wordpress blog stats
Connect with us

Hi, what are you looking for?

CERT-In wants cybersecurity incidents reported within 6 hours

The agency has also expanded the types of cyber attacks that must be reported.

The Indian Computer Emergency Response Team (CERT-In) on April 28 issued new cybersecurity directions covering aspects related to the timeframe for reporting cyber security incidents, maintenance of KYC and transaction information for crypto exchanges and wallets, maintenance of customer details by data centres, cloud services and VPN providers, and maintenance of logs in Indian jurisdiction. These directions will become effective in 60 days.

CERT-In is the government-appointed nodal agency tasked with performing cybersecurity-related functions and has issued these directions under section 70B of the Information Technology Act, 2000.

Who are these directions applicable to?

  1. Service providers such as telecom service providers, network service providers, internet service providers, web-hosting service providers, cloud service providers, crypto exchanges and wallets, etc.
  2. Intermediaries such as social media platforms, search engines, e-commerce platforms, etc.
  3. Body corporates, which is defined as any company including firms and sole proprietorships
  4. Data centres
  5. Government organisations

What are the new directions?

  1. Report incidents within 6 hours: All entities must mandatorily report cyber incidents to CERT-In within 6 hours of noticing such incidents or being brought to notice about such incidents. Entities can report to CERT-In via email (incident@cert-in.org.in), phone (1800- 11-4949) or Fax (1800-11-6969). Entities must follow the methods and formats of reporting published on the CERT-In website. The current rules don’t prescribe any time frame and only mention that entities must report incidents “as early as possible.”
  2. Crypto exchanges and wallets must maintain KYC details and records of financial transactions for five years: Virtual asset service providers, virtual asset exchange providers and custodian wallet providers should mandatorily maintain all information obtained as part of Know Your Customer (KYC) and records of financial transactions for a period of five years. “With respect to transaction records, accurate information shall be maintained in such a way that individual transactions can be reconstructed along with the relevant elements comprising of, but not limited to, information relating to the identification of the relevant parties including IP addresses along with timestamps and time zones, transaction ID, the public keys (or equivalent identifiers), addresses or accounts involved (or equivalent identifiers), the nature and date of the transaction, and the amount transferred,” CERT-In said.
  3. Service providers must maintain information on customers and subscribers for five years: Data Centres, Virtual Private Server (VPS) providers, cloud service providers and Virtual Private Network Service (VPN Service) providers, are required to register the following accurate information about customers and subscribers for a period of 5 years or longer duration after any cancellation or withdrawal of the registration:
    • Validated names of subscribers or customers hiring the services
    • Period of hire including dates
    • IPs allotted to or being used by the members
    • Email address and IP address and time stamp used at the time of registration
    • The purpose of hiring services
    • Validated address and contact numbers
    • Ownership pattern of the subscribers or customers hiring services
  4. Maintain logs for 180 days in India: All entities must mandatorily enable logs of all their ICT systems and maintain them securely for a rolling period of 180 days and the same should be maintained within the Indian jurisdiction. These should be provided to CERT-In along with reporting of any incident or when ordered by CERT-In.
  5. Synchronisation of clocks: All covered entities must connect to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or the National Physical Laboratory (NPL) or to servers traceable to these NTP servers for synchronisation of all their information and communications technology (ICT) systems clocks. Those entities with ICT infrastructure spanning multiple geographies can also use accurate and standard time sources other than NPL and NIC, as long as their time source does not deviate from NPL and NIC.
  6. CERT-In can order actions and demand information: For the purposes of cyber incident response, protective and preventive actions related to cyber incidents, CERT-In can issue orders to entities mandating them to take action or provide information that may be of assistance to CERT-In. Such orders may also include the format of the information that is required (up to and including near real-time) and a specified timeframe in which it is required. Entities not adhering to the requirements may be considered to be in non-compliance. As per the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules, 2013, this order can only be issued by an officer of CERT-In of the rank of Deputy Secretary to the Government of India or above.
  7. Point of contact: Entities are required to designate a Point of Contact to interface with CERT-In. The information relating to the Point of Contact should be sent to CERT-In and must contain a name, designation, organisation name, office address, email ID, mobile number, office phone, and office fax. All communications from CERT-In seeking information and providing directions for compliance will be sent to the said Point of Contact.

What cybersecurity incidents must be mandatorily reported?

According to the directions, the following cybersecurity incidents must be mandatorily reported within 6 hours. Items in bold are the newly added ones:

  1. Targeted scanning/probing of critical networks/systems
  2. Compromise of critical systems/information
  3. Unauthorised access to IT systems/data
  4. Defacement of website or intrusion into a website and unauthorised changes such as inserting malicious codes or links to external websites etc.
  5. Malicious code attacks such as the spreading of viruses/worms/Trojan/Bots/ Spyware/Ransomware/Cryptominers
  6. Attack on servers such as Database, Mail and DNS and network devices such as Routers
  7. Identity Theft, spoofing and phishing attacks
  8. Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks
  9. Attacks on Critical Infrastructure, SCADA and operational technology systems and Wireless networks
  10. Attacks on applications such as E-Governance, E-Commerce etc.
  11. Data Breach
  12. Data Leak
  13. Attacks on Internet of Things (IoT) devices and associated systems, networks, software, servers
  14. Attacks or incidents affecting Digital Payment systems
  15. Attacks through Malicious mobile Apps
  16. Fake mobile Apps
  17. Unauthorised access to social media accounts
  18. Attacks or malicious/ suspicious activities affecting Cloud computing systems/servers/software/applications
  19. Attacks or malicious/suspicious activities affecting systems/ servers/ networks/ software/ applications related to Big Data, Blockchain, virtual assets, virtual asset exchanges, custodian wallets, Robotics, 3D and 4D Printing, additive manufacturing, Drones
  20. Attacks or malicious/ suspicious activities affecting systems/ servers/software/ applications related to Artificial Intelligence and Machine Learning

Why has CERT-In issued these new directions?

“During the course of handling cyber incidents and interactions with the constituency, CERT-In has identified certain gaps causing hindrance in incident analysis. To address the identified gaps and issues so as to facilitate incident response measures, CERT-In has issued directions relating to information security practices, procedure, prevention, response and reporting of cyber incidents under the provisions of sub-section (6) of section 70B of the Information Technology Act, 2000,” the press release from CERT-In said.

Also Read:

Have something to add? Post your comment and gift someone a MediaNama subscription.

Written By

Free Reads


This should facilitate quicker settlement of funds for merchants and also boost user confidence in digital payments, RBI Governor said.


While Chandrasekhar said the advisory doesn't include startups, the advisory itself does not make any such classification based on platform sizes.


The case dates back to 2019 when Spotify filed a complaint against Apple's anti-steering rules which prevented apps like Spotify from informing their users...

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



NPCI CEO Dilip Asbe recently said that what is not written in regulations is a no-go for fintech entities. But following this advice could...


Notably, Indus Appstore will allow app developers to use third-party billing systems for in-app billing without having to pay any commission to Indus, a...


The existing commission-based model, which companies like Uber and Ola have used for a long time and still stick to, has received criticism from...


Factors like Indus not charging developers any commission for in-app payments and antitrust orders issued by India's competition regulator against Google could contribute to...


Is open-sourcing of AI, and the use cases that come with it, a good starting point to discuss the responsibility and liability of AI?...

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ