Cyber Law Academy
Part 13.3

Incident Reporting - 6-Hour Rule

"Time is Critical in Cybersecurity"

Mandatory 6-hour reporting timeline, 20 incident types, CERT-In portal usage, reporting format, escalation matrix, and practical documentation requirements.

3.1 6-Hour Rule - Understanding the Timeline

Critical: 6-Hour Clock Starts from "Noticing"

Important Clarification: The 6-hour window begins from the moment the incident is "noticed" by the organization or is brought to its notice (for example by a customer, a vendor, or CERT-In itself), NOT from when it occurred.

Example: If a breach occurred at 2:00 AM but was detected at 10:00 AM, the 6-hour deadline is 4:00 PM (not 8:00 AM).

Implication: The window is six hours however early or late the incident is noticed, so better monitoring does not buy extra reporting time. What it buys is a shorter gap between occurrence and detection: less attacker dwell time, and a smaller difference between the "date and time of occurrence" and "date and time of detection" fields that CERT-In sees in the report. The clock also runs through nights, weekends and holidays.

Hour 0 - Incident Detected: SOC/SIEM alert, user report, or third-party notification (including a notice from CERT-In itself) triggers incident awareness. The safe practice is to treat the first credible alert as Hour 0 rather than waiting for triage to confirm it.
Hour 0-1 - Initial Assessment: Confirm incident validity, classify incident type (from the 20 categories), assess severity.
Hour 1-3 - Containment Actions: Isolate affected systems at the network level rather than powering them off, preserve evidence (volatile data first), begin log collection.
Hour 3-5 - Report Preparation: Gather required information, complete the incident report form, obtain internal approvals.
Hour 5-6 - CERT-In Submission: Submit report via portal/email, confirm receipt, save the acknowledgment. Treat this slot as the latest acceptable time, not the target: submit as soon as the organization and incident details are known, and send technical details as an update.
3.2 Reporting Channels and Format

CERT-In Reporting Channels
Channel         Details                        Use Case
Online Portal   https://www.cert-in.org.in     Primary reporting method
Email           incident@cert-in.org.in        Alternative/backup method
Phone           1800-11-4949 (Toll Free)       Urgent incidents, follow-up
Fax             1800-11-6969                   Documentation backup

Mandatory Information in Incident Report

Organization Details:

1. Organization name, address, sector

2. Point of Contact (POC) - Name, designation, mobile, email

3. Alternate POC details

Incident Details:

4. Incident type (from 20 categories)

5. Date and time of occurrence

6. Date and time of detection

7. Systems affected (IP addresses, hostnames)

8. Initial impact assessment

Technical Details:

9. Attack vectors identified

10. Indicators of Compromise (IOCs)

11. Immediate actions taken

12. Evidence preserved (log files, memory dumps)
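The following script is an added example for Parts 3.1 and 3.2 of this page; it is not the course's own material or a CERT-In tool. It computes the deadline from the detection time (never the occurrence time), names the timeline phase the response is in, and lists which of the twelve mandatory fields a draft report still lacks, so the gap that caused the follow-up queries in Case Study 2 is caught before submission. The phase boundaries follow the Part 3.1 timeline, the field names follow the Part 3.2 list, and the function names and sample incident are assumptions made for illustration.

```python
"""Track the CERT-In six-hour reporting clock and check a draft report for gaps.

Added example for Parts 3.1 and 3.2 of this page; not the course's own
material or a CERT-In tool. Function names and the sample incident are
assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
REPORTING_WINDOW = timedelta(hours=6)

# (start hour, end hour, activity) after detection, from the Part 3.1 timeline.
PHASES = [
    (0, 1, "Initial assessment"),
    (1, 3, "Containment and evidence preservation"),
    (3, 5, "Report preparation"),
    (5, 6, "CERT-In submission"),
]

# The twelve mandatory fields from Part 3.2, grouped by report section.
MANDATORY_FIELDS = {
    "organisation": ["name", "address", "sector", "poc", "alternate_poc"],
    "incident": ["incident_type", "occurred_at", "detected_at",
                 "systems_affected", "initial_impact"],
    "technical": ["attack_vectors", "iocs", "actions_taken",
                  "evidence_preserved"],
}


def reporting_deadline(detected_at):
    """Deadline is detection ('noticing') plus six hours, never occurrence plus six."""
    if detected_at.tzinfo is None:
        raise ValueError("detection time must be timezone-aware")
    return detected_at + REPORTING_WINDOW


def current_phase(detected_at, now):
    """Name the timeline phase that 'now' falls in, or OVERDUE once six hours have passed."""
    hours = (now - detected_at) / timedelta(hours=1)
    if hours < 0:
        raise ValueError("'now' is before the detection time")
    for start, end, activity in PHASES:
        if start <= hours < end:
            return activity
    return "OVERDUE"


def minutes_remaining(detected_at, now):
    """Whole minutes left on the clock; negative once the deadline has passed."""
    return int((reporting_deadline(detected_at) - now) / timedelta(minutes=1))


def missing_fields(report):
    """List mandatory fields that are absent or empty, as 'section.field'."""
    gaps = []
    for section, fields in MANDATORY_FIELDS.items():
        data = report.get(section, {})
        for field in fields:
            if data.get(field) in (None, "", [], {}):
                gaps.append(f"{section}.{field}")
    return gaps


def report_status(report, now):
    """Deadline, phase, time left and outstanding fields in one dict for the incident commander."""
    detected_at = report["incident"]["detected_at"]
    return {
        "deadline": reporting_deadline(detected_at),
        "phase": current_phase(detected_at, now),
        "minutes_remaining": minutes_remaining(detected_at, now),
        "missing_fields": missing_fields(report),
    }


# Constructed sample: the page's own 02:00 occurrence / 10:00 detection
# example, with the initial impact assessment still blank (cf. Case Study 2).
SAMPLE_REPORT = {
    "organisation": {
        "name": "Example Retail Pvt Ltd", "address": "Mumbai", "sector": "E-commerce",
        "poc": "CISO, +91-00000-00000, ciso@example.in",
        "alternate_poc": "IT Head, +91-00000-00001, it@example.in",
    },
    "incident": {
        "incident_type": "Ransomware attack",
        "occurred_at": datetime(2024, 6, 14, 2, 0, tzinfo=IST),
        "detected_at": datetime(2024, 6, 14, 10, 0, tzinfo=IST),
        "systems_affected": ["10.0.5.21 (fileserver01)"],
        "initial_impact": "",
    },
    "technical": {
        "attack_vectors": ["Phishing e-mail with macro-enabled attachment"],
        "iocs": ["sender attacker@example.net", "C2 host 203.0.113.7"],
        "actions_taken": ["fileserver01 isolated at the switch port, 10:12 IST"],
        "evidence_preserved": ["memory dump of fileserver01", "firewall logs 01:00-10:30 IST"],
    },
}

if __name__ == "__main__":
    now = datetime(2024, 6, 14, 12, 30, tzinfo=IST)
    for key, value in report_status(SAMPLE_REPORT, now).items():
        print(f"{key}: {value}")
```

Run with a real "now" (datetime.now(IST)) from the incident ticket and the status can drive the escalation matrix: OVERDUE or a non-empty missing_fields list with under an hour left is the trigger for the legal team and the approver on call.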

3.3 Sector-Specific Reporting Timelines

Sector            Primary Regulator   Reporting Timeline   Report To
Banking           RBI                 2-6 hours            CERT-In + RBI + IDRBT
Capital Markets   SEBI                6 hours              CERT-In + SEBI
Insurance         IRDAI               6 hours              CERT-In + IRDAI
Telecom           DoT/TRAI            6 hours              CERT-In + DoT
Power             CEA/NCIIPC          Immediate            CERT-In + NCIIPC + CEA
Healthcare        MoHFW               6 hours              CERT-In + Ministry notification
E-commerce        MeitY               6 hours              CERT-In
General IT        MeitY               6 hours              CERT-In

Maharashtra - Parallel Reporting

Criminal Incidents: In addition to CERT-In, file NC/FIR at Maharashtra Cyber

Data Breach: Where personal data is involved, the DPDPA requires the data fiduciary to intimate the Data Protection Board and each affected data principal; that notice is in addition to, not instead of, the CERT-In report

Banking/Finance: Report to RBI Mumbai office

Listed Companies: SEBI disclosure requirements may apply

3.4 Documentation Requirements

Evidence Preservation Checklist

Immediate (within 1 hour):

1. System logs - Firewall, IDS/IPS, application logs

2. Network traffic captures (if feasible)

3. Memory dump of affected systems - capture before any reboot or shutdown, since volatile evidence is lost on power-off; isolate at the network level instead

4. Screenshots of anomalies

Within 24 hours:

5. Full disk images of affected systems

6. User access logs

7. Email headers (for phishing incidents)

8. Malware samples (quarantined)

Ongoing:

9. Timeline documentation

10. Communication records

11. Remediation actions log
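Preserving evidence is only useful if the organization can later show that what it hands to CERT-In, a regulator or a court is what it collected. The script below is an added example, not part of the course material: it records a SHA-256 hash, size, source host, collector and UTC collection time for each artefact as it is gathered, tags it with the collection priority from the checklist above, and re-verifies the hashes on demand. The category names, the manifest layout and the sample log file are constructed for illustration.

```python
"""Chain-of-custody manifest for evidence preserved under the Part 3.4 checklist.

Added example; not from the course page. Category names, manifest layout
and the sample file are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Collection priority for each evidence category, from the Part 3.4 checklist.
PRIORITY = {
    "system_logs": "immediate (within 1 hour)",
    "network_capture": "immediate (within 1 hour)",
    "memory_dump": "immediate (within 1 hour)",
    "screenshot": "immediate (within 1 hour)",
    "disk_image": "within 24 hours",
    "access_logs": "within 24 hours",
    "email_headers": "within 24 hours",
    "malware_sample": "within 24 hours",
}


def sha256_file(path):
    """Hash in 1 MiB chunks so a multi-gigabyte disk image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def new_manifest(incident_id):
    """Start an empty manifest tied to the incident ticket."""
    return {"incident_id": incident_id, "items": []}


def add_evidence(manifest, path, category, source_host, collected_by):
    """Record an artefact at collection time; the hash is what proves it later."""
    if category not in PRIORITY:
        raise ValueError(f"unknown evidence category: {category}")
    entry = {
        "path": os.path.abspath(path),
        "category": category,
        "priority": PRIORITY[category],
        "source_host": source_host,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "size_bytes": os.path.getsize(path),
        "sha256": sha256_file(path),
    }
    manifest["items"].append(entry)
    return entry


def verify_manifest(manifest):
    """Return the paths of items that are missing or no longer match their recorded hash."""
    return [
        item["path"]
        for item in manifest["items"]
        if not os.path.exists(item["path"]) or sha256_file(item["path"]) != item["sha256"]
    ]


def save_manifest(manifest, path):
    """Write the manifest as JSON and return its own hash, to be noted in the incident ticket."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return sha256_file(path)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        log = os.path.join(workdir, "firewall.log")
        with open(log, "w") as fh:  # constructed sample log line
            fh.write("2024-06-14T01:58:12+05:30 DENY 203.0.113.7 -> 10.0.5.21:445\n")
        manifest = new_manifest("INC-2024-0614-01")
        add_evidence(manifest, log, "system_logs", "fw01", "analyst1")
        print("tampered items:", verify_manifest(manifest))
        with open(log, "a") as fh:
            fh.write("edited after collection\n")
        print("tampered items:", verify_manifest(manifest))
        print("manifest hash:", save_manifest(manifest, os.path.join(workdir, "manifest.json")))
```

Store the manifest's own hash somewhere the evidence handlers cannot edit (the ticketing system, a signed e-mail to legal), otherwise an attacker or a careless analyst who can rewrite a log file can rewrite the manifest entry alongside it.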

3.5 Case Studies - Reporting Failures

Case Study 1: Delayed Reporting - Financial Penalty

Scenario: E-commerce company detected ransomware on Friday evening, delayed reporting until Monday.

Consequence: CERT-In issued a show-cause notice; regulatory scrutiny increased; reputation damage followed when the breach became public. Failure to comply with a CERT-In direction is itself an offence under Section 70B(7) of the IT Act, 2000, punishable with imprisonment of up to one year, a fine of up to one lakh rupees, or both.

Lesson: 6-hour rule applies regardless of weekends/holidays. Maintain 24x7 incident response capability.

Case Study 2: Incomplete Information

Scenario: Bank reported phishing attack but omitted number of affected customers and financial loss estimate.

Consequence: Multiple follow-up queries from CERT-In and RBI; extended investigation period; additional compliance burden.

Lesson: Provide complete information even if approximate, marking estimates as estimates; update the report as the investigation progresses rather than holding it back until the figures are final.

Best Practice: Incident Response Plan Template

1. Pre-defined roles and responsibilities

2. Escalation matrix with contact details

3. Pre-approved report templates

4. Communication protocols (internal and external)

5. Legal team involvement triggers

6. Regular drills and tabletop exercises

Key Points - Part 13.3