Data Privacy Newsletter – India: Regulatory Reporting Requirements for Cyber Incidents and Data Breaches (July 2024)

Cyber Incidents and Data Breaches in India

The Indian Computer Emergency Response Team (“CERT-In”), in its annual report for the year 2022, stated that it handled close to 14 lakh cyber incidents that year. Further, in 2023, according to private cybersecurity agencies, India was ranked among the top 5 countries affected by data breaches, with over 5.3 million accounts breached.

The Indian legal landscape for data protection and cybersecurity has evolved rapidly over the past few years to address the increasing threat to individuals and national security in the digital environment.

Overarching Reporting Requirements for All Businesses 

Currently, India has certain overarching mandatory legal obligations that apply to any and all businesses; no legal entity or body corporate is exempt from the requirement to report cyber incidents and data breaches to the authorities.

One of the first major changes to the Indian regulatory framework for reporting was introduced by the CERT-In Directions issued on April 28, 2022 (“CERT-In Directions”), which made it mandatory for all entities to report cyber security incidents within 6 hours of becoming aware of them. The CERT-In Directions contain additional compliance obligations as well as a detailed procedure for reporting a cyber security incident.

The latest Digital Personal Data Protection Act, 2023 (“DPDPA 2023”), enacted on August 11, 2023, also makes it mandatory to report data breaches involving personal data to the new regulator (the Data Protection Board of India) as well as to the affected individuals. These revised legal obligations are backed by hefty fines of up to INR 200 Crores solely for failure to report data breaches under the DPDPA 2023. The process and timelines for reporting data breaches are yet to be notified by the Government.

Sector-Specific Reporting Requirements

There are also sector-specific rules issued by regulators and agencies, which are as follows (please note that the list is non-exhaustive; there may be other timelines for specific sectors):

  • Securities Exchange Board of India (“SEBI”): All SEBI-regulated entities have been instructed to report all cyberattacks, threats, and breaches experienced by them within 6 hours of detecting such incidents to SEBI and CERT-In. Additionally, the Stockbrokers / Depository Participants, whose systems have been identified as “Protected Systems” are also required to report the incident to the National Critical Information Infrastructure Protection Centre (NCIIPC).
  • Reserve Bank of India (“RBI”): All banks are required to report incidents within 2-6 hours of becoming aware, while non-banking financial companies are required to report the incidents within 24 hours.
  • Insurance Regulatory and Development Authority of India (“IRDAI”): All IRDAI-regulated entities are directed to scrupulously follow the provisions regarding reporting of incidents to IRDAI and CERT-In within 6 hours of becoming aware. Further, regulated entities are required to additionally submit available details of cyber security incidents to the IRDAI in a specified format within 24 hours of intimation of the incident.
  • Aadhaar Information: The requesting entity, along with the offline verification-seeking entities, is obligated to report any breach of Aadhaar-related data or its misuse without undue delay to the Unique Identification Authority of India and the affected Aadhaar number holders. Additionally, the offline verification-seeking entities are obligated to report the breach in no case later than 72 hours.

Conclusion

Given the evolving requirements to report cyber security incidents and data breaches in India, it is important to formulate internal reporting policies, identify the stakeholders, and ensure that all incidents are reported within the specified timelines.

[Figure: Process Flow for Reporting a Cyber Security Incident to Government Authorities in India]
