How to structure a cyber-incident response plan for your company

Cyber-incident response in India is governed by two instruments: the CERT-In Directions of April 2022, issued under Section 70B(6) of the Information Technology Act, 2000, which set the mechanism and the 6-hour timeline for reporting cyber security incidents, and the Digital Personal Data Protection Act, 2023 (“DPDP Act”), which adds the obligation to notify personal data breaches to the Data Protection Board and to affected Data Principals. A cyber-incident response plan must therefore be built to comply with both. The primary objective is a legally viable response protocol that mitigates risk and ensures that reporting is completed within the mandatory 6-hour incident reporting window.

What are the mandatory requirements for a cyber-incident response plan in India?

A cyber-incident response plan in India must establish a well-structured mechanism for the immediate detection of an incident, determination of whether a breach has occurred, containment of any further compromise, and statutory reporting to the Indian Computer Emergency Response Team (CERT-In) and, where personal data is involved, to the Data Protection Board (DPB). The plan must ensure compliance with the 6-hour reporting window and integrate the “reasonable security safeguards” required to stay compliant with the Digital Personal Data Protection Act, 2023.

The statutory framework for incident management

The DPDP Act does not itself mandate an incident response plan, an IT manual or internal governance policies, but these documents are the practical means of discharging its obligations: the duty to implement reasonable security safeguards, the duty to notify breaches, and the privacy notice served on Data Principals, which is one of the prominent documents that establishes the incident management function. A compliant plan must move beyond technical recovery to address:

  • Designated Accountability: Appointment of a Data Protection Officer (DPO), mandatory for a Significant Data Fiduciary, or a senior executive who is accountable for certifying the “point of discovery” to the authorities.
  • Categorisation of Incidents: Clear criteria distinguishing a routine “system glitch” from a “reportable cyber security incident”, so that each event follows an appropriate, case-specific reporting path.
  • Documentation and Preservation: A protocol for retaining system logs for the legally prescribed period (the CERT-In Directions require logs of ICT systems to be maintained for a rolling period of 180 days within Indian jurisdiction) so that regulators can conduct forensic audits.

Mandatory reporting timelines and escalation matrices

Unlike the GDPR, which requires notification to the supervisory authority within 72 hours of becoming aware of a breach, the Indian regime under the CERT-In Directions imposes a 6-hour reporting mandate. The response plan must set out the following key points:

  1. Point of discovery protocol: The plan must define when an incident is deemed to have been “noticed”, since that moment starts the statutory clock, and who records and certifies it.
  2. Tiered response levels: Categories of data and corresponding escalation paths, so that the severity of an event determines who is mobilised and which filings are triggered. Legal and Compliance should confirm in parallel that “reasonable security practices” were in place, but this evaluation must not become a precondition that delays the CERT-In filing.

How does the 6-hour CERT-In reporting timeline impact corporate response strategies?

The 6-hour CERT-In reporting timeline marked a paradigm shift in how Indian corporates report cyber security breaches. It obliges every affected entity to report promptly and has fundamentally altered corporate incident response policy.

The Compression of the Incident Lifecycle

The Indian regime does not offer the timeline latitude of the GDPR, the EU regulation governing data protection. Where the GDPR gives entities 72 hours to report a breach to the supervisory authority, the CERT-In Directions require a cyber security incident to be reported within six hours of “noticing” it. This compresses the incident lifecycle and creates an immediate tension between the need for forensic certainty and the legal mandate for disclosure; only a well-documented, rehearsed mechanism resolves it.

An entity’s strategy must now prioritise the following aspects:

  • Point of Discovery Documentation: Maintaining a verifiable, timestamped log of when the incident was noticed, as it distinguishes the “time of occurrence” (established later by forensics) from the “time of notice” (which starts the 6-hour clock).
  • Pre-emptive Classification: A pre-agreed breach classification so that an event can be matched instantly against the list of incident types the CERT-In Directions make mandatorily reportable.
  • Shadow Response Teams: A dedicated “Legal Task Force” that operates in tandem with the IT Security Operations Centre from the moment of discovery, so that legal review runs alongside containment rather than after it.
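The “verifiable log” of the point of discovery is the one part of this section that is an engineering artefact rather than a policy. The following is an added example (not code from the original article or the firm): a hash-chained incident register that records the time of notice separately from the time of occurrence and computes the CERT-In deadline from the former. The incident identifier, event names, sources and timestamps are constructed for illustration.

```python
"""Tamper-evident incident register (added example; constructed scenario)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

CERT_IN_WINDOW = timedelta(hours=6)  # "within 6 hours of noticing" (CERT-In Directions)
GENESIS = "0" * 64


@dataclass
class Entry:
    seq: int
    logged_at: str      # ISO-8601 UTC: when this entry was written to the register
    event_time: str     # ISO-8601 UTC: when the fact being recorded actually happened
    event: str          # "noticed", "occurred", "contained", "filed", ...
    detail: str
    source: str         # who or what supplied the fact (analyst, SIEM alert id, report)
    prev_hash: str      # hash of the previous entry; chains the register
    hash: str = ""

    def compute_hash(self) -> str:
        body = {k: v for k, v in self.__dict__.items() if k != "hash"}
        return hashlib.sha256(
            json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        ).hexdigest()


@dataclass
class IncidentRegister:
    incident_id: str
    entries: list[Entry] = field(default_factory=list)

    def record(self, event: str, detail: str, source: str,
               event_time: datetime, logged_at: Optional[datetime] = None) -> Entry:
        """Append an entry; the hash chain makes later edits detectable."""
        logged_at = logged_at or datetime.now(timezone.utc)
        prev = self.entries[-1].hash if self.entries else GENESIS
        e = Entry(len(self.entries), logged_at.isoformat(), event_time.isoformat(),
                  event, detail, source, prev)
        e.hash = e.compute_hash()
        self.entries.append(e)
        return e

    def verify(self) -> bool:
        """True only if every entry's hash and back-link are intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.compute_hash() != e.hash:
                return False
            prev = e.hash
        return True

    def time_of(self, event: str) -> Optional[datetime]:
        """event_time of the first entry of the given kind (None if not recorded)."""
        for e in self.entries:
            if e.event == event:
                return datetime.fromisoformat(e.event_time)
        return None

    def cert_in_deadline(self) -> Optional[datetime]:
        """The 6-hour clock runs from the time of notice, not the time of occurrence."""
        noticed = self.time_of("noticed")
        return None if noticed is None else noticed + CERT_IN_WINDOW


def build_sample_register() -> IncidentRegister:
    """Constructed scenario (not a real incident): a SIEM alert is confirmed at
    02:10 UTC; forensics later establish the intrusion began two days earlier."""
    utc = timezone.utc
    reg = IncidentRegister("INC-EXAMPLE-001")
    noticed = datetime(2024, 3, 1, 2, 10, tzinfo=utc)
    reg.record("noticed", "SOC analyst confirmed SIEM alert as data exfiltration",
               "analyst:on-call", event_time=noticed, logged_at=noticed)
    reg.record("contained", "Compromised service account disabled, egress blocked",
               "analyst:on-call", event_time=datetime(2024, 3, 1, 3, 5, tzinfo=utc),
               logged_at=datetime(2024, 3, 1, 3, 6, tzinfo=utc))
    # The occurrence time is learned later and is recorded in the order it was learned:
    # event_time carries the earlier date, logged_at the time of the forensic finding.
    reg.record("occurred", "Earliest malicious login per VPN and DB audit logs",
               "forensics:interim-report",
               event_time=datetime(2024, 2, 28, 1, 40, tzinfo=utc),
               logged_at=datetime(2024, 3, 2, 11, 0, tzinfo=utc))
    return reg


if __name__ == "__main__":
    r = build_sample_register()
    print("chain intact:      ", r.verify())
    print("time of occurrence:", r.time_of("occurred"))
    print("time of notice:    ", r.time_of("noticed"))
    print("CERT-In deadline:  ", r.cert_in_deadline())
```

Entries are appended in the order facts are learned and never rewritten; a later forensic finding about when the intrusion began is a new entry with an earlier `event_time`, not an edit to the “noticed” entry. Anyone handed the register can re-run `verify()` and confirm that the certified point of discovery has not been moved after the fact.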

Operationalizing the “Preliminary Filing” Strategy

Given the paucity of time for making the statutory disclosure, an entity must have the following mechanism in place for its preliminary filing:

  1. Initial Notification: Filing an initial notification with CERT-In that contains the facts known at the time, to satisfy the statutory requirement and demonstrate procedural compliance.
  2. Supplemental Filings: Conducting the internal investigation and preparing a forensic report that establishes the extent of the personal data breach, and updating the initial notification as facts are confirmed.
  3. Regulatory Interplay Management: Ensuring that the report filed with CERT-In remains consistent with subsequent filings before the Data Protection Board and sectoral regulators such as SEBI or RBI.

Contractual Reinforcement of Timelines

Where personal data is processed by third-party vendors, an entity faces a significant risk that a vendor’s delay in informing it will consume the statutory reporting window. Data Processing Agreements can address this through the following:

  • Back-to-Back Reporting Obligations: The Data Processing Agreement (DPA) should oblige the Data Processor to inform the Data Fiduciary of any breach within a window shorter than the statutory one, for example within 3 hours of the processor noticing the incident, so that the fiduciary can still meet its own 6-hour deadline.
  • Indemnity for Statutory Penalties: Agreements should contain an explicit indemnity covering penalties under the DPDP Act, which can reach INR 250 Crore.

What are the notification obligations to the Data Protection Board and affected individuals?

Under the Digital Personal Data Protection Act, 2023, there is a dual reporting obligation on the Data Fiduciary: it is required to notify the Data Protection Board of India (DPB) as well as each affected Data Principal in the event of a personal data breach.

The Statutory Trigger for Notification

The DPDP Act does not condition the notification duty on financial loss, the volume of data affected or the sensitivity of the data: there is no threshold, and the obligation is triggered by the breach itself. The Act defines a personal data breach broadly to include any unauthorised processing of personal data and any disclosure, alteration, destruction or loss of access, whether intentional or accidental, that compromises its confidentiality, integrity or availability.

For the purposes of regulatory compliance, the notification framework must include:

  • Intimation to the Board: Formal notice to the DPB detailing the nature of the breach, the estimated number of individuals impacted, and the immediate steps taken to contain the incident.
  • Communication to Data Principals: Direct notification to affected individuals in a clear and plain language, informing them of the breach and their rights with respect to the personal data.
  • Itemised disclosure: The entity is required to provide an itemised description of the data categories compromised and the potential impact on the data principal.

Procedural Requirements and Regulatory Oversight

The Data Protection Board has been established under the DPDP Act and it serves as the primary enforcement and investigation authority for the provisions of the act.

Form and manner of reporting

Notifications must be presented in a manner that is understandable on its own, independently of other information, and must be accessible in English or any language specified in the Eighth Schedule to the Constitution. The notice must contain the following information:

  1. Contact Details: The contact information of the Data Protection Officer (DPO) or a designated representative authorised to respond to inquiries from Data Principals.
  2. Remedial Measures: The steps the fiduciary has taken, including both the technical and organisational measures implemented to mitigate the effect of the breach and prevent recurrence.
  3. Third-Party Accountability: The Data Fiduciary remains responsible for meeting the reporting requirement even if the breach occurred at a Data Processor.

How can companies mitigate director liability and regulatory penalties after a breach?

A director may be held personally liable for a data security failure under Section 166(3) of the Companies Act, 2013, which requires every director to exercise due and reasonable care, skill and diligence. It is therefore imperative that directors discharge that duty of care over the company’s data processing. Furthermore, a company that can prove it implemented the “reasonable security safeguards” mandated by the Digital Personal Data Protection Act, 2023 can evidence an active governance framework, which strengthens its position before the Data Protection Board (DPB).

Navigating the Fiduciary Risk Landscape

Under the Companies Act, 2013, due diligence is the primary defence: a verifiable trail of statutory compliance and proactive risk management.

To insulate the Board and the entity from the maximum INR 250 Crore penalty, the response strategy must document:

  • Pre-incident Diligence: Board-level approval of cyber-budgets and regular review of Data Protection Impact Assessments (DPIA).
  • Immediate Remediation: Evidence of “reasonable effort” taken to mitigate harm to Data Principals immediately upon the point of discovery.
  • Regulatory Cooperation: Full transparency during a DPB inquiry; the action taken to mitigate the effects of the breach is among the factors the Act directs the Board to weigh when determining the quantum of a penalty.

Strategic Pillars for Penalty Mitigation

1. Invoking the “Business Judgment” Defense

Directors can mitigate personal liability by demonstrating that they have conducted due diligence and the security measures were implemented based on decisions which were informed, deliberated, and made in the best interests of the company.

  • Expert Reliance: Obtaining professional advice from the Data Protection Officer (DPO) and external legal counsel on the processing of personal data and on the breach.
  • Standard Adoption: Aligning the company’s internal controls with recognized frameworks like ISO 27001.

2. Tactical Management of Section 33 Mitigation Factors

When the Data Protection Board determines a penalty, Section 33 of the DPDP Act requires it to consider specific variables. A sophisticated response plan includes a “Mitigation File” that addresses:

  • The Nature and Gravity of the Breach: Demonstrating that the breach was not the result of systemic negligence but of a sophisticated attack that the implemented safeguards could not reasonably have prevented.
  • Repetitive Nature: Evidence that the incident is an isolated event and not a recurring failure of the same control.
  • Loss Averted: Quantifying the potential harm that was prevented through the swift execution of the incident response plan.

3. Utilizing Directors’ and Officers’ (D&O) Insurance

D&O insurance is a critical indemnity tool protecting directors and officers from personal loss. Note, however, that most policies exclude “gross negligence” or “wilful non-compliance”, so the cover must be read against the conduct an inquiry is likely to find.

  • Policy Review: Ensuring the policy covers statutory fines and the costs of litigation in TDSAT appeals.
  • Conduct Coverage: Ensuring the policy is triggered by a “formal inquiry” by the DPB or CERT-In, not only by court proceedings.

Contractual and Statutory “Shields”

For Significant Data Fiduciaries, mitigation also depends on fulfilling additional governance mandates.

  • Annual Security Audits: Conducting and documenting yearly audits by an independent auditor, which proves that security was a continuous process rather than a “point-in-time” exercise and satisfies the audit and Data Protection Impact Assessment obligations placed on Significant Data Fiduciaries.
  • Data Processor Indemnity: Structuring Data Processing Agreements (DPAs) with comprehensive liability clauses and vendor due diligence requirements, so that the fiduciary can show it verified the processor’s security measures and is not left solely responsible for the vendor’s lapse.
  • TDSAT Appeals: If the DPB imposes a disproportionate penalty, the company must be prepared to appeal the order before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days.

What should be included in a cross-border data breach response protocol?

A cross-border data breach response protocol must integrate the mandatory 6-hour CERT-In reporting window and synchronise it with the requirements of foreign regimes such as the GDPR.

The protocol for cross-border incidents must prioritise the following:

  • Timeline Harmonization: Provide for both the CERT-In and GDPR deadlines, either through separate jurisdiction-specific clauses or by adopting an “as soon as practicable” internal standard, pegged to the tightest applicable clock, for every breach regardless of jurisdiction.
  • Lead Authority Identification: Determining which regulator acts as the primary authority for the breach.
  • Data Localisation Nuances: Assessing whether any relevant jurisdiction imposes statutory data localisation requirements that affect where breach evidence and affected data may be stored or transferred.

Mandatory Elements of a Global Response Strategy

1. Multi-Tiered Regulatory Notification Matrix

When structuring a cyber-incident response plan, the protocol must include a regulatory map that sets out, for each jurisdiction and incident type, which authority must be notified and what triggers the notification.

2. Vendor and Processor Alignment

Cross-border data flows usually involve contractual relationships with Data Processors. The response plan must account for the clauses of the DPA so that reporting flows upward quickly enough:

  • Flow-Through Obligations: Data Processing Agreements (DPAs) must mandate that offshore processors notify the Indian fiduciary within a “sub-6-hour” window.
  • Standard Contractual Clauses (SCCs): In the absence of a formal adequacy decision, the response plan must rely on executed SCCs to prove that reasonable security safeguards were contractually enforced across borders.

3. Managing Transnational Liability and Indemnity

A global breach often leads to “mirror litigation” across different courts. Mitigation strategies must include:

  • Consolidated Forensic Reports: Commissioning a single, high-quality forensic audit that meets the evidentiary standards of multiple jurisdictions.
  • Indemnity Activation: Precise triggers in insurance policies to cover the costs of regulatory defense in India as well as potential “class action” settlements in foreign courts.
  • Privilege Protection: Utilizing legal counsel to direct the global investigation, ensuring that internal “lessons learned” documents are shielded by legal professional privilege across all relevant jurisdictions.

How do SEBI and RBI regulations overlap with the DPDP Act during a cyber crisis?

Regulatory overlap during a cyber crisis in India is characterized by the concurrent application of sector-specific disclosure mandates from the RBI or SEBI and the statutory incident notification requirements under the DPDP Act. For regulated entities, a cyber-incident triggers multiple, non-exclusive reporting streams that must be managed through a unified statutory compliance protocol to avoid conflicting disclosures and regulatory sanctions.

Navigating the Multi-Regulator Reporting Landscape

When a “Data Fiduciary” in the financial or capital markets sector faces a breach, the incident ceases to be a singular legal event. It activates a “cascading disclosure” obligation where the same set of facts must be tailored to meet the distinct oversight objectives of different authorities. While the Digital Personal Data Protection Act, 2023 focuses on the protection of Data Principals, regulators like the RBI and SEBI prioritize systemic stability and market integrity.

The complexity of structuring a cyber-incident response plan under Indian law lies in reconciling these parallel requirements:

  • Systemic vs. Individual Focus: RBI/SEBI reports often focus on operational downtime and financial contagion, whereas DPB notifications must address the compromise of personal data confidentiality.
  • Conflicting Timelines: A response plan must account for the 6-hour CERT-In mandate alongside the RBI’s “immediate” reporting standard for banks (2 to 6 hours under its cyber security framework).
  • Materiality Thresholds: SEBI (LODR) Regulations require listed companies to disclose “material” events to stock exchanges, creating a tension between public market transparency and the need for confidentiality during an active forensic investigation.

Sector-Specific Mandates and the DPDP Act Interplay

1. The Banking Sector: RBI’s Cyber Security Framework

For Banks and NBFCs, the RBI mandates a stringent reporting regime that often overlaps with CERT-In and the DPDP Act.

  • RBI Cyber Security Framework: Regulated entities must report any unusual cyber security incident to the RBI within 2 to 6 hours of detection.
  • Sub-Processors and Outsourcing: Since most banks rely on third-party IT vendors, the response plan must ensure that “downstream” breaches at a service provider are reported upward in time to meet both RBI and DPB deadlines.
  • Fiduciary Accountability: The RBI increasingly holds the Board-level Information Security Committee responsible for lapses, mirroring the fiduciary duties established under the Companies Act and the DPDP Act.

2. Capital Markets: SEBI’s Disclosure Standards

Listed entities and market intermediaries must comply with the SEBI disclosures in the event of a cyber-incident. These requirements are as follows:

  • SEBI (LODR) Compliance: Regulation 30 requires disclosure to the stock exchanges of any cyber security incident or loss of data that is deemed material.
  • Unpublished Price Sensitive Information (UPSI): The listed entity’s response plan must control who learns of the breach and when, so that the “Insider Trading” regulations are not violated while the incident remains undisclosed.
  • SEBI Circulars on Cyber Security: For brokers and AMCs, SEBI has issued specific “Cyber Security and Cyber Resilience” frameworks that mandate quarterly reporting and half-yearly internal audits, which can serve as mitigating evidence during a DPB adjudication.

3. Resolving Regulatory “Compliance Friction”

To maintain a defensible legal position and to be prepared for compliance with all the regulations, the entity should undertake the following steps:

  • Unified Fact Sheet: Maintaining a single, version-controlled “Master Fact Sheet” so that the details provided to the RBI, SEBI, CERT-In and the DPB are factually consistent.
  • Trigger Mapping: A trigger map that identifies, for each category of data and each regulator, which facts trigger a filing and by when.
  • Privilege and Disclosure: All reports should be vetted by legal counsel to ensure that mandatory disclosures do not inadvertently waive attorney-client privilege over internal forensic reports that may be needed for future TDSAT appeals or litigation.
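The trigger map and master fact sheet above, and the timeline harmonisation described in the cross-border section, are the same mechanism seen from two sides: one record of the facts, from which each filing and its deadline is derived. The following is an added example (not code from the original article or the firm) of that mechanism. The regulator set, the field names and the sample incident are assumptions for illustration; the hour values used for CERT-In (6), RBI (planned to the 2-hour end of its 2 to 6 hour range) and GDPR (72) are the ones discussed in this article, while the DPB, Data Principal and stock exchange clocks are deliberately left unset for legal review.

```python
"""Regulator trigger map driven by a version-controlled fact sheet (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass(frozen=True)
class FactSheet:
    """One version-controlled record of the facts all filings are drawn from."""
    version: int
    incident_id: str
    noticed_at: str                    # ISO-8601 UTC, the documented point of discovery
    personal_data_affected: bool
    eu_data_subjects_affected: bool
    entity_rbi_regulated: bool
    entity_listed_in_india: bool
    material_for_market: bool          # outcome of the LODR Reg. 30 materiality assessment
    summary: str

    def digest(self) -> str:
        payload = json.dumps(asdict(self), sort_keys=True).encode()
        return hashlib.sha256(payload).hexdigest()[:16]


@dataclass(frozen=True)
class Trigger:
    authority: str
    applies: Callable[[FactSheet], bool]
    hours_after_notice: Optional[int]  # None: no fixed clock set here; legal review supplies it
    basis: str


# Assumed regulator set for a listed, RBI-regulated entity with EU customers.
TRIGGERS = [
    Trigger("CERT-In", lambda f: True, 6,
            "CERT-In Directions: report within 6 hours of noticing"),
    Trigger("RBI", lambda f: f.entity_rbi_regulated, 2,
            "RBI cyber security framework: 2-6 hours; plan to the 2-hour end"),
    Trigger("EU supervisory authority", lambda f: f.eu_data_subjects_affected, 72,
            "GDPR Art. 33: 72 hours of becoming aware"),
    Trigger("Data Protection Board of India", lambda f: f.personal_data_affected, None,
            "DPDP Act: intimation of a personal data breach; clock per legal review"),
    Trigger("Affected Data Principals", lambda f: f.personal_data_affected, None,
            "DPDP Act: notify each affected Data Principal; clock per legal review"),
    Trigger("Stock exchanges (SEBI LODR Reg. 30)",
            lambda f: f.entity_listed_in_india and f.material_for_market, None,
            "SEBI LODR Reg. 30: disclose material cyber security incidents"),
]


def notification_matrix(fact: FactSheet) -> list[dict]:
    """Authorities this fact sheet triggers, each row tied to the sheet digest so
    every filing can be traced to the same version of the facts."""
    noticed = datetime.fromisoformat(fact.noticed_at)
    rows = []
    for t in TRIGGERS:
        if not t.applies(fact):
            continue
        deadline = (noticed + timedelta(hours=t.hours_after_notice)
                    if t.hours_after_notice is not None else None)
        rows.append({
            "authority": t.authority,
            "deadline_utc": deadline.isoformat() if deadline else None,
            "basis": t.basis,
            "fact_sheet_version": fact.version,
            "fact_sheet_digest": fact.digest(),
        })
    # Fixed clocks first, soonest first; unclocked filings last.
    rows.sort(key=lambda r: (r["deadline_utc"] is None, r["deadline_utc"] or ""))
    return rows


def stale_filings(filings: list[dict], current: FactSheet) -> list[str]:
    """Authorities whose filing was built from an older fact sheet than `current`
    and therefore need a supplemental filing to stay factually consistent."""
    return [f["authority"] for f in filings if f["fact_sheet_digest"] != current.digest()]


def sample_fact_sheet(version: int = 1) -> FactSheet:
    """Constructed incident for illustration, not a real case."""
    return FactSheet(
        version=version, incident_id="INC-EXAMPLE-001",
        noticed_at="2024-03-01T02:10:00+00:00",
        personal_data_affected=True, eu_data_subjects_affected=True,
        entity_rbi_regulated=True, entity_listed_in_india=True,
        material_for_market=False,
        summary=("Exfiltration of customer records via compromised service account"
                 if version == 1 else
                 "Exfiltration of ~48,000 customer records; vendor API key abused"),
    )


if __name__ == "__main__":
    v1 = sample_fact_sheet(1)
    for row in notification_matrix(v1):
        print(f"{row['deadline_utc'] or 'per legal review':26} {row['authority']}")
    v2 = sample_fact_sheet(2)  # facts change after forensics; every filing is now stale
    print("need supplemental filing:", stale_filings(notification_matrix(v1), v2))
```

Every row carries the digest of the fact sheet version it was generated from, so when forensics revise the facts (version 2) `stale_filings` lists exactly which authorities must receive a supplemental filing, which is the consistency check the “Master Fact Sheet” exists to provide.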

FAQs – Structuring a cyber-incident response plan under Indian law

1. What is the primary law currently governing data protection in India?

At present, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 govern data protection in India. With the phased implementation of the DPDP Act, 2023, which omits Section 43A of the IT Act under which those Rules were framed, the DPDP Act will supersede them as the primary data protection law in India.

2. To what types of data does the DPDP Act, 2023 apply?

The Act applies to the processing of digital personal data within India, whether collected in digital form or collected in non-digital form and later digitised. It also has extra-territorial reach: processing outside India must comply with its provisions if it relates to offering goods or services to Data Principals within India.

3. What is the maximum penalty for non-compliance under the DPDP Act?

The Act imposes severe penalties for breaches of data protection obligations; the maximum is INR 250 Crore for failure to take reasonable security safeguards to prevent a personal data breach.

4. Who is a “Data Fiduciary” under the new Indian law?

A Data Fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data.

5. Are there mandatory reporting timelines for cyber security incidents?

Yes. Under the present legal regime, the CERT-In Directions mandate that a cyber security incident be reported to the Indian Computer Emergency Response Team (CERT-In) within 6 hours of noticing it.

6. Can “known risks” be covered under Warranty and Indemnity (WI) Insurance?

The inclusion of the known risk is subjected to negotiation on a case-by-case basis.

About Us

Corrida Legal is a boutique corporate & employment law firm serving as a strategic partner to businesses by helping them navigate transactions, fundraising-investor readiness, operational contracts, workforce management, data privacy, and disputes. The firm provides specialized and end-to-end corporate & employment law solutions, thereby eliminating the need for multiple law firm engagements. We are actively working on transactional drafting & advisory, operational & employment-related contracts, POSH, HR & data privacy-related compliances and audits, India-entry strategy & incorporation, statutory and labour law-related licenses, and registrations, and we defend our clients before all Indian courts to ensure seamless operations.

We keep our clients future-ready by ensuring compliance with the upcoming Indian Labour codes on Wages, Industrial Relations, Social Security, Occupational Safety, Health, and Working Conditions – and the Digital Personal Data Protection Act, 2023. With offices across India including Gurgaon, Mumbai and Delhi coupled with global partnerships with international law firms in Dubai, Singapore, the United Kingdom, and the USA, we are the preferred law firm for India entry and international business setups. Reach out to us on LinkedIn or contact us at contact@corridalegal.com/+91-9211410147 in case you require any legal assistance. Visit our publications page for detailed articles on contemporary legal issues and updates.
