India’s mandate on a “six-hour” window for companies to notify authorities about cyber breaches is now in force under sweeping new regulations declared by the country’s Computer Emergency Response Team, CERT-In.
The regulation applies to “service providers, intermediaries, data centres, body corporate and government organisations” and will come into force 60 days from 28 April.
iTnews reported that these bodies will have to make their reports to CERT-In “within six hours of noticing such incidents or being brought to notice about such incidents”.
The regulation also requires organisations to provide assistance to CERT-In, as well as “information or any such assistance to CERT-In, which may contribute towards cyber security mitigation actions and enhanced cyber security situational awareness”.
Organisations are also instructed to appoint a single point of contact for communicating with CERT-In, and to maintain logs on all ICT systems, which must be kept in a secure form for 180 days.
The regulation also imposes wide-ranging record-keeping on services, including data centres, virtual private server (VPS) providers, cloud service providers, and VPN services.