction

On 28 August 2024, the Department of Telecommunication (DoT) published the draft Telecommunications (Telecom Cyber Security) Rules, 2024 (Rules) in exercise of the powers conferred under the Telecommunications Act, 2023. The Rules are designed to ensure ‘telecom cyber security’, which essentially refers to use of policies and processes to address emerging cyber security threats and ensure the integrity and security of the telecommunication networks, services and infrastructure across India.

These Rules, which will be taken into consideration after expiry of 30 days from the date of publication, impose compliance obligations on ‘Telecommunication Entities’ i.e., any person or company providing telecommunication services or establishing, operating, maintaining or expanding a telecommunication network and includes licensed telecom service providers (Telecom Entity).

The Rules supersede the erstwhile rules framed under the Indian Telegraph Act, 1885, namely the Prevention of Tampering of the Mobile Device Equipment Identification Number Rules, 2017 which were introduced in 2017 and thereafter amended in 2022 (MDEI Rules).

Key provisions under the Rules:

  1.  

Power to seek traffic data: The Rules empower authorised agencies to seek traffic and other data from any Telecom Entity and to direct a Telecom Entity to establish necessary infrastructure and equipment for collection and provision from designated points, coupled with provisions that require such government agencies to prevent unauthorized access or use of this data. Such data collected may be analysed for improving telecom cybersecurity and be shared with relevant government agencies or telecommunication entities or users.
  1.  

Reporting of security incidents: Telecom Entities are required to report any ‘security incidents’ to the Central Government within 6 hours of its occurrence. Importantly, ‘security incident’ is defined in an extremely wide manner to include any event that has an actual or potential adverse effect on telecom cybersecurity. Such report must include details such as the number of users affected, the duration of the incident, the geographical area affected, the extent of the impact on the network or services and remedial measures taken. The Central Government may also require the disclosure of certain incidents to the public if deemed necessary in the public interest. The Central Government may also require the impacted Telecom Entity to undergo a security audit by a certified agency and implement suggested remedial measures.
  1.  

Other obligations of Telecom Entities: Telecom Entities have several obligations under these rules, including:

 
  1.  

Appointment of Chief Telecommunication Security Officer (CTSO): Each Telecom Entity is required to appoint a citizen and resident of India as a CTSO and notify such details to the Central Government. The CTSO is responsible for coordinating with the Central Government to ensure compliance with these Rules including any reporting requirements under the Rules.

 
  1.  

Adoption of cybersecurity policy: Telecom Entities must adopt a comprehensive cybersecurity policy that comprises of security safeguards, risk management approaches, and best practices, and consequently put in place measures to enforce such policy.

 
  1.  

Network testing and risk management: Entities are required to undertake regular testing of telecommunication networks, including vulnerability assessments and penetration testing, to identify and mitigate risks.

 
  1.  

Establishment of incident response mechanisms: Entities must establish rapid action systems to respond to security incidents, mitigate impact of such incidents and conduct forensic analyses to learn from such incidents and further strengthen cyber security.

 
  1.  

Conducting periodic cyber security audits: Telecom Entities are required to conduct periodic cyber security audits through its own mechanisms and through government certified agencies to assess resilience to telecom cyber security threats.
  1.  

Power to suspend / terminate telecom identifier that endangers telecom cyber security: The Central Government may issue show cause notices to individuals or entities whose telecom identifiers are suspected of being involved in such endangering activities and thereafter order the temporary suspension or termination of the use of such telecom identifiers after following due process.
  1.  

Obligations relating to Telecommunication Equipment: Manufacturers and importers of telecommunication equipment with International Mobile Equipment Identity (IMEI) numbers are required to register these numbers with the Central Government before selling or importing the equipment in India. Under the superseded MDEI Rules, manufacturers were required to obtain the right to assign a Mobile Device Equipment Identification Number (MDEI) to a mobile device, however, no such requirement has been set out in the Rules. The Rules further prohibit tampering or alteration of unique telecommunication equipment identification numbers (i.e., a number / signal that uniquely identifies a telecom equipment including an IMEI number or electronic serial number). It is pertinent to note here that the MDEI Rules defined MDEI as unique identification numbers for mobile wireless communication devices, however, the Rules expand this definition as unique numbers for any type of telecommunication equipment
  1.  

Digital Implementation and Enforcement: The Central Government may specify digital means for implementing these Rules (upon taking effect), including for collection, sharing, and analysis of traffic data; issuance of notices and submission of responses; maintaining a repository of individuals and telecommunication identifiers against which actions have been taken; preventing the misuse of telecommunication identifiers or services, etc.

Conclusion

The Rules propose a robust legal framework and by mandating strict cybersecurity policies, incident reporting, and compliance measures, these rules ensure that Telecom Entities are well-prepared to combat cyber threats. While there are similarities with prevailing guidelines and instructions issued by the DoT, the Rules also prescribe certain additional requirements that may lead to additional costs and increase the compliance burden for Telecom Entities. For instance, the obligation requiring Telecom Entities to report actual or potential security incidents within 6 hours of its ‘occurrence’ (rather than the time from when the incident is noticed) seems highly onerous and cumbersome in comparison to similar requirements under other frameworks. Additionally, the Rules grant the Central Government very wide powers to suspend / terminate any telecom identifier with immediate effect. Nevertheless, the Rules are a welcome step in the overall scheme of things.

  • Harsh Walia (Partner); Abhinav Chandan (Partner); Shobhit Chandra (Counsel) and Khyati Goel (Associate)

Harsh Walia (partners) , Abhinav Chandan (partners) , Shobhit Chandra (partners)

We have updated our Privacy Policy, which provides details of how we process your personal data and apply security measures. We will continue to communicate with you based on the information available with us. You may choose to unsubscribe from our communications at any time by clicking here.

For private circulation only

The contents of this email are for informational purposes only and for the reader’s personal non-commercial use. The views expressed are not the professional views of Khaitan & Co and do not constitute legal advice. The contents are intended, but not guaranteed, to be correct, complete, or up to date. Khaitan & Co disclaims all liability to any person for any loss or damage caused by errors or omissions, whether arising from negligence, accident or any other cause.

© 2024 Khaitan & Co. All rights reserved.

Mumbai

One World Centre
10th, 13th & 14th Floor, Tower 1C
841 Senapati Bapat Marg
Mumbai 400 013, India

Mumbai

One Forbes
3rd & 4th Floors, No. 1
Dr. V. B. Gandhi Marg
Fort, Mumbai 400 001

Delhi NCR (New Delhi)

Ashoka Estate
11th Floor, 1105 & 1106,
24 Barakhamba Road,
New Delhi 110 001, India

Kolkata

Emerald House
1B Old Post Office Street
Kolkata 700 001, India

Bengaluru

Embassy Quest
3rd Floor
45/1 Magrath Road
Bengaluru 560 025, India

Delhi NCR (Noida)

Max Towers,
7th & 8th Floors,
Sector 16B, Noida
Uttar Pradesh 201 301, India

Chennai

8th Floor,
Briley One No.30
Ethiraj Salai
Egmore
Chennai 600 008, India

Singapore

Singapore Land Tower
50 Raffles Place, #34-02A
Singapore 048623

Pune

Raheja Woods
03-108-111, 3 Floor
8, Central Avenue, Kalyani Nagar
Pune - 411 006, India

Gurugram (Satellite Office)

Suite No. 660
Level 6, Wing B,
Two Horizon Center
Golf Course Road, DLF 5
Sector 43, Gurugram
Haryana 122 002, India

Ahmedabad

1506 - 1508, B-Blockr
Navratna Corporate Parkr
Iscon Ambli Road, Ahmedabadr
Gujarat - 380058