CYBER SECURITY LAW IN INDIA: SUMMARY OF REPORTING OBLIGATIONS | ||||
Reporting Entity | Type of Security Incident | Entity to Report to | Mode of Reporting | Timeline for Reporting |
GENERAL REPORTING | ||||
All companies (Note: A general obligation is imposed on all companies to report incidents to the Indian Computer Emergency Response Team (“CERT-In”) in the manner provided in this table. Additional reporting obligations may apply, depending on how an entity is regulated.) | Certain cyber security incidents of severe nature to be mandatorily reported, such as denial of service, distributed denial of service attacks, intrusion, spread of computer contaminant including: ransomware on any part of the public information infrastructure including backbone network infrastructure; data breaches or data leaks; large-scale or most frequent incidents such as intrusion into computer resource, websites, etc.; cyber incidents impacting safety of human beings (collectively, “Prescribed Security Incidents”). All other security incidents. | CERT-In | Email (incident@cert-in.org.in) Phone (1800-11-4949) Fax (1800-11-6969) Incident response form: https://www.cert-in.org.in/PDF/certinirform.pdf | 6 hours upon receipt of knowledge of Prescribed Security Incident. Without undue delay for all other security incidents (however no specific prescribed timeline). |
All organisations that have “protected systems”, as designated by the government under Section 70 of the Information Technology Act, 2000 | Security incidents that impact protected systems. | National Critical Information Infrastructure Protection Centre (“NCIIPC”) | Email (ir@nciipc.gov.in) Phone (1800114430) Incident report form: https://nciipc.gov.in/documents/Incidence_Report_Form.pdf | No prescribed timeline |
AADHAAR REPORTING | ||||
Requesting entities under the Aadhaar (Authentication and Offline Verification) Regulations, 2021 | Misuse of information or systems related to the Aadhaar framework or any compromise of Aadhaar related information or systems within the network. Identified fraud cases and patterns through fraud analytics systems related to Aadhaar authentication. | Unique Identification Authority of India (“UIDAI”) UIDAI and Aadhaar number holders | No prescribed mode of reporting. | Without undue delay (however, no specific prescribed timeline). |
Offline verification seeking entities under the Aadhaar (Authentication and Offline Verification) Regulations, 2021 | Misuse of information or systems related to the Aadhaar framework or any compromise of Aadhaar related information or systems within the network. Identified fraud cases and patterns through fraud analytics systems related to Aadhaar authentication. | UIDAI and Aadhaar number holders UIDAI and Aadhaar number holders | No prescribed mode of reporting. | 72 hours upon knowledge of incident. |
PENSION FUND REGULATORY AND DEVELOPMENT AUTHORITY REPORTING | ||||
Registered intermediaries under the National Pension System | Cyber incidents and cyber security incidents of severe nature (such as denial of service, distributed denial of service, intrusion, spread of computer contaminant including: Ransomware on any part of the public information infrastructure including backbone network infrastructure; Data breaches or data leaks; Large-scale or most frequent incidents such as intrusion into computer resource, websites, etc.; Cyber incidents impacting safety of human beings) (collectively, “Prescribed Security Incidents”). All other security incidents. | CERT-In | No prescribed mode of reporting. | 6 hours upon receipt of knowledge of Prescribed Security Incident. No prescribed timeline for other security incidents. |
SECURITIES AND EXCHANGE BOARD OF INDIA (“SEBI”) REPORTING | ||||
Stock Brokers and Depository Participants | Cyber-attacks, threats, cyber-incidents, and breaches. | SEBI, Stock Exchanges, and Depositories CERT-In | Email (For SEBI: sbdp-cyberincidents@sebi.gov.in) Form for reporting: https://www.sebi.gov.in/legal/circulars/oct-2019/cyber-security-and-cyber-resilience-framework-for-stock-brokers-depository-participants-clarifications_44662.html | 6 hours upon noticing or detection of the incident. |
All Mutual Funds, all Asset Management Companies (“AMCs”), all Trustee Companies, Boards of Trustees of Mutual Funds, and Association of Mutual Funds in India (“AMFI”) | Cyber-attacks, threats, cyber-incidents, and breaches. | SEBI, CERT-In | Email (For SEBI: vapt_reports@sebi.gov.in and cybersecurity_amc@sebi.gov.in) | 6 hours upon noticing or detection of the incident. |
Portfolio Managers | Cyber-attacks, threats, cyber-incidents, and breaches. | SEBI, CERT-In | Email (For SEBI: vapt_reports@sebi.gov.in and cybersecurity_pms@sebi.gov.in) | 6 hours upon noticing or detection of the incident. |
Qualified Registrars to an Issue and Share Transfer Agents | Cyber-attacks, threats, cyber-incidents, and breaches. | SEBI, CERT-In | Email (For SEBI: rta@sebi.gov.in) Form for reporting: https://www.sebi.gov.in/legal/circulars/jul-2022/modification-in-cyber-security-and-cyber-resilience-framework-of-qualified-registrars-to-an-issue-and-share-transfer-agents-qrtas-_60605.html | 6 hours upon noticing or detection of the incident. |
KYC Registration Agencies | Cyber-attacks, threats, cyber-incidents, and breaches. | SEBI, CERT-In | Email (For SEBI: kra@sebi.gov.in) Form for reporting: https://www.sebi.gov.in/legal/circulars/jul-2022/modification-in-cyber-security-and-cyber-resilience-framework-of-kyc-registration-agencies-kras-_60562.html | 6 hours upon noticing or detection of the incident. |
Stock Brokers, Depository Participants, Mutual Funds, AMCs, Portfolio Managers, Qualified Registrars to an Issue, Share Transfer Agents, and KYC Registration Agencies whose systems have been identified as “protected systems” by the NCIIPC | Cyber-attacks, threats, cyber-incidents, and breaches. | NCIIPC SEBI, Stock Exchanges, and Depositories CERT-In (depending on reporting requirements) | Email to NCIIPC (ir@nciipc.gov.in) along with the relevant email to SEBI as provided above. | 6 hours upon noticing or detecting the incident (no timeline prescribed for reporting to NCIIPC). |
All Stock Brokers | Technical glitches occurring in Stock Brokers’ trading systems. | Stock Exchanges | Incident report containing date and time of the incident, the details of the incident, effect of the incident and the immediate action taken to rectify the problem via email (infotechglitch@nse.co.in). | As per the cybersecurity regulations in India, Stock Exchanges must be informed within 1 hour of occurrence of the technical glitch. In line with the cybersecurity rules in India, a preliminary incident report must be submitted within one day from the date of incident. |
INSURANCE REGULATORY AND DEVELOPMENT AUTHORITY REPORTING | ||||
All Insurers including Foreign Reinsurance Branches and Insurance Intermediaries including Brokers, Corporate Agents, Web Aggregators, TPAs, IMFs, Insurance Repositories, ISNP, Corporate Surveyors, MISPs, CSCs, and the Insurance Information Bureau of India (“IIB”) | A “Security Incident” or “Operational Incident”, i.e., any adverse event where: the IT resource is attacked or threatened with an attack; accessed, monitored, or modified without authorisation; is used in a manner inconsistent with internal or regulatory policy resulting in a real or possible loss of confidentiality, integrity or availability of the IT resource or information. Examples of Security Incidents are: internal or external attempts (either failed or successful) to gain unauthorised access to the IT system or its data; data leakage policy violations; attempts (either failed or successful) to gain access to blocked sites as per proxy rules; denial of service or unauthorised disruption to IT system and infrastructure; actual or suspected loss of proprietary, confidential, or entrusted information of the organisation; changes to system hardware, firmware, or software characteristics without due authorisation, instruction or consent from the organisation; malicious code (such as viruses and Trojan horses) attacks; social engineering attacks; signature update failure; hoaxes, i.e., deliberate trickery intended to gain an advantage (e.g. false virus warnings may lead some users to ignore all virus warning messages, leaving them vulnerable to a genuine, destructive virus). Examples of Operational Incidents are: firewall hardware failure; anti-virus appliance hardware failure; IDS hardware failure. | CERT-In | Email (incident@cert-in.org.in) Phone (1800-11-4949) Fax (1800-11-6969) A copy of the incident report submitted to CERT-In must be shared with the IRDAI. | 6 hours upon receipt of knowledge of Prescribed Security Incident (as provided above). Without undue delay for all other Security Incidents and Operational Incidents (however no specific prescribed timeline). |
RESERVE BANK OF INDIA (“RBI”) REPORTING | ||||
All Banks | Information security incidents such as: Outage of critical IT systems (e.g. internet banking systems, ATMs, payment systems such as SWIFT, RTGS, NEFT, NACH, IMPS, etc.); Cyber security incidents (e.g. DDOS, ransomware, data breach, data destruction, etc.); Theft or loss of information (e.g. sensitive customer or business information stolen or missing or destroyed or corrupted); Outage of infrastructure (e.g. power and utilities supply, telecommunications supply, etc.); Financial incidents (e.g. liquidation); Unavailability of staff (e.g. number and percentage on loss of staff and absence of staff from work); Any other incident (e.g. breach of Information Technology Act, 2000 or any other law and regulation). | RBI | No prescribed mode of reporting. Form for reporting: https://rbidocs.rbi.org.in/rdocs/content/pdfs/CSFB020616_AN3.pdf | 2 to 6 hours upon receipt of knowledge of incident. |
All NBFCs (under the Master Direction on Information Technology Framework for the NBFC Sector) | Information security incidents such as: Outage of critical IT systems (e.g. internet banking systems, ATMs, payment systems such as SWIFT, RTGS, NEFT, NACH, IMPS, etc.); Cyber security incidents (e.g. DDOS, ransomware, data breach, data destruction, etc.); Theft or loss of information (e.g. sensitive customer or business information stolen or missing or destroyed or corrupted); Outage of infrastructure (e.g. power and utilities supply, telecommunications supply, etc.); Financial incidents (e.g. liquidation); Unavailability of staff (e.g. number and percentage on loss of staff and absence of staff from work); Any other incident (e.g. breach of Information Technology Act, 2000 or any other law and regulation). | RBI | No prescribed mode of reporting. Form for reporting: https://rbidocs.rbi.org.in/rdocs/content/pdfs/MD52E07062017_AN1.pdf | 24 hours upon receipt of knowledge of incident. |
All Banks (with regards to outsourcing of financial services) | Breach of security and leakage of confidential customer related information. | RBI | No prescribed mode of reporting. | Immediately (no specific timeline prescribed). |
All Co-operative Banks (with regards to outsourcing of financial services) | Breach of security and leakage of confidential customer related information. | RBI | No prescribed mode of reporting. | Immediately (no specific timeline prescribed). |
Payment System Operators (with regards to outsourcing of financial services) | Breach of security and leakage of confidential customer related information. | RBI | No prescribed mode of reporting. | Immediately (no specific timeline prescribed). |
All NBFCs (with regards to outsourcing of financial services) | Breach of security and leakage of confidential customer related information. | RBI | No prescribed mode of reporting. | Immediately (no specific timeline prescribed). |
“Service Providers” under the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 | Cyber security incidents. | Relevant RBI Regulated Entities who avail the Service Provider’s services | No prescribed mode of reporting. | Without undue delay (however no specific prescribed timeline). |
All RBI “Regulated Entities” (with regards to outsourcing of IT services) under the Reserve Bank of India (Outsourcing of Information Technology Services) Directions, 2023 | Cyber security incidents suffered by their Service Providers (please refer above). | RBI | No prescribed mode of reporting. | 6 hours upon notice of or detection of the incident by third-party service provider. |
All Prepaid Payment Instrument Issuers (Banks and Non-banks) and System Participants under the Master Directions on Prepaid Payment Instruments | Cyber security incidents and cyber security breaches. | Department of Payment and Settlement Systems RBI CERT-In | No prescribed mode of reporting. | No timeline prescribed. |
This website is owned and operated by Spice Route Legal, and is exclusively meant to be a source of information on the firm, its practice areas, and its members.