Finlabs India

Cyber Incident Response in India: A Basic Guide

Indian companies experienced the highest rate of ransomware attacks in Asia in 2024, with 68% of organizations falling victim [4]. The average cost of a data breach in India reached ₹19.5 crore [3]. 

What happens when an attack succeeds? 

For too many organizations, the answer is chaos. Regulatory deadlines are missed. Evidence is lost. Customer trust evaporates. 

A basic cyber incident response plan is not complicated. It requires clarity, preparation, and alignment with India’s regulatory framework. 

The Regulatory Landscape

Sector-specific regulators (RBI, SEBI, IRDAI, etc.) may impose additional requirements, but two frameworks apply across sectors: the CERT-In directions of 2022 cover service providers, intermediaries, data centres, body corporates and government organisations, and the DPDPA covers any organisation processing digital personal data in India. 

The Five Phases of Incident Response

Phase 1: Prepare

Phase 2: Detect

How incidents are detected: 

  • Automated tools (endpoint detection, IDS) 
  • Employee reports of suspicious activity 
  • Customer complaints about fraud 
  • Vendor notifications 

When alerted: 

  1. Validate whether it is a real incident 
  2. Determine affected systems and data 
  3. Assess business impact 
  4. Log everything: timestamps (in IST, from clocks synchronised to the NIC/NPL NTP servers as the CERT-In directions require), actions taken, and the decisions behind them 

Phase 3: Contain 

Preserve evidence before containment destroys it: capture memory and disk images before isolating, reimaging or powering off a host. Document every containment action, with who did what and when. Regulators will ask. 

Phase 4: Eradicate and Recover

Do not rush. A partially recovered system with remaining malware is a disaster waiting to happen. 

Phase 5: Report and Learn

CERT-In Reporting 

  • Deadline: Within 6 hours of noticing the incident or being brought to notice of it [1] 
  • What: Targeted attacks, unauthorized access, malware, ransomware, data breaches, DoS attacks 

DPDPA Breach Notification 

  • Deadline: Intimate the Data Protection Board without delay, and furnish the detailed report within 72 hours of becoming aware of the breach (the Board may allow longer on a written request) [2] 
  • Also notify each affected individual (data principal) without delay 
  • Penalty for failing to take reasonable security safeguards: Up to ₹250 crore 
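The two clocks above (6 hours from noticing, 72 hours from becoming aware of a personal data breach) and the "log everything" step in Phase 2 are easy to get wrong under pressure, so the following added example shows a small, tamper-evident incident action log that computes both deadlines from timezone-aware timestamps and lets you prove later that no entry was altered or dropped. This is illustrative code written for this guide, not Finlabs' own tooling; the class and function names, the IST-only convention, the hash-chain design and the sample timeline are assumptions, and the sample entries are constructed, not from a real incident.

```python
"""Tamper-evident incident action log with CERT-In / DPDP deadline tracking.

Added example for this guide, not code from the page or from Finlabs.
The 6-hour and 72-hour windows are the ones the article quotes; the
class/function names, IST convention and sample timeline are assumptions.
"""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

IST = timezone(timedelta(hours=5, minutes=30))
CERT_IN_WINDOW = timedelta(hours=6)   # runs from "noticing" the incident
DPDP_WINDOW = timedelta(hours=72)     # runs from becoming aware of a personal data breach
GENESIS = "0" * 64                    # prev-hash of the first entry


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IncidentRecord:
    def __init__(self, incident_id: str, noticed_at: datetime,
                 breach_aware_at: datetime | None = None):
        if noticed_at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        self.incident_id = incident_id
        self.noticed_at = noticed_at
        # The two clocks can differ: you may notice an intrusion hours before
        # confirming that personal data was actually affected.
        self.breach_aware_at = breach_aware_at or noticed_at
        self.entries: list[dict] = []

    def deadlines(self) -> dict[str, datetime]:
        return {
            "cert_in_report_by": self.noticed_at + CERT_IN_WINDOW,
            "dpdp_board_report_by": self.breach_aware_at + DPDP_WINDOW,
        }

    def time_remaining(self, now: datetime | str) -> dict[str, timedelta]:
        """Time left per deadline; negative means it has already passed."""
        if isinstance(now, str):
            now = datetime.fromisoformat(now)
        return {name: due - now for name, due in self.deadlines().items()}

    def log(self, phase: str, action: str, actor: str, at: datetime) -> dict:
        """Append one action; each entry commits to the hash of the previous one."""
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "at": at.astimezone(IST).isoformat(),
            "phase": phase,
            "action": action,
            "actor": actor,
            "prev": prev,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: list[dict]) -> tuple[bool, int | None]:
    """Return (True, None) if intact, else (False, seq of the first bad entry).

    Detects edited fields (hash mismatch), removed entries (seq gap / prev
    mismatch) and reordering.
    """
    prev = GENESIS
    for expected_seq, e in enumerate(entries):
        if e["seq"] != expected_seq or e["prev"] != prev or _digest(e) != e["hash"]:
            return False, e["seq"]
        prev = e["hash"]
    return True, None


def build_sample() -> IncidentRecord:
    """Constructed sample timeline (not a real incident)."""
    t = lambda h, m: datetime(2025, 3, 10, h, m, tzinfo=IST)
    rec = IncidentRecord("INC-0001", noticed_at=t(9, 30))
    rec.log("detect", "EDR alert on FIN-DB-02 validated: ransom note found", "soc-analyst", t(9, 30))
    rec.log("detect", "Scope: FIN-DB-02 and file share; customer KYC data present", "soc-analyst", t(10, 5))
    rec.log("contain", "Memory image captured, then host isolated via EDR", "ir-lead", t(10, 20))
    rec.log("report", "CERT-In incident report submitted", "ciso", t(13, 45))
    return rec


if __name__ == "__main__":
    rec = build_sample()
    for name, due in rec.deadlines().items():
        print(f"{name}: {due.isoformat()}")
    print("chain intact:", verify_chain(rec.entries))
```

The hash chain only makes tampering detectable, not impossible: persist the entries append-only somewhere the responders cannot rewrite (a separate log system or WORM storage) and keep that copy for the 180-day CERT-In retention period. Pass `breach_aware_at` explicitly when personal data involvement is confirmed later than the initial detection, since the DPDP window runs from that point.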

After-Action Review

Ask:

  • How did we detect the incident? 
  • How quickly did we respond? 
  • Where did we hesitate? 
  • What would we do differently? 

Update your plan based on lessons learned. 

Retain logs of all ICT systems for a rolling period of 180 days, stored within Indian jurisdiction (CERT-In requirement) [1]. 

Common Mistakes 

Conclusion

Organizations with a plan respond faster, contain damage effectively, meet regulatory deadlines, and preserve customer trust. 

Organizations without a plan face regulatory action, financial loss, and reputational damage. 

The five phases are simple: 

  1. Prepare – Build your team and tools 
  2. Detect – Know what happened 
  3. Contain – Stop the damage 
  4. Eradicate & Recover – Remove and restore 
  5. Report & Learn – CERT-In (6 hrs), DPDPA (72 hrs), update plan 

Start today. You do not need perfection. You need a plan that works. 

References:

  1. CERT-In. (2022). Directions regarding information security practices, procedure, prevention, response and reporting of cyber incidents. 
  2. Ministry of Electronics & Information Technology. (2025). Digital Personal Data Protection Rules, 2025. 
  3. IBM / Ponemon Institute. (2024). Cost of a Data Breach Report 2024: India findings. 
  4. Sophos. (2024). State of Ransomware in Asia 2024. 