informa
2 min read
article

New Regulations in India Require Orgs to Report Cyber Incidents Within 6 Hours

CERT-In updates cybersecurity rules to include mandatory reporting, record-keeping, and more.

The Indian Computer Emergency Response Team (CERT-In) issued new cyber incident reporting guidelines, including the requirement for service providers, intermediaries, data centers, corporations, and government agencies to report cyber incidents to the regulator within six hours.

The new government-issued cybersecurity rules will take effect in 60 days.

Incidents requiring immediate CERT-In notification include:

  • Targeted scanning/probing of critical networks/systems
  • Compromise of critical systems/information
  • Unauthorized access of IT systems/data
  • Defacement of website or intrusion into a website and unauthorized changes such as inserting malicious code, links to external websites, etc.
  • Malicious code attacks such as spreading of virus/ worm/ Trojan/ bots/ spyware/ ransomware/ cryptominers
  • Attack on servers such as database, mail, and DNS, and network devices such as routers
  • Identity theft, spoofing, and phishing attacks
  • Denial of service (DoS) and distributed denial of service (DDoS) attacks
  • Attacks on critical infrastructure, SCADA and operational technology systems, and wireless networks
  • Attacks on applications such as e-governance, e-commerce, etc.
  • Data breach
  • Data leak
  • Attacks on Internet of Things (IoT) devices and associated systems, networks, software, and servers
  • Attacks or incident affecting digital payment systems
  • Attacks through malicious mobile apps
  • Fake mobile apps
  • Unauthorized access to social media accounts
  • Attacks or malicious/ suspicious activities affecting cloud computing systems/ servers/ software/ applications
  • Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to big data, blockchain, virtual assets, virtual asset exchanges, custodian wallets, robotics, 3D and 4D printing, additive manufacturing, and drones
  • Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to artificial intelligence and machine learning

Other new rules require service providers and their intermediaries, data centers, corporations, and government agencies to connect to the Network Time Protocol (NTP) server of the National Informatics Center (NIC) or National Physical Laboratory (NPL) — or with servers that can be traced back to one of those two servers — and synchronize their ICT system clocks with the government's.

These organizations will also need to start keeping logs for the previous 180 days and provide it to CERT-In if an incident occurs, the new guidelines said.

The tightening up of reporting rules is intended to close "certain gaps causing hinderance in incident analysis," the Ministry of Electronics & IT said in its statement announcing the new cybersecurity measures. "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."