Companies that experience cyber security breaches in India will have just six hours to notify authorities under sweeping new regulations declared by the country’s Computer Emergency Response Team, CERT-In.
The regulation [pdf] applies to “service providers, intermediaries, data centres, body corporate and government organisations” and will come into force 60 days from April 28.
These bodies will have to make their reports to CERT-In “within six hours of noticing such
incidents or being brought to notice about such incidents”.
The regulation also requires organisations to provide assistance to CERT-In, as well as “information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness.”
Organisations are also instructed to appoint a single point of contact for communicating with CERT-In, and to maintain logs on all ICT systems, which must be kept in a secure form for 180 days.
The regulation also imposes wide-ranging recordkeeping on services, including data centres, virtual private server (VPS) providers, cloud service providers, and VPN services.
Data these services will have to store for five years include customer identity, when subscriptions were in force, IP addresses assigned to them, contact numbers, and other information.
The declaration also brings virtual assets under financial regulations administered by the Ministry of Finance.
To maintain system synchronisation India-wide, the declaration mandates that systems administrators connect to Network Time Protocol servers run by the National Informatics Centre or the National Physical Laboratory, “or with NTP servers traceable to these NTP servers.”
Anyone opting to use other NTP servers has to ensure that “their time source shall not deviate from NPL and NIC.”