CERT-In's enforcement posture has shifted in the last twelve months. The shift is not announced in any single circular. It is visible in the pattern of correspondence, the depth of follow-up after initial notifications, and the questions that are now asked of organisations whose incidents would, a year ago, have closed without further engagement. Three operational changes follow from this shift, and every CISO and General Counsel operating in India should make them before the next material incident, not after.
The first change concerns notification content. CERT-In's six-hour notification window is, by international standards, aggressive. Organisations that meet the window with a placeholder notification, a single line acknowledging an incident with details to follow, are now being asked, in writing, why the placeholder did not contain the specific technical artefacts the directions require. The defensible answer is not 'we did not have them yet'. It is 'we had a pre-approved template, populated as fully as the first six hours allowed, with explicit identification of the fields awaiting confirmation'. The template is the deliverable. Organisations whose response playbook does not include a populated six-hour template, walked through with counsel in advance, are organisations whose first notification will be deficient in a way the second cannot fix.
The second change concerns the relationship between notification and privilege. A notification to CERT-In is a regulatory filing. A forensic investigation conducted in parallel is, properly structured, privileged work product. The two should not be conducted by the same team writing from the same documents. The organisations whose privilege has held under scrutiny are the ones that established, before the incident, a clear separation between the regulatory workstream, handled by named counsel and the CISO's office, and the investigative workstream, handled by external counsel directing forensic vendors under engagement letters that establish privilege at the outset. The organisations whose privilege has been challenged are the ones that conflated the two and discovered, after the fact, that their forensic report was discoverable.
The third change concerns the closure of an incident. CERT-In is increasingly asking, in follow-up correspondence, what corrective measures have been adopted and what evidence exists that they have been adopted. The right answer is not a list of intentions. It is a remediation log with dates, owners, and verification steps, prepared in a form that can be shared with the regulator without exposing privileged material. The organisations that have planned for this question in advance close incidents quickly. The organisations that have not planned for it spend the months after the incident negotiating the form of their own remediation evidence.
All three changes are inexpensive. None requires new technology. All require deliberate pre-work and the willingness to rehearse a regulator-facing response before it is needed. The CISOs and General Counsel who do this work in calm weather are the ones whose names will not appear in the next year's enforcement annual report.
Privileged commentary · Not legal advice · © Zuber & Partners