I can think of many organisations where even getting management sign-off within 6 hours is nigh on impossible, let alone submitting a report to a regulator. Expect pushback in India. Oh, and if you’re based outside of India, think about how this might affect your India-based suppliers…:
[…] A notable aspect of CERT-In’s directive is that organisations will have to report even attempted cyber-attacks within six hours. Such incidents range from phishing attacks, in which scamsters send fraudulent messages or emails to steal personal information, to denial-of-service attacks, in which unmanageable traffic is flooded onto a computer resource to make it inaccessible.
To clarify these issues, CERT-In issued a set of frequently asked questions (FAQs) in May. Through these FAQs, they limited the scope of reportable incidents to “incidents of severe nature”. However, it did not define the threshold of this severity, leaving it open to wide interpretation. Large digital platforms are subjected to a high volume of cyber-attacks on a daily basis. They face hundreds of thousands of cyber-attacks every day. In the absence of a clear, unambiguous stipulation, such a reporting requirement becomes onerous.