India’s CERT-In Directive
Prepare your organization for compliance with India’s new cybersecurity rules
The Indian Computer Emergency Response Team (CERT-In) issued a new directive around cybersecurity initiatives and incident notification requirements on April 28, 2022. The directive went into full force for all organizations in September 2022, introducing the shortest timeline yet for reporting incidents. Here’s what every organization needs to know to get in compliance.
Automate India CERT-In obligations with the BreachRx platform
Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response
Who Must Comply with the CERT-In Directive?
All organizations that serve customers in India, including government agencies, must adhere to the CERT-In directive. Citizens acting as individuals do not need to adhere to the directive.
How India Will Enforce the CERT-In Directive
CERT-In has authority to collect, analyze, and disseminate information about cyber incidents, issue forecasts and alerts, coordinate response activities, and issue guidelines and advisories related to security practices, incident prevention, and incident response and reporting. CERT-In will review and analyze all incident reports and can ask for more information or give additional direction with which companies must comply.
Non-compliance with the directive or orders from CERT-In is punishable with imprisonment of up to one year and a fine of up to one lakh rupees. The process kicks off with a report from a CERT-In officer, which gets reviewed by a committee. From there, the Director General of CERT-In can file a complaint with the court, which will then decide the ultimate penalty.
Incident Notification Requirements Under the CERT-In Directive
| Question | Requirement |
| --- | --- |
| What incidents require a report? | |
| When do organizations need to issue a report? | Within six hours of becoming aware of the incident. Additional information uncovered later can be shared within a “reasonable timeframe.” |
| To whom should organizations issue a report? | All reports should go directly to CERT-In via email or fax, with contact details provided on the CERT-In website. |
| What does the incident report need to include? | |
| What are additional requirements? | |
All organizations must synchronize the clocks of their information and communication technology systems by connecting to the NTP server of the National Informatics Center (NIC) or the National Physical Laboratory (NPL), so that the timestamps in incident reports are consistent.
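The clock-synchronization requirement above and the six-hour window in the notification table are the two items a practitioner can actually verify from a host. The following is an added example, not code from the original page, from BreachRx or from CERT-In. It renders the chrony `server` directives for the approved time sources, parses the output of `chronyc tracking` to confirm the host is synced to an approved server within an acceptable offset, and computes the six-hour reporting deadline in IST from the moment of awareness. The hostnames in `APPROVED_NTP_HOSTS` are placeholders standing in for the NIC and NPL servers (the real hostnames are published by CERT-In and the respective agencies), the `MAX_OFFSET_SECONDS` tolerance is an assumed local policy value, and the `chronyc` output is constructed sample data.

```python
"""Verify NTP sync against approved sources and compute the CERT-In
six-hour reporting deadline.

Added example, not part of the original page and not BreachRx or CERT-In code.
"""
from datetime import datetime, timedelta, timezone
import re

# ASSUMPTION: placeholder hostnames standing in for the NIC / NPL NTP servers.
APPROVED_NTP_HOSTS = {"ntp1.nic.example.in", "ntp2.nic.example.in", "time.npl.example.in"}

# ASSUMPTION: maximum tolerated offset from NTP time before the host is flagged.
MAX_OFFSET_SECONDS = 0.5

REPORTING_WINDOW = timedelta(hours=6)
IST = timezone(timedelta(hours=5, minutes=30), name="IST")


def chrony_config(hosts=APPROVED_NTP_HOSTS):
    """Render chrony.conf 'server' directives for the approved sources."""
    return "\n".join(f"server {h} iburst" for h in sorted(hosts)) + "\n"


# Line patterns from `chronyc tracking` output.
_REF_RE = re.compile(r"^Reference ID\s*:\s*\S+\s*\(([^)]*)\)", re.M)
_SYS_RE = re.compile(r"^System time\s*:\s*([0-9.]+) seconds (fast|slow) of NTP time", re.M)
_LEAP_RE = re.compile(r"^Leap status\s*:\s*(\S.*)$", re.M)


def check_tracking(output, approved=APPROVED_NTP_HOSTS, max_offset=MAX_OFFSET_SECONDS):
    """Parse `chronyc tracking` output and return (ok, findings).

    ok is True only when the reference source is an approved host, the clock
    is within max_offset seconds of NTP time, and chrony reports normal status.
    """
    findings = []
    ref = _REF_RE.search(output)
    sys_time = _SYS_RE.search(output)
    leap = _LEAP_RE.search(output)

    if ref is None:
        findings.append("no reference source line found")
    elif ref.group(1) not in approved:
        findings.append(f"reference source {ref.group(1)!r} is not an approved NIC/NPL server")

    if sys_time is None:
        findings.append("no system time offset line found")
    else:
        offset = float(sys_time.group(1))
        if offset > max_offset:
            findings.append(f"clock is {offset} s {sys_time.group(2)} of NTP time (limit {max_offset} s)")

    status = leap.group(1).strip() if leap else "unknown"
    if status != "Normal":
        findings.append(f"leap status is {status}, expected Normal")

    return (not findings, findings)


def reporting_deadline(aware_at):
    """Six-hour CERT-In deadline, expressed in IST.

    The window counts from the moment the organization became aware of the
    incident, not from when the incident began, so the input must be a
    timezone-aware timestamp taken from a synced clock.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must carry a timezone")
    return (aware_at + REPORTING_WINDOW).astimezone(IST)


# Constructed sample of `chronyc tracking` output from a host synced to a placeholder NIC server.
SAMPLE_OK = """\
Reference ID    : 0A000001 (ntp1.nic.example.in)
Stratum         : 2
Ref time (UTC)  : Thu Sep 01 09:58:07 2022
System time     : 0.000214567 seconds fast of NTP time
Last offset     : +0.000031211 seconds
RMS offset      : 0.000087654 seconds
Frequency       : 8.412 ppm slow
Residual freq   : +0.002 ppm
Skew            : 0.105 ppm
Root delay      : 0.014213456 seconds
Root dispersion : 0.001032112 seconds
Update interval : 64.5 seconds
Leap status     : Normal
"""

# Constructed sample: synced to a non-approved pool server and drifting well past the tolerance.
SAMPLE_BAD = (SAMPLE_OK.replace("(ntp1.nic.example.in)", "(pool.example.org)")
              .replace("0.000214567 seconds fast", "3.250000000 seconds slow"))

# Constructed awareness timestamp (UTC) for the deadline calculation.
SAMPLE_DISCOVERY = datetime(2022, 9, 1, 4, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(chrony_config())
    for name, sample in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        ok, findings = check_tracking(sample)
        print(name, "PASS" if ok else "FAIL", findings)
    print("report due by", reporting_deadline(SAMPLE_DISCOVERY).isoformat())
```

In practice the `SAMPLE_OK` string is replaced with the live output of `chronyc tracking` (for example via `subprocess.run`), and the check is run from a scheduled job so that drift or a silently changed time source is caught before an incident, not during the six-hour window.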
VPS and VPN service providers must also retain a record of users for at least five years, including:
Examples of Incidents That Can Trigger the Reporting Requirement Under the CERT-IN Directive
Given the comprehensive list of reportable incidents under the CERT-In directive, attacks of all kinds can trigger India’s incident reporting requirement. Common examples of attacks include:
Phishing Attack
When attackers trick users into clicking a malicious link or sharing details by pretending to be someone else. This can expose information and provide unauthorized access to systems.
Distributed Denial of Service (DDoS) Attack
When threat actors create a “traffic jam” on a server, service, or network by flooding it with fake visitors. This can disrupt operations or be a distraction for a larger attack.
Trojan Horse Attack
When malicious actors hide malicious software inside a legitimate program that users download. This provides access to systems to monitor behavior and view, steal, or alter information.
How Organizations Can Prepare to Comply with the CERT-In Directive
India’s six-hour reporting timeline for incidents, expanded list of reportable incidents, and clock synchronization requirements mean that every organization needs to prepare in advance to remain compliant with the CERT-In directive. Specifically, organizations should prepare for three essential phases of incident response:
Prepare response plans in advance of needing them to be ready to act immediately once an incident occurs. This includes:
- Reviewing requirements in regulations and contracts
- Outlining ready-to-go response plans, including clear assignments of responsibility
- Running simulations to prepare team members
Jump into action when an incident occurs to maintain compliance, avoid or reduce penalties, and bolster customer trust. This includes:
- Identifying what happened, how, and when, and what systems were affected
- Outlining the potential impact and taking steps to remediate the issue
- Collaborating with key stakeholders to report the issue according to regulations
- Introducing a safe haven for team communications about the response
Regularly evaluate incident response plans to stay up to date as regulations, contracts, and threats evolve and improve efforts going forward. This includes:
- Establishing a centralized dashboard for reporting on and monitoring response plans and updates to regulations and contracts
- Aligning stakeholders on changes to response plans and new responsibilities
It’s More Important Than Ever to Prioritize Proactive Incident Response
India’s CERT-In directive represents one of the strictest regulations to date, with a comprehensive list of reportable incidents, an extremely short notification window of six hours, and several other onerous requirements. As a result, organizations must prepare in advance.
Proactive incident response – including evaluating requirements, developing a response plan, assigning responsibilities, and revisiting those efforts regularly – empowers teams to act quickly and confidently when an incident occurs. In turn, this can ensure compliance and reduce the fallout associated with an incident.
Supercharge your incident response strategy with the BreachRx platform
Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.