Everything You Need to Know About India’s New CERT-In Cyber Incident Reporting Guidelines | Ankura
On 28th April 2022, Computer Emergency Response Team India (CERT-In), a functional organization under the Ministry of Electronics and Information Technology (MeitY), Government of India, issued instructions under subsection (6) of section 70B of the Information Technology Act 2000 relating to information security practices, procedures, prevention, response and reporting of cyber incidents for a safe and reliable Internet. 
The instructions are issued to increase and strengthen cyber security in the country. The guidelines will come into effect on June 27, 2022 (60 days from the date of issue).
- Synchronization of clocks to NIC NTP servers – This applies to all service providers, intermediaries, data centers, legal persons and governmental organizations. For servers and infrastructure hosted in India, clocks can be synchronized with the following:
  - National Informatics Centre (NIC):
  - National Physical Laboratory (NPL):
  - For servers and infrastructure outside India, clocks can be synchronized with the nearest server that provides atomic time, for example via https://pool.ntp.org/
  - When storing logs of any device, application, database, etc., record local time and UTC time in separate columns where possible, with the time zone noted next to the timestamp.
- Report cyber incidents to CERT-In within 6 hours – While many other developed countries expect incidents to be reported within 48-72 hours, CERT-In has set a very aggressive 6-hour reporting deadline. This means that companies should have a monitoring mechanism in place to identify cyber security incidents, together with a well-equipped incident response team and an incident response plan. Relevant stakeholders must be notified immediately in the event of a suspected security breach, and they must be able to triage alerts and rule out false positives. A readiness assessment can help verify whether the deadline can be met.
- Point of contact (POC) to interact with CERT-In – Companies must designate a point of contact with whom CERT-In can communicate for any information. CERT-In has also provided a format in which this information should be submitted.
- Maintaining logs for 180 days – All companies must keep logs in India for a continuous period of 180 days. This means companies need to review their log management policies, device and application logging capabilities, secure log storage, and accessibility. An assessment to validate these points is important for all organizations to ensure compliance. Companies may have India-related data hosted in overseas data centers, in which case the logs must be replicated in India.
- It is also important to convey these obligations to suppliers and customers who process/store data so that in the event of a breach, they can comply with the guidelines.
- Additional obligations for data centers, virtual private server (VPS) providers, cloud service providers and virtual private network (VPN) service providers:
  - In addition to the requirements detailed above, CERT-In has provided a list of data points that must be retained by data centers and server vendors for a period of 5 years or more.
  - Virtual asset service providers, virtual asset exchange providers and custodial wallet providers must retain KYC details for 5 years.
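The timestamp requirement above (local time and UTC in separate columns, with the zone next to the local value) is easy to get wrong in application logs. The following is an added example, not code from the original article or from CERT-In: a Python logging formatter that emits both timestamps as JSON fields, plus a check that can be run over stored entries to confirm the two columns describe the same instant. India Standard Time is assumed as the local zone and modelled as a fixed offset.

```python
import json
import logging
from datetime import datetime, timedelta, timezone

# Assumed local zone: India Standard Time as a fixed +05:30 offset (no DST),
# so the example needs no tz database.
IST = timezone(timedelta(hours=5, minutes=30), "IST")


class DualTimestampFormatter(logging.Formatter):
    """Render each record as one JSON line with local and UTC time in
    separate fields; the local value carries its offset and a zone label."""

    def __init__(self, local_tz=IST):
        super().__init__()
        self.local_tz = local_tz

    def format(self, record):
        utc_dt = datetime.fromtimestamp(record.created, tz=timezone.utc)
        local_dt = utc_dt.astimezone(self.local_tz)
        return json.dumps({
            "ts_local": local_dt.isoformat(timespec="milliseconds"),
            "tz": local_dt.tzname(),
            "ts_utc": utc_dt.isoformat(timespec="milliseconds"),
            "level": record.levelname,
            "logger": record.name,
            "message": record.getMessage(),
        })


def render(message, created, level=logging.INFO, local_tz=IST):
    """Format one constructed record at a pinned epoch time; returns the parsed line."""
    record = logging.LogRecord("auth", level, "demo.py", 0, message, None, None)
    record.created = created  # pin the time so the output is reproducible
    return json.loads(DualTimestampFormatter(local_tz).format(record))


def timestamps_agree(entry):
    """Validation check for stored logs: both columns must name the same instant."""
    local_dt = datetime.fromisoformat(entry["ts_local"])
    utc_dt = datetime.fromisoformat(entry["ts_utc"])
    if local_dt.tzinfo is None or utc_dt.tzinfo is None:
        return False  # a naive timestamp cannot be reconciled across zones
    return local_dt == utc_dt  # aware datetimes compare as instants


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(DualTimestampFormatter())
    log = logging.getLogger("auth")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info("failed login for user %s from %s", "alice", "10.0.0.5")  # constructed sample
```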
CERT-In has also provided a list of cyber security incidents and the details, such as email ID, phone number and fax number, to which incidents should be reported.
With limited time, it is important for businesses to review and validate their IT infrastructure and logging capabilities so that they are compliant with the guidelines.