India’s nodal cybersecurity agency, the Indian Computer Emergency Response Team (CERT-In), has issued new directions requiring all service providers, intermediaries, data centre providers, corporates and government organisations to report cyber incidents within six hours of noticing them. The directions also require virtual asset, exchange and wallet providers to keep KYC and financial transaction records for five years, and cloud and virtual private network (VPN) service providers to maintain validated names, email addresses and IP addresses of their subscribers.
The directions have been issued under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000 after CERT-In found certain gaps that were “causing hindrance to incident analysis.”
CERT-In said that these directions will enhance “overall cybersecurity posture” and guarantee “safe and trusted Internet” in the country.
Under the directions on incident reporting, service providers will also have to provide CERT-In with information and assistance for any action taken to mitigate the impact of a cyber incident. The information has to be supplied in a specified format and within a specified time frame; failing to do so will be treated as non-compliance, CERT-In warned.
So that the sequence of events across different systems can be reconstructed on a single, accurate timeline, service providers have been asked to connect and synchronise the clocks of all their ICT systems to the Network Time Protocol (NTP) servers of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL). NTP is the protocol used to distribute accurate time from a reference source across IP networks (it runs over UDP port 123); a client exchanges timestamped packets with a server, computes how far its own clock is off, and adjusts it so that every machine keeps a common time.
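To show what that synchronisation actually involves, here is an added example (not part of the original article, and not code from CERT-In, NIC or NPL) of the client side of an SNTP exchange: it builds a request, parses the 48-byte reply, rejects replies a client must not trust, and computes the clock offset and round-trip delay from the four timestamps. The server reply is constructed in-process so the example runs offline; the stratum, reference ID and timing values in it are assumptions chosen for illustration.

```python
"""Minimal SNTP client-side packet handling (RFC 4330 / RFC 5905 client mode).

Added example: the server reply is constructed locally so this runs offline.
Replace make_sample_reply() with a real UDP exchange on port 123 to use it.
"""
import struct

NTP_DELTA = 2_208_988_800                      # seconds from NTP epoch (1900) to Unix epoch (1970)
NTP_PACKET = struct.Struct("!BBBbII4sQQQQ")    # 48-byte header: flags, stratum, poll, precision,
                                               # root delay, root dispersion, ref id, 4 timestamps
MODE_CLIENT, MODE_SERVER = 3, 4
LI_ALARM = 3                                   # leap indicator 3 = server clock not synchronised


def to_ntp_ts(unix_time: float) -> int:
    """Unix float seconds -> 64-bit NTP timestamp (32-bit seconds | 32-bit fraction)."""
    secs = int(unix_time) + NTP_DELTA
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp_ts(ts: int) -> float:
    """64-bit NTP timestamp -> Unix float seconds."""
    return (ts >> 32) - NTP_DELTA + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1: float) -> bytes:
    """Client request: LI=0, version 4, mode 3; our send time T1 goes in the transmit field."""
    first = (0 << 6) | (4 << 3) | MODE_CLIENT
    return NTP_PACKET.pack(first, 0, 0, 0, 0, 0, b"\0\0\0\0", 0, 0, 0, to_ntp_ts(t1))


def parse_reply(data: bytes) -> dict:
    """Decode the header fields a client needs; timestamps stay as raw 64-bit NTP values."""
    if len(data) < NTP_PACKET.size:
        raise ValueError("short NTP packet")
    first, stratum, _poll, _prec, _rdelay, _rdisp, refid, _ref, orig, recv, xmt = \
        NTP_PACKET.unpack(data[:NTP_PACKET.size])
    return {"li": first >> 6, "version": (first >> 3) & 7, "mode": first & 7,
            "stratum": stratum, "refid": refid, "t1": orig, "t2": recv, "t3": xmt}


def validate_reply(reply: dict, t1_sent: float) -> None:
    """Reject replies an NTP client must not use to set its clock."""
    if reply["mode"] != MODE_SERVER:
        raise ValueError("not a server reply")
    if reply["stratum"] == 0:                  # kiss-o'-death: refid carries an ASCII code
        raise ValueError("kiss-o'-death: " + reply["refid"].decode("ascii", "replace"))
    if reply["li"] == LI_ALARM:
        raise ValueError("server clock not synchronised")
    # The origin timestamp must echo the T1 we sent; otherwise the reply is stale or spoofed.
    if reply["t1"] != to_ntp_ts(t1_sent):
        raise ValueError("origin timestamp mismatch")


def offset_and_delay(t1: float, t2: float, t3: float, t4: float):
    """RFC 5905 clock offset and round-trip delay from the four timestamps."""
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return offset, delay


def make_sample_reply(t1: float, t2: float, t3: float, stratum: int = 1, li: int = 0) -> bytes:
    """Constructed server reply standing in for a real UDP exchange (values are assumptions)."""
    first = (li << 6) | (4 << 3) | MODE_SERVER
    return NTP_PACKET.pack(first, stratum, 6, -20, 0, 0, b"GPS\0",
                           to_ntp_ts(t3), to_ntp_ts(t1), to_ntp_ts(t2), to_ntp_ts(t3))


def reply_is_usable(reply_bytes: bytes, t1_sent: float) -> bool:
    """True only if the reply passes every check in validate_reply()."""
    try:
        validate_reply(parse_reply(reply_bytes), t1_sent)
        return True
    except ValueError:
        return False


def sync_check(t1: float, reply_bytes: bytes, t4: float):
    """Full client step: parse, validate, then return (offset, delay) in seconds."""
    reply = parse_reply(reply_bytes)
    validate_reply(reply, t1)
    t2, t3 = from_ntp_ts(reply["t2"]), from_ntp_ts(reply["t3"])
    return offset_and_delay(t1, t2, t3, t4)


if __name__ == "__main__":
    # Scenario (assumed): our clock runs 3 s ahead of the server, 50 ms each way
    # on the wire, and the server holds the packet for 10 ms before answering.
    T1 = 1_700_000_000.0                       # our send time (by our clock)
    T2 = T1 - 3.0 + 0.05                       # server receive time (by its clock)
    T3 = T2 + 0.01                             # server transmit time (by its clock)
    T4 = T1 + 0.05 + 0.01 + 0.05               # our receive time (by our clock)
    off, rtt = sync_check(T1, make_sample_reply(T1, T2, T3), T4)
    print(f"offset={off:+.4f}s delay={rtt:.4f}s")
```

The offset comes out as -3.0 s (the client is 3 s ahead and should step its clock back) and the delay as 0.1 s; the 10 ms the server spends holding the packet is excluded from the delay because it appears in both T2 and T3. The origin-timestamp check is the one most often skipped in ad-hoc clients, and it is what stops an attacker on the path from feeding back a replayed or forged reply that would skew every log timestamp on the host.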
CERT-In has also directed service providers to enable and securely maintain logs of all their ICT systems for a period of 180 days.
The cyber incidents that must be reported range from phishing attacks, identity theft, data breaches, data leaks and IoT attacks to targeted scanning of critical networks, compromise of critical systems, website defacement and malicious code such as ransomware, spyware and crypto miners. CERT-In has listed 20 such incident types, which are to be reported directly to it by email or fax.
Cyberattacks on Indian organisations have more than doubled in recent years. For instance, ransomware attacks on Indian organisations in 2021 increased 218% year-on-year (YoY), reported security firm Palo Alto Networks.
“To effectively fight cybercrime, all companies and enterprises must mandatorily report cyber incidents to IndianCERT New CyberSecurity directions for a SafeAndTrusted Internet issued under Sec 70b of IT Act,” Rajeev Chandrasekhar, Union minister of state for electronics and IT, said in a Twitter post.