July 4, 2022

Volume XII, Number 185

Advertisement
Advertisement

India to Require Cybersecurity Incident Reporting Within Six Hours

On April 28, 2022, India issued new guidance relating to “information security practices, procedure, prevention, response and reporting of cyber incidents for Safe & Trusted Internet.” Notably, the guidance requires “service providers, intermediary, data centre, body corporate and Government organizations” to report cyber incidents to India’s Computer Emergency Response Team (“CERT-In”) within six hours of noticing such incidents or being notified about such incidents. Before this guidance, notification of a cyber incident was required “within a reasonable time” after occurrence or discovery.

A “cyber incident” is defined under the Information Technology (The Indian Computer Emergency Response Team and Manner of performing functions and duties) Rules as “any real or suspected adverse event in relation to cybersecurity that violates an explicitly or implicitly security policy resulting in unauthorized access, denial of service or disruption, unauthorized use of a computer resource for processing or storage of information or changes to data, information without authorization.”

Examples of cyber incidents that must be reported to CERT-In include, among others: targeted scanning/probing of critical networks/systems; compromise of critical systems/information; unauthorized access to IT systems/data; defacement of website or intrusion into a website and unauthorized changes (such as inserting malicious code links to external websites); malicious code attacks (such as the spreading of viruses, worm, trojan, bots, spyware, ransomware or cryptominers); attacks on servers (such as database, mail DNS and network device); identity theft, spoofing and phishing attacks; data breach; data leak; and attacks or malicious/suspicious activities affecting cloud computing systems/servers/software/applications.

The new guidance will enter into force after 60 days from the date on which it was issued.

Copyright © 2022, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume XII, Number 122
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct
Advertisement
Advertisement
Advertisement