Over the past 18 months, the Indian telecom sector has faced increasing scrutiny from the Department of Telecommunications (DoT) on security grounds. On 3 June, the DoT announced an amendment to the Commercial CUG VSAT Licence Agreement for the expansion of telecom services across India. This amendment introduces onerous obligations and restrictions which will greatly impact foreign telecom vendors.
All prior notifications are to be superseded by the new amendment. The salient features of the amendment are outlined below.
Internal security policy
From 1 April 2013, it is mandatory for all telecom licensees to ensure that all of their network equipment is tested in Indian laboratories. Prior to this date, telecom licensees are free to use any certifying agency of their choice for these testing procedures. The DoT will provide a list of certified agencies on its website. Telecom licensees must also conduct an annual audit on their networks (the first audit should be completed before 31 May 2012).
[ihc-hide-content ihc_mb_type=”show” ihc_mb_who=”3″ ihc_mb_template=”2″ ]
In addition, the telecom licensee should: (i) maintain relevant security standards while procuring telecom equipment; (ii) maintain a list of features, equipment and software that is available for inspection by the DoT; and (iii) create facilities capable of monitoring and detecting intrusion by 31 May 2012.
Only Indian residents are eligible to be employed as the telecom licensees’ key officers (e.g. chief technical officers, chief information security officers, nodal executive and system administrators).
Telecom licensees are also expected to maintain a record of operation and maintenance procedures such as (but not limited to) operation and maintenance command logs; user identification; software updates and changes; and supplier chains.
Inspection
The telecom licensees must ensure that agreements with their vendors contain provisions enabling the telecom licensee and/or the DoT (or its agencies) to inspect the hardware/software, design, development, manufacturing facility and supply chain, and subject all software to a security/threat check at any point during the supply of telecom equipment by the vendors. Inspections will be limited to two per purchase order under the vendor agreements. Where the relevant purchase order value is more than ₹500 million (US$11 million) and the duration of such visits exceeds 40 person days per visit, the costs will be borne by the telecom licensee or can be passed on to the vendors.
Penalties
The amendment has attempted to differentiate between an intentional breach and an inadvertent breach. A penalty of up to ₹500 million has been prescribed for any security breach caused due to inadvertent inadequacy.
The DoT will set up a five-member panel which will determine whether the breach is due to inadvertent inadequacy and the amount of penalty to be awarded.
A penalty of ₹500 million has also been prescribed for any intentional omission, deliberate vulnerability or deliberate attempt to breach security.
The DoT has the power to cancel the licence of the telecom licensee as well as blacklist any vendor/supplier of telecom equipment from doing business in India.
The DoT has made compulsory the insertion of a clause to allow it the discretion to blacklist such vendors/suppliers in all equipment procurement agreements entered into by the telecom licensee.
[/ihc-hide-content]
The legislative and regulatory update is compiled by Nishith Desai Associates, a Mumbai-based law firm. The authors can be contacted at nishith@nishithdesai.com. Readers should not act on the basis of this information without seeking professional legal advice.
