CERT-In, India's computer, and emergency response team released new guidelines on Thursday that mandate that service providers, intermediaries, data centres, and government institutions disclose cybersecurity incidents, including data breaches, within six hours.
The government said in a release, "Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents."
Compromise of critical systems, targeting scanning, unauthorised access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances such as routers and IoT devices are among the types of incidents covered.
The government stated it was taking these steps to ensure that the required indicators of compromise (IoC) associated with security events are easily accessible to "carry out the analysis, investigation, and coordination as per the process of the law”
Concerned organisations are also required to synchronise ICT system clocks to the National Informatics Centre (NIC) or National Physical Laboratory (NPL) Network Time Protocol (NTP) Server, maintain ICT system logs for a rolling period of 180 days, and necessitate VPN service providers to maintain data such as names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years, according to the guidelines.
The guidelines also require virtual asset service, exchange, and custodian wallet providers to preserve records on Know Your Customer (KYC) and financial transactions for a period of five years, starting in 60 days.
India's Ministry of Electronics and Information Technology (MeitY) said in a statement, "These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country."
