India’s CERT-In Directive

Prepare your organization for compliance with India’s new cybersecurity rules

The Indian Computer Emergency Response Team (CERT-In) issued a new directive around cybersecurity initiatives and incident notification requirements on April 28, 2022. The directive went into full-force for all organizations in September 2022, introducing the shortest timeline yet for reporting incidents. Here’s what every organization needs to know to get in compliance.

Who Must Comply with the CERT-In Directive?

All organizations that serve customers in India, including government agencies, must adhere to the CERT-In directive. Citizens acting as individuals do not need to adhere to the directive.

How India Will Enforce the CERT-In Directive

Enforcement Authority

CERT-In has authority to collect, analyze, and disseminate information about cyber incidents, issue forecasts and alerts, coordinate response activities, and issue guidelines and advisories related to security practices, incident prevention, and incident response and reporting. CERT-In will review and analyze all incident reports and can ask for more information or give additional direction, with which companies must comply.

Handling Non-Compliance

Non-compliance with the directive or orders from CERT-In is punishable with imprisonment of up to one year and a fine of up to one lakh rupees. The process kicks off with a report from a CERT-In officer, which gets reviewed by a committee. From there, the Director General of CERT-In can file a complaint with the court, which will then decide the ultimate penalty.

Incident Notification Requirements Under the CERT-In Directive

What incidents require a report?
  • Targeted scanning or probing of critical networks/systems
  • Compromise of critical systems/information
  • Unauthorized access of IT systems or data
  • Unauthorized access or changes made to a website, such as inserting malicious code or links to external websites
  • Malicious code attacks
  • Attacks on servers and network devices
  • Identity theft, spoofing, and phishing attacks
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  • Attacks on critical infrastructure, operational technology systems, and wireless networks
  • Attacks on eCommerce and eGovernance applications
  • Instances of data breach or data leaks
  • Attacks on Internet of Things (IoT) devices or associated systems and networks
  • Attacks on digital payment systems
  • Attacks through malicious mobile apps
  • Fake mobile apps
  • Unauthorized access to social media accounts
  • Attacks on or malicious activities affecting cloud computing services or services related to blockchain, virtual assets, Machine Learning, or Artificial Intelligence

When do organizations need to issue a report?

Within six hours of becoming aware of the incident. Additional information uncovered later can be shared within a “reasonable timeframe.”

To whom should organizations issue a report?

All reports should go directly to CERT-In via email or fax, with contact details provided on the CERT-In website.

What does the incident report need to include?
  • A summary of the incident
  • Details about how the incident was detected
  • Information about the systems, networks, and devices affected, including location and details about any previous security audits
  • Details about any investigations into the incident
  • Details about the impact of the incident
  • Description of how the incident occurred and any vulnerabilities that might have enabled it
  • Information about any mitigation actions taken or planned
  • All IT logs from the past 180 days
  • Name, phone number, and email address for the person reporting the incident and (if different) an ongoing contact
  • Any other relevant information
What additional requirements apply?

All organizations must synchronize their information and communication technology system clocks, so that reported timestamps are consistent, by connecting to the NTP server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL).
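As an added example (not from the page or the BreachRx platform), a POSIX shell check that a Linux host's NTP client is active and synchronized and that its chrony-style configuration names the mandated time source. The hostname `ntp.nic.example` is a placeholder for the NIC or NPL server, and the `timedatectl show` output and config lines are constructed so the check runs offline.

```shell
#!/bin/sh
# Added example: verify the CERT-In clock-synchronization requirement on a Linux host.
# Placeholder hostname; replace with the NIC or NPL NTP server published by CERT-In.
MANDATED_NTP="ntp.nic.example"

# Returns 0 when `timedatectl show` output (passed as $1) reports an active, synchronized NTP client.
clock_synced() {
  printf '%s\n' "$1" | grep -qx 'NTP=yes' &&
  printf '%s\n' "$1" | grep -qx 'NTPSynchronized=yes'
}

# Returns 0 when a chrony/ntpd-style config ($1) has a server or pool line naming host $2.
# Dots in the hostname act as regex wildcards here, which is acceptable for a compliance check.
uses_mandated_source() {
  printf '%s\n' "$1" | grep -Eq "^[[:space:]]*(server|pool)[[:space:]]+$2([[:space:]]|$)"
}

# Constructed samples so the check can be exercised without systemd or chrony installed.
SAMPLE_SYNCED='Timezone=Asia/Kolkata
NTP=yes
NTPSynchronized=yes'
SAMPLE_DRIFTING='Timezone=Asia/Kolkata
NTP=no
NTPSynchronized=no'
SAMPLE_CONF_OK="server $MANDATED_NTP iburst"
SAMPLE_CONF_BAD='pool 2.pool.ntp.org iburst'

# Full check: 0 = compliant, 1 = clock not synchronized, 2 = synchronized but to the wrong source.
check_host() {
  clock_synced "$1" || return 1
  uses_mandated_source "$2" "$MANDATED_NTP" || return 2
  return 0
}

# Demonstrate on the constructed samples; on a real host pass "$(timedatectl show)"
# and "$(cat /etc/chrony/chrony.conf)" instead.
check_host "$SAMPLE_SYNCED" "$SAMPLE_CONF_OK" && echo "sample host: clock sync compliant"
```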

VPS and VPN service providers must also retain a record of users for at least five years, including:

  • Validated names of subscribers hiring the services
  • Period of hire, including dates
  • IPs allotted to the subscribers
  • Email address, IP address, and time stamp used at the time of registration
  • Purpose for engaging the services
  • Validated address and contact numbers
  • Ownership pattern of the subscribers leasing services

Examples of Incidents That Can Trigger the Reporting Requirement Under the CERT-In Directive

Given the comprehensive list of reportable incidents under the CERT-In directive, attacks of all kinds can trigger India’s incident reporting requirement. Common examples of attacks include:

Phishing Attack

When attackers trick users into clicking a malicious link or sharing details by pretending to be someone else. This can expose information and provide unauthorized access to systems.

Distributed Denial of Service (DDoS) Attack

When threat actors create a “traffic jam” on a server, service, or network by flooding it with fake visitors. This can disrupt operations or be a distraction for a larger attack.

Trojan Attack

When malicious actors hide malicious software inside a legitimate program that users download. This provides access to systems to monitor behavior and view, steal, or alter information.

How Organizations Can Prepare to Comply with the CERT-In Directive

India’s six-hour reporting timeline for incidents, expanded list of reportable incidents, and clock synchronization requirements mean that every organization needs to prepare in advance to remain compliant with the CERT-In directive. Specifically, organizations should prepare for three essential phases of incident response:

Readiness

Prepare response plans in advance of needing them to be ready to act immediately once an incident occurs. This includes:

  • Reviewing requirements in regulations and contracts
  • Outlining ready-to-go response plans, including clear assignments of responsibility
  • Running simulations to prepare team members

Response

Jump into action when an incident occurs to maintain compliance, avoid or reduce penalties, and bolster customer trust. This includes:

  • Identifying what happened, how, and when, and what systems were affected
  • Outlining the potential impact and taking steps to remediate the issue
  • Collaborating with key stakeholders to report the issue according to regulations
  • Introducing a safe haven for team communications about the response

Ongoing Management

Regularly evaluate incident response plans to stay up to date as regulations, contracts, and threats evolve and improve efforts going forward. This includes:

  • Establishing a centralized dashboard for reporting on and monitoring response plans and updates to regulations and contracts
  • Aligning stakeholders on changes to response plans and new responsibilities

It’s More Important Than Ever to Prioritize Proactive Incident Response

India’s CERT-In directive represents one of the strictest regulations to date, with a comprehensive list of reportable incidents, an extremely short notification window of six hours, and several other onerous requirements. As a result, organizations must prepare in advance.

Proactive incident response – including evaluating requirements, developing a response plan, assigning responsibilities, and revisiting those efforts regularly – empowers teams to act quickly and confidently when an incident occurs. In turn, this can ensure compliance and reduce the fallout associated with an incident.
