Strengthening India’s Cyber Incident Reporting Framework

By: Jiwon Lim

Every year, about 12,000 cyber incidents jeopardize the confidentiality, integrity, or availability of an information system, at an average cost of $3 million each. With incidents having increased more than six-fold since 2008, nations have begun to recognize the need for mandatory cyber incident reporting frameworks. The goal of cyber incident reporting is to share information quickly enough that other exposed parties can respond, and to build trusted relationships between government and industry.

Among existing cyber incident reporting frameworks, Australia's and the European Union's (EU) stand out for the breadth of incidents and entities they cover, the way they are governed, and their effectiveness in increasing both the volume of incident reports and the quality of the response. Both frameworks build in clear definitions, tiered timelines, and industry participation, which makes meeting reporting obligations more streamlined for government and industry alike.

Australia divides cyber incidents into "critical" and "other." Critical incidents must be reported within 12 hours, and all other incidents within 72 hours. The EU follows the NIS 2 Directive, which classifies covered organizations as "essential" or "important" entities and requires both to report significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. During their creation and implementation, both frameworks incorporated industry voices. Australia established the Cyber Incident Review Board as an independent statutory advisory body and convened expert panels. The EU ran an open public consultation before publishing the directive. In both cases, the process allows for ease of reporting and communication; timely and detailed assessment of threats; and trust between public and private partners.

India's cyber incident reporting is based on the April 2022 CERT-In Directions, under which a broadly defined set of entities must report incidents within 6 hours of noticing them. The directions have drawn criticism from industry for imposing one of the shortest reporting windows in the world and for not categorizing incidents by severity or scope. Both foreign and domestic companies have cited concerns over feasibility, lack of clarity, and limited collaborative policy development. They report being unable to comply with requirements such as retaining logs of all ICT systems for a rolling 180-day period within Indian jurisdiction. Together, these issues risk non-compliance with the directions, erosion of public-private trust, and delays in threat response.

India's internet penetration is growing 8% year on year. The country is now the top global target for hacktivists and the top regional target of advanced persistent threat groups. India's cyber security focus has been on the quantifiable result of reporting as many incidents as possible, but that emphasis sidelines the trust building and threat assessment functions that a reporting framework is meant to serve. Despite a rapidly evolving cyber landscape, three years have passed since the most recent CERT-In directions. An updated policy that distinguishes critical from less critical incidents, and that incorporates industry perspectives on implementation, could make India's cyber incident reporting standards more feasible, trusted, and effective.

Jiwon Lim is a Summer Intern at ORF America.