India’s CERT-In published new guidelines that require service providers, intermediaries, data centers, and government entities to compulsorily report cybersecurity incidents, including data breaches, within six hours.
The types of incidents include, inter alia, compromise of critical systems, targeted scanning, unauthorized access to computers and social media accounts, website defacements, malware deployments, identity theft, DDoS attacks, data breaches and leaks, rogue mobile apps, and attacks against servers and network appliances like routers and IoT devices.
The government said it was taking these steps to ensure that requisite indicators of compromise associated with the security events are readily available at hand to carry out analysis, investigation and coordination as per the process of law.
The directions also instruct concerned organizations to synchronize ICT system clocks to the Network Time Protocol (NTP) Server of the National Informatics Centre (NIC) or National Physical Laboratory (NPL) and to maintain logs of ICT systems for a rolling period of 180 days, and they require VPN service providers to retain information like names, addresses, phone numbers, emails, and IP addresses of subscribers for a minimum of five years.
These rules, which will take effect in 60 days’ time, call for virtual asset service, exchange, and custodian wallet providers to keep records on KYC and financial transactions for a period of five years.