Cybersecurity experts have raised concerns around the recently announced standards by the Indian Computer Emergency Response Team.
0n 28 April 2022, the Indian Computer Emergency Response Team (CERT-In) issued directives that, among other things, require entities to report cybersecurity incidents to the agency within six hours and maintain IT logs and communications for six months. The directives, to be effective from 27 June 2022, are applicable to all service providers, intermediaries, data centres, corporate bodies, and government organisations.
Some Indian cybersecurity practitioners say the six-hour incident reporting mandate is unnecessarily short and does not compare to the global standards. Jaspreet Singh, clients and markets leader at auditing firm Grant Thornton, notes that mature markets have reporting guidelines of 24 hours to 72 hours.