CERT-In Compliance Checklist for Banks and Financial Institutions in India

Published 09 Apr 2026  ·  Updated 10 Apr 2026  ·  By Soc Team  ·  Compliance  ·  5 min read

CERT-In (Indian Computer Emergency Response Team) directives are legally binding on all organisations in India, but financial institutions face the most scrutiny. The April 2022 CERT-In directions fundamentally changed incident reporting obligations — introducing the 6-hour mandatory reporting window that caught most banks unprepared. Combined with RBI, SEBI, and DPDPA requirements, the compliance landscape for Indian financial institutions has never been more demanding.

This checklist covers every CERT-In requirement relevant to banks, NBFCs, insurance companies, stock brokers, and other financial entities, with practical implementation guidance for each.

CERT-In Mandatory Incident Reporting: The 6-Hour Rule

The most operationally challenging requirement: all cybersecurity incidents must be reported to CERT-In within 6 hours of detection. This applies to:

  • Targeted scanning or probing of critical networks and systems
  • Compromise of critical systems or information
  • Unauthorised access to IT systems or data
  • Website defacement
  • Malicious code attacks (ransomware, trojans, worms)
  • Attacks on servers, databases, networks, and applications
  • Identity theft, spoofing, and phishing attacks
  • Denial of service (DoS) and distributed denial of service (DDoS) attacks
  • Data breaches and data leaks
  • Attacks on critical infrastructure and cloud computing systems
  • Attacks or malicious activities affecting digital payment systems
  • Unauthorised access to social media accounts

For financial institutions, the 6-hour window is even more critical because parallel reporting to RBI (CSITE) and sectoral regulators (SEBI, IRDAI) is also required. Your incident response process must handle simultaneous reporting to multiple regulators.

The Complete CERT-In Compliance Checklist

1. Incident Reporting Readiness

  • Documented incident response plan with CERT-In reporting procedures
  • Pre-built incident reporting templates in CERT-In prescribed format
  • Designated point of contact registered with CERT-In
  • 24/7 incident detection capability (SOC or equivalent)
  • Automated alerting to trigger the 6-hour reporting clock
  • Clear escalation matrix from detection to CERT-In notification
  • Quarterly incident response drills simulating the 6-hour timeline

2. Log Retention (180 Days Minimum)

  • All ICT system logs must be retained for a rolling 180-day period
  • Logs must be maintained within Indian jurisdiction
  • Firewall logs, IDS/IPS logs, VPN logs, web server logs
  • Authentication logs, database access logs, email server logs
  • DNS query logs, proxy logs, application logs
  • Logs must be available for forensic analysis upon CERT-In request
  • Centralised log management (SIEM) recommended for correlation
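A rolling 180-day requirement is only met if every source has an unbroken archive; a failed rotation job leaves a hole that nobody notices until CERT-In asks for the logs. The following is an added example (not from the original checklist) that checks an inventory of rotated daily archive names for full coverage of the window and reports any missing days. The source names, file paths, the reference date and the gaps are all constructed for the demonstration.

```python
"""Check that every log source has an unbroken 180-day archive.

Added example, not from the original checklist. It works from an inventory
of rotated daily archive file names (as a SIEM or archive store might export
them); the file names, source names, reference date and gaps below are
constructed.
"""
from datetime import date, timedelta
import re

RETENTION_DAYS = 180  # rolling window required by the CERT-In directions
DATE_RE = re.compile(r"(\d{4}-\d{2}-\d{2})")
SAMPLE_TODAY = date(2026, 4, 10)  # constructed reference date


def dates_from_filenames(filenames):
    """Extract the YYYY-MM-DD stamp embedded in each rotated archive name."""
    found = set()
    for name in filenames:
        m = DATE_RE.search(name)
        if m:
            found.add(date.fromisoformat(m.group(1)))
    return found


def check_retention(inventory, today, retention_days=RETENTION_DAYS):
    """inventory: {source: [archive filename, ...]}.

    Returns {source: {"ok": bool, "present": n, "missing": [date, ...]}},
    where "missing" lists every day of the rolling window with no archive.
    """
    window = [today - timedelta(days=d) for d in range(retention_days)]
    report = {}
    for source, filenames in inventory.items():
        have = dates_from_filenames(filenames)
        missing = [d for d in window if d not in have]
        report[source] = {
            "ok": not missing,
            "present": len(window) - len(missing),
            "missing": missing,
        }
    return report


def build_sample_inventory(today):
    """Constructed inventory: firewall archive complete, VPN archive has a
    three-day hole (a rotation failure), DNS logging only started 90 days ago."""
    def names(prefix, days):
        return [
            f"/var/log/archive/{prefix}-{(today - timedelta(days=d)).isoformat()}.log.gz"
            for d in days
        ]
    return {
        "firewall": names("fw", range(200)),
        "vpn": names("vpn", [d for d in range(200) if d not in (40, 41, 42)]),
        "dns": names("dns", range(90)),
    }


if __name__ == "__main__":
    report = check_retention(build_sample_inventory(SAMPLE_TODAY), SAMPLE_TODAY)
    for source, r in report.items():
        status = "OK" if r["ok"] else f"GAP: {len(r['missing'])} day(s) missing"
        print(f"{source:10s} {r['present']:3d}/{RETENTION_DAYS} days  {status}")
```

Run it against a real export by replacing `build_sample_inventory` with a listing of your archive store; anything short of 180/180 for a source is a finding, and the `missing` list tells the log-management team exactly which days to recover from backups while they still exist.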

3. Clock Synchronisation

  • All ICT systems must synchronise with NTP servers of NIC or NPL
  • Or use NTP servers traceable to NIC/NPL time sources
  • This ensures log timestamps are consistent for forensic analysis
  • Verify NTP configuration across all servers, network devices, and endpoints
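Verifying the NTP requirement on a Linux fleet comes down to two checks per host: the configured time sources are the approved NIC/NPL-traceable ones, and the daemon is actually synchronised with a small offset. The following is an added example (not from the original post) that audits a `chrony.conf` and the text output of `chronyc tracking`. Both inputs below are constructed samples, and the allow-list of approved sources is a placeholder to be replaced with the hostnames your organisation has approved.

```python
"""Audit a host's NTP configuration and sync state against the checklist.

Added example, not from the original post. It parses a chrony.conf and the
text output of `chronyc tracking`; both samples below are constructed, and
APPROVED_SOURCES is a placeholder for your NIC/NPL-traceable servers.
"""
import re

# Placeholder allow-list: substitute the NIC/NPL-traceable servers you use.
APPROVED_SOURCES = {"ntp1.example-nic.invalid", "ntp2.example-npl.invalid"}
MAX_OFFSET_SECONDS = 0.5  # assumed tolerance for cross-host log correlation

SAMPLE_CHRONY_CONF = """\
# constructed sample: one approved server plus a stray public pool
pool pool.ntp.org iburst
server ntp1.example-nic.invalid iburst
driftfile /var/lib/chrony/drift
makestep 1.0 3
"""

SAMPLE_TRACKING = """\
Reference ID    : C0A80101 (ntp1.example-nic.invalid)
Stratum         : 2
Ref time (UTC)  : Fri Apr 10 09:12:31 2026
System time     : 0.000312456 seconds fast of NTP time
Last offset     : +0.000198765 seconds
RMS offset      : 0.000214321 seconds
Frequency       : 3.412 ppm slow
Residual freq   : +0.004 ppm
Skew            : 0.089 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.000876543 seconds
Update interval : 64.2 seconds
Leap status     : Normal
"""


def configured_sources(conf_text):
    """Return hostnames from server/pool/peer lines, ignoring comments."""
    hosts = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            hosts.append(parts[1])
    return hosts


def parse_tracking(tracking_text):
    """Pull the signed offset (seconds), stratum and leap status from
    `chronyc tracking` output. Offset is positive when the clock is fast."""
    fields = {}
    for line in tracking_text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    m = re.match(r"([\d.]+) seconds (fast|slow) of NTP time",
                 fields.get("System time", ""))
    offset = None
    if m:
        offset = float(m.group(1)) * (1 if m.group(2) == "fast" else -1)
    return {
        "offset": offset,
        "stratum": int(fields.get("Stratum", "0")),
        "leap": fields.get("Leap status", ""),
    }


def audit(conf_text, tracking_text):
    """Return a list of findings; an empty list means the host passes."""
    findings = []
    for host in configured_sources(conf_text):
        if host not in APPROVED_SOURCES:
            findings.append(f"unapproved time source: {host}")
    t = parse_tracking(tracking_text)
    if t["offset"] is None:
        findings.append("could not read system offset from chronyc tracking")
    elif abs(t["offset"]) > MAX_OFFSET_SECONDS:
        findings.append(f"clock offset {t['offset']:+.3f}s exceeds {MAX_OFFSET_SECONDS}s")
    if t["leap"] != "Normal":
        findings.append(f"not synchronised (leap status: {t['leap'] or 'unknown'})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CHRONY_CONF, SAMPLE_TRACKING) or ["no findings"]:
        print(finding)
```

On a live host, feed it the contents of `/etc/chrony.conf` and the captured output of `chronyc tracking`; running the same audit from configuration management across every server, network device export and endpoint gives the fleet-wide evidence the checklist asks for.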

4. KYC for Virtual Private Server and Cloud Service Providers

  • VPS and cloud providers must maintain KYC records of subscribers for 5 years
  • Financial institutions using VPS/cloud must ensure their provider complies
  • Records must be available to CERT-In upon request

5. Vulnerability Assessment and Penetration Testing

  • Regular VAPT of all internet-facing and critical systems
  • Prompt patching of identified vulnerabilities
  • Continuous vulnerability scanning between formal VAPT engagements
  • Secure configuration audits of all network devices and servers

How Financial Institutions Should Prepare

Deploy continuous threat detection: The 6-hour reporting window makes it impossible to rely on periodic log reviews. You need real-time detection that identifies incidents the moment they occur — not hours or days later. A SIEM with properly tuned detection rules, supplemented by threat intelligence feeds, is the minimum viable detection stack.

Integrate threat intelligence: Many incidents start with known malicious indicators — IPs, domains, file hashes that are already catalogued in threat intelligence databases. Integrating a TI feed with 390,000+ indicators directly into your SIEM and firewall rules means you detect known threats instantly, well within the 6-hour window.

Run breach simulations regularly: The only way to know if your 6-hour process works is to test it. Run quarterly breach and attack simulations that trigger your detection, escalation, and reporting processes end-to-end. Measure the time from initial compromise to CERT-In notification. If it exceeds 6 hours, your process needs redesign.

Maintain continuous vulnerability visibility: CERT-In directives emphasise prompt patching. Continuous vulnerability assessment provides the real-time visibility needed to identify and prioritise patches — rather than discovering critical vulnerabilities only during quarterly VAPT cycles.

The Overlap: CERT-In + RBI + SEBI + DPDPA

Financial institutions are unique in facing compliance obligations from multiple regulators simultaneously. A single data breach at a bank triggers reporting obligations to CERT-In (6 hours), RBI CSITE (6 hours), the Data Protection Board (72 hours under DPDPA), and potentially SEBI (if the bank is also a market intermediary). The incident response plan must account for all four — with different formats, different details, and different timelines.
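The breach simulations recommended above only prove anything if the drill produces a measured timeline per regulator. The following is an added example (not part of the original article) that scores a timestamped drill log against the windows the article cites: CERT-In and RBI CSITE at 6 hours and the Data Protection Board at 72 hours, all measured from the first detection event. SEBI is left out because the article gives no figure for it. The log format, event names and timestamps are constructed for the demonstration.

```python
"""Score an incident-response drill against each regulator's reporting clock.

Added example, not part of the original article. It reads a timestamped
drill log (constructed below), starts every clock at the first DETECTED
event, and reports whether each regulator was notified within its window.
The windows are those the article cites; the log format and event names
are assumptions.
"""
from datetime import datetime, timedelta

# Reporting windows measured from detection, as stated in the article.
WINDOWS = {
    "CERT-In": timedelta(hours=6),
    "RBI-CSITE": timedelta(hours=6),
    "DPB": timedelta(hours=72),
}

# Constructed drill log: "<ISO timestamp> <EVENT> <detail>".
SAMPLE_DRILL_LOG = """\
2026-04-09T22:14:00+05:30 DETECTED   SIEM rule fired: credential stuffing on net-banking portal
2026-04-09T22:40:00+05:30 ESCALATED  IR lead paged, bridge opened
2026-04-10T03:05:00+05:30 NOTIFIED   CERT-In
2026-04-10T05:30:00+05:30 NOTIFIED   RBI-CSITE
2026-04-11T10:00:00+05:30 NOTIFIED   DPB
"""


def parse_log(text):
    """Return (timestamp, event, detail) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split(None, 2)
        events.append((datetime.fromisoformat(ts), kind, detail.strip()))
    return sorted(events)


def score_drill(text, windows=WINDOWS):
    """For each regulator: elapsed time from detection, deadline, and pass/fail.

    A regulator with no NOTIFIED event is a failure, since an unreported
    incident is the worst outcome a drill can reveal.
    """
    events = parse_log(text)
    detected = next((ts for ts, kind, _ in events if kind == "DETECTED"), None)
    if detected is None:
        raise ValueError("drill log has no DETECTED event to start the clocks")
    notified = {detail: ts for ts, kind, detail in events if kind == "NOTIFIED"}
    results = {}
    for regulator, window in windows.items():
        ts = notified.get(regulator)
        elapsed = (ts - detected) if ts is not None else None
        results[regulator] = {
            "elapsed": elapsed,
            "deadline": detected + window,
            "ok": elapsed is not None and elapsed <= window,
        }
    return results


if __name__ == "__main__":
    for regulator, r in score_drill(SAMPLE_DRILL_LOG).items():
        took = "not notified" if r["elapsed"] is None else str(r["elapsed"])
        print(f"{regulator:10s} {took:>18s}  deadline {r['deadline']:%Y-%m-%d %H:%M}  "
              f"{'PASS' if r['ok'] else 'FAIL'}")
```

In the constructed run, CERT-In is notified in 4h51m and passes while RBI CSITE takes 7h16m and fails: exactly the kind of parallel-reporting bottleneck the article warns about, and the measurement that tells you whether the escalation matrix needs redesign.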

The efficient approach is a unified security platform that provides continuous vulnerability assessment, real-time threat detection, and automated compliance reporting across all regulatory frameworks. This eliminates the need for separate tools and separate teams for each regulator.

Ogma Consulting provides a unified cybersecurity platform for financial institutions — combining continuous vulnerability assessment, breach and attack simulation, and threat intelligence with 390,000+ IOCs. Our platform maps findings to RBI, SEBI CSCRF, DPDPA, and CERT-In requirements simultaneously, generating audit-ready reports for every regulator from a single pane of glass. Contact us for a compliance readiness assessment.
