Reporting a security breach within six hours – is it or is it not feasible?

The six-hour window to report cybersecurity breaches mandated by CERT-In is seen as a measure to put a check on ever-growing cyber-attacks. But is reporting alone enough?
While many other developed nations demand that a security breach of any kind be reported within 48 to 72 hours, CERT-In (Indian Computer Emergency Response Team), a central government body which collects all the information regarding what types of cyber-attacks are occurring, has set a highly aggressive deadline of 6 hours.
Failure to follow the CERT-In Directions may result in up to a year in jail, a fine of up to INR 100,000, or both. For any organization found to have willingly defaulted in reporting, sub-section (7) of section 70B of the IT Act 2000 states that “Any service provider, intermediaries, data centers, body corporate or person who fails to provide the information called for or comply with the direction under sub-section (6), shall be punishable with imprisonment for a term which may extend to one year or with fine which may extend to one lakh rupees or with both.”
The Directive means that organizations must set up a monitoring system to detect cybersecurity issues, besides employing a highly trained incident response team and having an incident response strategy. It also allows CERT-In to check whether companies have incident response in place to track and analyze any cybersecurity breaches.
Additionally, it helps organizations keep records of attacks and later look at what kind of data has been breached and might be at risk; this could be data belonging to companies or direct users.
“The new guidelines by the government are clear markers of India's steps to curb the slew of cyber attacks plaguing both public and private sectors. The short window of reporting, too, is indicative of the seriousness with which this rampant problem is being addressed and documented in the country,” says Naman Shah, CEO and Founder, NowPurchase, a company that handles transparent & efficient procurement for foundries. “The new guidelines will act as a barometer for us to gauge our response and preparedness for any such eventuality, and ultimately fortify Indian cyber defenses as a whole.”
“Reporting security incidents in due time helps stakeholders and impacted individuals to take suitable measures to minimize the impact,” agrees Swapnil Naik - Senior Director of Engineering at AFour Technologies. “But while reporting is essential, the organization must set up a steering committee that drives the security and risk management programs to reduce the risk of security breaches to an acceptable level.”
Swapnil, however, feels that the new CERT-In guidelines are not reasonable and would lead to more difficulty in doing business. “Considering the sensitivity of the data and the prevailing privacy laws, analyzing these issues and identifying data that is permissible to share in such a short window is a tedious task. Given such complexity, it will adversely impact revenue and customer trust if legalities are violated,” he says.
“Over the last couple of years, events like the pandemic, the strained China-India relationship, and various other events led to an increase in cross-border cyber-attacks,” observes Sandip Kumar Panda, CEO & Co-Founder of Instasafe Technologies. “As per Govt data, there is nearly a 3x increase in cyberattacks in the year 2021 compared to the year 2020. The major victims of cyberattacks are small and medium businesses, and often these cyberattacks can completely wipe out businesses.”
He further adds, “Reporting may not be the only solution for such a large country and its businesses, but better visibility of cybersecurity incidents at a consolidated level gives a central body like CERT-In better information to act on.”
CERT-In Directives vs global mandates
CERT-In has, however, clarified in its directions that only cybersecurity incidents of a severe nature, data breaches, and large-scale, high-impact incidents need to be reported within six hours. After a breach is reported, CERT-In would further investigate and analyze it, then provide directives so that organizations can take appropriate precautionary measures.
Surprisingly, many Indian organisations lack specialist cybersecurity tools and professionals to comply with CERT-In’s requirements.
In Europe, a security breach under GDPR is to be reported within 72 hours. A GDPR data breach report must also include records of the work that has been done to prevent the breach, the estimated impact of the breach, forensic details and a remediation plan, and all regulators and individuals affected by the breach must be informed within 72 hours. This is much more intensive than CERT-In reporting, which requires only that incidents be reported within 6 hours.