
The 6-Hour Clock Is Already Running.

CERT-In's 6-hour reporting mandate isn't a deadline you plan for during an incident — it's a deadline you must have already planned for. This is the complete SOP for Indian banks, NBFCs, and payment aggregators.

  • 6 hrs: reporting deadline
  • 44: reportable incident types
  • ₹1L/day: penalty for non-compliance
  • 72 hrs: DPDP parallel clock
The mandate: Under CERT-In's April 2022 Directions (Rule 25(2) of the IT Rules), all organisations — including every bank, NBFC, insurer, and payment aggregator operating in India — must report cyber incidents to CERT-In within 6 hours of becoming aware of them. Failure carries penalties of up to ₹1 lakh per day and, under the RBI framework, potential regulatory enforcement action.

Why BFSI organisations consistently miss this window

  • 68%: miss the 6-hour window because of slow detection
  • 61%: have no pre-built IR contact list
  • 54%: miss the parallel RBI reporting obligation
  • 43%: destroy volatile evidence before capturing it

The 6-hour clock is not a forensics deadline. You are not expected to have completed your investigation. You are expected to notify CERT-In with what you know at the time of detection, then file follow-up reports as the picture becomes clearer. The mistake most BFSI security teams make is waiting until they have the full story.

"The CERT-In reporting obligation begins at detection, not at breach confirmation. Filing an incomplete report on time is better than filing a complete report late."

Hour-by-hour response SOP

This timeline assumes detection at T=0. Adapt to your specific scenario.

0–30 min
DETECT & CONTAIN
  • Trigger Incident Response Plan — notify CISO and IR team
  • Isolate affected systems from the network immediately
  • Preserve volatile evidence: RAM dump, active sessions, logs
  • Classify incident type against the 44 CERT-In reportable categories
  • Open the CERT-In reporting portal (incident.cert-in.org.in)
30–90 min
ASSESS & NOTIFY
  • Confirm the incident is CERT-In-reportable (see category matrix below)
  • Gather preliminary data: attack vector, systems affected, data exposed
  • Notify RBI/SEBI/IRDAI (as applicable) — separate regulatory obligations
  • Engage legal counsel for potential DPDP breach notification
  • Begin CERT-In portal submission — partial report acceptable
90 min–4 hr
REPORT & DOCUMENT
  • Complete CERT-In portal fields (see checklist below)
  • Document timeline with timestamps for every action taken
  • Preserve forensic evidence: disk images, network captures, logs
  • Assess DPDP Act breach notification trigger (72 hours to regulator)
  • Brief board/senior management with preliminary impact assessment
4–6 hr
SUBMIT & ESCALATE
  • Submit completed CERT-In incident report before 6-hour deadline
  • Save submission reference number and PDF receipt
  • Begin RBI / SEBI parallel reporting if mandated by your sector
  • Activate business continuity procedures if services are affected
  • Schedule 24-hour follow-up report with updated forensics
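The timeline above hinges on one fact: every clock starts at detection (T=0), not at breach confirmation, and the CERT-In, follow-up and DPDP clocks run in parallel. The following is an added example, not part of the original SOP, that turns that rule into a small deadline tracker an IR team can run from the first SIEM alert. It assumes the three clock lengths stated in the SOP (6 h initial report, 24 h follow-up, 72 h DPDP notification when personal data is involved) and insists on timezone-aware timestamps, because an IST/UTC mix-up shifts every deadline by five and a half hours:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

IST = timezone(timedelta(hours=5, minutes=30))
UTC = timezone.utc

# Clocks from the SOP, as hours after detection (T=0).
# The DPDP clock only starts if personal data is involved.
CLOCKS = {
    "cert_in_initial_report": 6,
    "cert_in_followup_report": 24,
    "dpdp_board_notification": 72,
}


@dataclass(frozen=True)
class Deadline:
    name: str
    due_utc: datetime
    due_ist: datetime
    remaining: timedelta  # negative once the deadline has passed

    @property
    def overdue(self) -> bool:
        return self.remaining < timedelta(0)


def start_clocks(detected_at: datetime, personal_data_involved: bool,
                 now: Optional[datetime] = None) -> List[Deadline]:
    """Derive every regulatory deadline from the moment of detection.

    detected_at must be timezone-aware: a naive timestamp is rejected because
    an IST/UTC mix-up silently shifts every deadline by 5h30m.
    """
    if detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware (IST or UTC)")
    now_utc = (now or datetime.now(UTC)).astimezone(UTC)
    t0 = detected_at.astimezone(UTC)
    deadlines = []
    for name, hours in CLOCKS.items():
        if name == "dpdp_board_notification" and not personal_data_involved:
            continue
        due = t0 + timedelta(hours=hours)
        deadlines.append(Deadline(name, due, due.astimezone(IST), due - now_utc))
    return deadlines


def start_clocks_iso(detected_iso: str, personal_data_involved: bool,
                     now_iso: str) -> List[Deadline]:
    """Same as start_clocks, for ISO 8601 strings with offsets,
    e.g. '2025-01-15T02:00:00+05:30' (the SIEM alert timestamp)."""
    return start_clocks(datetime.fromisoformat(detected_iso),
                        personal_data_involved,
                        datetime.fromisoformat(now_iso))


def status_lines(deadlines: List[Deadline]) -> List[str]:
    """Human-readable lines for the bridge call or war-room channel."""
    lines = []
    for d in deadlines:
        hours = d.remaining.total_seconds() / 3600
        state = "OVERDUE" if d.overdue else f"{hours:.1f} h remaining"
        lines.append(f"{d.name}: due {d.due_ist.strftime('%Y-%m-%d %H:%M IST')} "
                     f"({d.due_utc.strftime('%H:%M UTC')}), {state}")
    return lines


if __name__ == "__main__":
    # Constructed scenario: SIEM alert at 02:00 IST, status checked at 07:00 IST.
    detected = datetime(2025, 1, 15, 2, 0, tzinfo=IST)
    checked = datetime(2025, 1, 15, 7, 0, tzinfo=IST)
    for line in status_lines(start_clocks(detected, True, now=checked)):
        print(line)
```

Feeding the SIEM alert's own timestamp into `start_clocks_iso` rather than the time an analyst picked up the ticket is the whole point: the report on the page shows teams losing the window between alert and triage, and a tracker seeded at triage time hides that loss.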

Incident categories: what qualifies for CERT-In reporting?

CERT-In lists 20 incident types in its April 2022 Directions. The BFSI sector additionally inherits reporting obligations under RBI's Cybersecurity Framework (2016) and SEBI CSCRF (2024). The categories below are especially common in BFSI contexts:

Incident Category | BFSI Examples | CERT-In Reportable | Priority
--- | --- | --- | ---
Targeted Scanning/Probing | Port scans, vulnerability probes | Yes | High
Compromise of Critical Systems | Banking core, payment switch, SWIFT | Yes | Critical
Website Defacement | Content replaced, phishing injected | Yes | High
Malicious Code (Ransomware) | File encryption, backup deletion | Yes | Critical
Data Breach / Data Theft | Customer PII, account credentials | Yes | Critical
Denial of Service (DoS/DDoS) | Net banking down, API flooding | Yes | High
Phishing / Fraudulent Campaigns | Fake bank emails, credential harvest | Yes | High
Rogue / Botnet Infection | C2 beaconing, lateral movement | Yes | High
Attacks on IoT / OT Systems | ATM tampering, branch network | Yes | High
Unauthorised Access | Privileged account compromise | Yes | Critical
Crypto-Mining Abuse | Compute hijacking on servers | Yes | Medium
Supply Chain / Third-Party Attack | Vendor software backdoor | Yes | Critical
Dual reporting in BFSI: Most regulated entities must report the same incident to BOTH CERT-In (6 hours) AND their sector regulator — RBI (banks/NBFCs/payment aggregators), SEBI (brokers/AMCs/depositories), or IRDAI (insurers). These are separate obligations with different forms and timelines. Reporting to one does not satisfy the other.

CERT-In portal: what you need to fill in

The CERT-In portal is at incident.cert-in.org.in. Have these fields pre-populated in your IR runbook — gathering this data during an active incident under time pressure leads to errors.

Incident Identification
  • Incident date and time (UTC and IST)
  • Date/time of detection
  • How was the incident discovered?
  • Incident type (from approved taxonomy)
  • Incident severity (Critical/High/Medium/Low)

Systems Affected
  • Number of systems / hosts affected
  • IP addresses / hostnames of affected systems
  • Data/services impacted
  • Operating systems and versions
  • Is this internet-facing? (Y/N)

Impact Assessment
  • Nature of data exposed (PII, financial, credentials)
  • Estimated number of data subjects affected
  • Financial impact (if quantifiable at this stage)
  • Operational services disrupted
  • Downstream systems impacted

Initial Remediation
  • Containment actions taken
  • Evidence preservation steps
  • External agencies notified (RBI, SEBI, law enforcement)
  • Estimated time to restore services
  • Point of contact (name, designation, phone, email)
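The advice to pre-populate these fields in the runbook, and to file a partial report rather than wait for full forensics, is easier to follow when the report is a structured object the team fills in as facts arrive. The following is an added example, not code from the original page or from the CERT-In portal (which has no public API this code talks to): it mirrors the four field groups above as dataclasses, reports which fields are still empty, validates the severity value, and decides whether the minimum for a first partial filing is present. That minimum set is an internal runbook choice made for this example, not a CERT-In rule.

```python
import json
from dataclasses import dataclass, field, asdict, fields
from typing import List, Optional

SEVERITIES = ("Critical", "High", "Medium", "Low")


@dataclass
class IncidentIdentification:
    incident_time_utc: Optional[str] = None
    incident_time_ist: Optional[str] = None
    detected_at: Optional[str] = None
    discovered_how: Optional[str] = None
    incident_type: Optional[str] = None      # from the CERT-In taxonomy
    severity: Optional[str] = None           # one of SEVERITIES


@dataclass
class SystemsAffected:
    host_count: Optional[int] = None
    hosts: List[str] = field(default_factory=list)       # IPs / hostnames
    data_services_impacted: Optional[str] = None
    os_versions: List[str] = field(default_factory=list)
    internet_facing: Optional[bool] = None


@dataclass
class ImpactAssessment:
    data_nature: Optional[str] = None        # PII, financial, credentials
    data_subjects_estimate: Optional[int] = None
    financial_impact: Optional[str] = None
    services_disrupted: Optional[str] = None
    downstream_systems: List[str] = field(default_factory=list)


@dataclass
class InitialRemediation:
    containment_actions: List[str] = field(default_factory=list)
    evidence_preserved: List[str] = field(default_factory=list)
    agencies_notified: List[str] = field(default_factory=list)
    restore_eta: Optional[str] = None
    point_of_contact: Optional[str] = None   # name, designation, phone, email


@dataclass
class CertInReport:
    identification: IncidentIdentification = field(default_factory=IncidentIdentification)
    systems: SystemsAffected = field(default_factory=SystemsAffected)
    impact: ImpactAssessment = field(default_factory=ImpactAssessment)
    remediation: InitialRemediation = field(default_factory=InitialRemediation)


# Runbook choice for this example (not a CERT-In rule): the smallest set of
# fields worth filing as the initial partial report inside the 6-hour window.
MINIMUM_FOR_PARTIAL = {
    "identification.detected_at",
    "identification.incident_type",
    "identification.severity",
    "remediation.point_of_contact",
}


def missing_fields(report: CertInReport) -> List[str]:
    """Every 'group.field' that is still None or an empty list."""
    missing = []
    for group in fields(report):
        section = getattr(report, group.name)
        for f in fields(section):
            value = getattr(section, f.name)
            if value is None or value == []:
                missing.append(f"{group.name}.{f.name}")
    return missing


def validation_errors(report: CertInReport) -> List[str]:
    """Sanity checks that catch the errors made under time pressure."""
    errors = []
    sev = report.identification.severity
    if sev is not None and sev not in SEVERITIES:
        errors.append(f"severity must be one of {SEVERITIES}, got {sev!r}")
    hosts, count = report.systems.hosts, report.systems.host_count
    if count is not None and hosts and count < len(hosts):
        errors.append("host_count is smaller than the number of listed hosts")
    return errors


def can_file_partial(report: CertInReport) -> bool:
    return (MINIMUM_FOR_PARTIAL.isdisjoint(missing_fields(report))
            and not validation_errors(report))


def to_submission_json(report: CertInReport) -> str:
    """Serialise for the ticket / runbook and flag whether this is a partial filing."""
    payload = asdict(report)
    payload["missing_fields"] = missing_fields(report)
    payload["partial"] = bool(payload["missing_fields"])
    return json.dumps(payload, indent=2, sort_keys=True)
```

The `missing_fields` list doubles as the agenda for the 24-hour follow-up report: whatever is still empty at submission time is what the forensics team owes the reporting officer next.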

The 6 most common mistakes that trigger enforcement

Based on BFSI incident response engagements, these are the errors that turn a security incident into a regulatory penalty.

  1. Delayed detection — clock doesn't start at breach, it starts at detection (68%)
  2. Reporting only to CERT-In, missing parallel RBI/SEBI obligation (54%)
  3. Incomplete portal submission (waiting for full forensics before reporting) (47%)
  4. No pre-built IR contact list — scrambling for CISO/legal numbers at 2 AM (61%)
  5. Failing to preserve volatile evidence before isolating the system (43%)
  6. No DPDP breach triage alongside CERT-In — separate 72-hour clock (39%)

Source: CreativeCyber incident response survey, 2025. Percentage of BFSI IR teams committing this error.

The DPDP Act parallel clock

If the cyber incident involves a personal data breach — customer PII, financial records, account credentials — the DPDP Act 2023 (Rules 2025) triggers a separate 72-hour notification obligation to the Data Protection Board of India (and potentially to affected data principals). This clock runs concurrently with the CERT-In 6-hour deadline.

Your IR SOP must explicitly split the incident response into two parallel tracks: the CERT-In cybersecurity track and the DPDP Act data breach track. They require different forms, different recipients, and different content.

Action item: If you do not yet have a DPDP Act-aligned breach notification template for data principals (customers), build one now: it is a mandatory DPDP Rules 2025 requirement. The template must include: nature of breach, categories of personal data affected, probable consequences, and measures taken. Penalties for non-notification reach ₹250 crore per incident.

Pre-incident readiness: 10 things to do before the next incident

  1. Register your organisation on the CERT-In portal (incident.cert-in.org.in) before an incident occurs. You cannot create an account during one.
  2. Maintain an up-to-date IR contact list: CISO, legal, RBI/SEBI nodal officer, external counsel, forensics vendor, PR — with mobile numbers.
  3. Map your incident categories to the 20 CERT-In types in advance. Know which of your systems are most likely to be affected and what category that maps to.
  4. Pre-draft partial CERT-In report templates for your 3 most likely incident scenarios (ransomware, data breach, DDoS).
  5. Test your logging infrastructure: can you produce a 30-day log extract within 2 hours? CERT-In requires log retention of 180 days.
  6. Establish your DPDP breach notification workflow separately from the CERT-In workflow — different regulator, different form, different threshold.
  7. Conduct a tabletop exercise simulating a ransomware incident at 2 AM. Run the clock. Find the gaps before CERT-In finds them for you.
  8. Ensure your NDA and vendor contracts include mandatory incident notification to you within 1 hour — supply chain attacks are reportable but your vendor may not know your obligation.
  9. Designate a CERT-In Reporting Officer by name and role — not just a team. This person owns the submission.
  10. Integrate CERT-In reporting triggers into your SIEM/SOAR alerting so the 6-hour clock is automatically flagged at detection, not after triage.
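Item 5 above is the one readiness check that can be scripted before an incident: whether the logging infrastructure actually holds the 180 days CERT-In requires and can yield a 30-day extract on demand. The following is an added example, not part of the original checklist, that audits a directory listing of daily log archives for retention gaps and selects the files for a 30-day extract. The file-naming convention (`<source>-YYYY-MM-DD.log.gz`) and the sample listing are constructed for this example; adapt the regular expression to your own archiver's naming.

```python
import re
from datetime import date, timedelta
from typing import Dict, List

# Assumed naming convention for daily log archives (constructed for this example):
#   <source>-YYYY-MM-DD.log or .log.gz, e.g. corebanking-2025-03-01.log.gz
LOG_NAME = re.compile(r"^(?P<source>[a-z0-9_-]+)-(?P<day>\d{4}-\d{2}-\d{2})\.log(\.gz)?$")


def _days_by_source(filenames: List[str]) -> Dict[str, set]:
    present: Dict[str, set] = {}
    for name in filenames:
        m = LOG_NAME.match(name)
        if not m:
            continue  # README, checksums, etc. are not log days
        present.setdefault(m["source"], set()).add(date.fromisoformat(m["day"]))
    return present


def coverage(filenames: List[str], today: date, required_days: int = 180) -> Dict[str, dict]:
    """Per log source: oldest day held, and the days missing from the
    required retention window (the window ends today, inclusive)."""
    window_start = today - timedelta(days=required_days - 1)
    window = {window_start + timedelta(days=i) for i in range(required_days)}
    report = {}
    for source, days in _days_by_source(filenames).items():
        missing = sorted(window - days)
        report[source] = {
            "oldest": min(days),
            "missing_days": len(missing),
            "first_gap": missing[0] if missing else None,
            "compliant": not missing,
        }
    return report


def extract_window(filenames: List[str], source: str, end: date, days: int = 30) -> List[str]:
    """Filenames for one source covering the `days` days ending on `end`,
    i.e. the list handed to whoever pulls the 30-day extract for CERT-In."""
    start = end - timedelta(days=days - 1)
    chosen = []
    for name in filenames:
        m = LOG_NAME.match(name)
        if m and m["source"] == source and start <= date.fromisoformat(m["day"]) <= end:
            chosen.append(name)
    return sorted(chosen)


def _sample_listing(today: date) -> List[str]:
    """Constructed directory listing: corebanking has 180 days with a
    two-day hole 40 days back; netbanking only started archiving 90 days ago."""
    names = []
    hole = {today - timedelta(days=40), today - timedelta(days=41)}
    for i in range(180):
        d = today - timedelta(days=i)
        if d not in hole:
            names.append(f"corebanking-{d.isoformat()}.log.gz")
        if i < 90:
            names.append(f"netbanking-{d.isoformat()}.log.gz")
    names.append("README.txt")
    return names


SAMPLE_TODAY = date(2025, 6, 30)
SAMPLE_LISTING = _sample_listing(SAMPLE_TODAY)


if __name__ == "__main__":
    for source, row in coverage(SAMPLE_LISTING, SAMPLE_TODAY).items():
        state = "OK" if row["compliant"] else f"{row['missing_days']} days missing, first gap {row['first_gap']}"
        print(f"{source}: oldest {row['oldest']}, {state}")
    print(len(extract_window(SAMPLE_LISTING, "corebanking", SAMPLE_TODAY)), "files in the 30-day extract")
```

Run the same check against a real listing (`os.listdir` of the archive path, or the object keys of an S3/GCS bucket) from a scheduled job, and alert when any source turns non-compliant; a gap discovered during an incident is a gap that cannot be explained to the regulator.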


Automate CERT-In readiness with CreativeCyber

RiskSage — CreativeCyber's AI-native GRC platform — includes a built-in CERT-In 6-hour incident response engine with pre-mapped categories, parallel DPDP breach tracking, and auto-populated portal fields from your asset registry. Learn more about RiskSage or explore the BFSI Incident Response Toolkit.
