India's computer and emergency response team, CERT-In, on Thursday published new guidelines that require service providers, intermediaries, data centers, and government entities to compulsorily report cybersecurity incidents, including data breaches, within six hours.
"Any service provider, intermediary, data center, body corporate and Government organization shall mandatorily report cyber incidents [...] to CERT-In within six hours of noticing such incidents or being brought to notice about such incidents," the government said in a release.
The types of incidents that come under the ambit include, inter alia, compromise of critical systems, targeting scanning, unauthorized access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances like routers and IoT devices.
The government said it was taking these steps to ensure that requisite indicators of compromise (IoC) associated with the security events are readily available at hand to "carry out the analysis, investigation and coordination as per the process of law."
The directions also instruct concerned organizations to synchronize ICT system clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL), maintain logs of ICT systems for a rolling period of 180 days, and require VPN service providers to retain information like names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years.
Additionally, the rules, which will take effect in 60 days' time, call for virtual asset service, exchange, and custodian wallet providers to keep records on Know Your Customer (KYC) and financial transactions for a period of five years.
"These directions shall enhance overall cyber security posture and ensure safe and trusted Internet in the country," India's Ministry of Electronics and Information Technology (MeitY) said in a statement.