Cyber breach notification within 6 hours mandated in India

India’s mandate on a “six-hour” window for companies to notify authorities about cyber breaches is now in force under sweeping new regulations declared by the country’s Computer Emergency Response Team, CERT-In.

The regulation applies to “service providers, intermediaries, data centres, body corporate and government organisations” and will come into force 60 days from 28 April.

iTnews reported that these bodies will have to make their reports to CERT-In “within six hours of noticing such incidents or being brought to notice about such incidents”.

The regulation also requires organisations to provide assistance to CERT-In, as well as “information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness”.

Organisations are also instructed to appoint a single point of contact for communicating with CERT-In, and to maintain logs on all ICT systems, which must be kept in a secure form for 180 days.

The regulation also imposes wide-ranging record-keeping on services, including data centres, virtual private server (VPS) providers, cloud service providers, and VPN services.

Data these services will have to store for five years include customer identity, when subscriptions were in force, IP addresses assigned to them, contact numbers, and other information.

The declaration also brings virtual assets under financial regulations administered by the Ministry of Finance.

To maintain system synchronisation India-wide, the declaration mandates that systems administrators connect to network time protocol servers run by the National Informatics Centre or the National Physical Laboratory, “or with NTP servers traceable to these NTP servers”.