CERT-In Gives 60 days to Indian Tech Companies to hit 6-hour deadline for infosec incident reporting
Reading Time: 2 minutes

The Computer Emergency Response Team (CERT-In) in India has asked Indian tech companies to comply with the new set of rules required. According to the rules, they will have to report 20 different types of infosec incidents within six hours of detection, be they a ransomware attack or mere compromise of a social media account.

CERT-In explained the short deadline was required to identify the gaps that caused hindrance in incident analysis.

Organizations can report via email, phone, or fax to send incident reports. Though how this will improve analysis gaps is unclear. Service providers, intermediaries, data center operators, companies, and government organizations will need to follow the mentioned rules [PDF].

Around 20 incidents are listed which include ransomware attacks and data breaches that need to be reported quickly. While some are vaguely mentioned as “Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications, which needs to be clearly mentioned. Website defacement or unauthorized use of social media accounts also need to be reported, though they don’t have the same seriousness as others.

Comparatively, Europe’s General Data Protection Regulations organization has to report a breach within 72 hours, in the US it is around 24 hours for government agencies, in the case of India, it will be a six-hour reporting window. 

Organizations following the rules will also have to maintain logs of all their ICT systems for a rolling period of 180 days, and submit them to CERT-In when asked.

Data Centers, Virtual Private Server (VPS) providers, Cloud Service providers, and Virtual Private Network Service (VPN Service) providers will have to register customer data and maintain it for a minimum of 5 years. They will have to retain data such as customers’ names, hire dates, IP addresses, email addresses, services, ownership patterns, and more.

There are additional requirements for the crypto sector. The Virtual asset exchange and custodian wallet providers require to maintain Know Your Customer (KYC) records and financial transactions for a period of five years. A move by the Indian authorities to clamp down on the use of cryptocurrency for money laundering. 

The Indian IT organizations will have to use Network Time Protocol servers provided by either the National Informatics Center or National Physical Laboratory, or NTP servers traceable and synched to those organizations. 

According to CERT-In, “These directions will enhance overall cybersecurity posture and ensure safe and trusted internet in the country.”

A challenging task considering the rules come into effect in 60 days.  Not much time especially with the procedures required to deliver six-hour reporting.

Related Articles:
Elon Musk Wants Twitter DMs to be End-to-End Encrypted like Signal
Chinese Hackers use Updated PlugX Malware to target Russian Military Personnel
Critical VMware RCE flaw Exploited by Hackers to Install Backdoors