On April 28, 2022, India issued new guidance relating to “information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet.” Notably, the guidance requires “service providers, intermediary, data centre, body corporate and Government organizations” to report cyber incidents to India’s Computer Emergency Response Team (“CERT-In”) within six hours of noticing such incidents or being notified about such incidents. Before this guidance, notification of a cyber incident was required “within a reasonable time” after occurrence or discovery.

A “cyber incident” is defined under the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules as “any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.”

Examples of cyber incidents that must be reported to CERT-In include, among others: targeted scanning/probing of critical networks/systems; compromise of critical systems/information; unauthorized access to IT systems/data; defacement of website or intrusion into a website and unauthorized changes (such as inserting malicious code links to external websites); malicious code attacks (such as the spreading of viruses, worm, trojan, bots, spyware, ransomware or cryptominers); attacks on servers (such as database, mail DNS and network device); identity theft, spoofing and phishing attacks; data breach; data leak; and attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications.

The new guidance will enter into force after 60 days from the date on which it was issued.