Multi-regulator incident notification with coordinated submission timelines
Primary statement
External incident notification operates as a coordinated multi-regulator submission run against the tightest concurrent clocks: CERT-In 6 hours from internal awareness (mandatory for all in-scope incidents); RBI CIMS 6 hours initial + 21 days detailed (for RBI REs); SEBI 6 hours per CSCRF (for SEBI REs); IRDAI 24 hours (for insurance entities, per March 2025); DPBI 72 hours detailed + immediate notification of Data Principals (from 13 May 2027 for all Data Fiduciaries). NCIIPC is notified in parallel for Protected Systems. Pre-staged templates, identified authority contacts, and rehearsed escalation are the difference between routine compliance and a missed clock.
Audit-fatigue payoff
A single coordinated incident notification programme — pre-staged templates, authority-contact register, escalation matrix, tabletop exercise records, concurrent-submission workflow — satisfies the notification requirements of all 14 contributing frameworks. Without coordination, the auditor sees 6 independent reporting processes and 6 independent clocks (most of which will have been missed during a real incident). With coordination, the auditor sees one CCMP (Cyber Crisis Management Plan) with one IR runbook that surfaces all regulator clocks in parallel, and the operational evidence (recent submissions, tabletop reports) shows that the coordination actually works. The Multi-Regulator Incident Reporting Timeline tool in the ControlForge Tools surface operationalises this directly.
Strictness matrix
Scope
Notification scope: ANY cyber security incident per the CERT-In Direction 70B 20-category list — including ransomware, data breaches, identity theft, DDoS, unauthorised access, IT system fraud, attacks on critical systems, intrusions, defacement, exposed databases, cryptojacking, supply chain attacks. The CERT-In scope is the baseline for all sectoral notifications; sectoral regulators add their own additional categories on top.
Ceiling source: cert_in:CERTIN.11
Rationale: The CERT-In Directions of 28 April 2022, issued under Section 70B of the IT Act, specify the broadest, most-categorised incident scope. The 20 listed categories are the audit-defensible scope; sectoral regulators (RBI, SEBI, IRDAI, DPBI) layer additional categories on top.
Threshold
Threshold: 6 hours from internal awareness (not public disclosure) is the universal floor for cyber-incident reporting. The "awareness" timestamp starts the clock: typically when a SIEM alert is investigated and confirmed as an incident, OR when an employee reports an observed event that triggers investigation. Note that the CERT-In wording is "noticing" or "being brought to notice", so the defensible anchor is the earlier of confirmation and first notice; record the first-notice timestamp, not just the confirmation timestamp, because the regulator may measure from it. For a DPDPA personal-data breach (from 13 May 2027): "without undue delay" initial notification + 72-hour detailed report, interpreted consistently with the 6-hour floor where personal data is involved.
Ceiling source: cert_in:CERTIN.1
Rationale: The 6-hour CERT-In threshold is the tightest universal floor and starts at internal awareness. RBI and SEBI sectoral guidance reinforce the 6-hour clock for in-scope incidents. The internal-awareness anchor (not public disclosure) is the operationally strictest interpretation.
Method
Method: (1) documented Incident Response Management plan covering detection, classification, response team, escalation, communication, runbooks per incident category, post-incident review; (2) pre-staged authority-contact register for CERT-In, RBI CIMS, SEBI, IRDAI, DPBI (from 2027), NCIIPC (where applicable); (3) pre-staged submission templates per regulator in the prescribed format; (4) tested escalation matrix with role-based accountability; (5) tabletop and live exercises (at least annual, more frequent for critical entities); (6) coordination with sectoral-regulator specific channels (RBI CIMS, SEBI portal, IRDAI prescribed format).
Ceiling source: sebi_cscrf:CSCRF.RS.1
Rationale: SEBI CSCRF RS.1 specifies the most comprehensive IR Management plan requirements, including the pre-staged submission template element that is uniquely strict. Pre-staging is what keeps a real incident on the clock instead of discovering the prescribed format mid-response.
Frequency
Exercise cadence: annual tabletop minimum across CCMP / IR plan; critical entities (Maturity Level 4 banks, MIIs, Qualified SEBI REs) conduct cyber-range exercises (technical-team hands-on simulation) + cross-functional tabletop (executive sponsors + IT + business heads + legal + communications) + Board-level scenario rehearsal. Multi-level rehearsal at minimum annually; more frequent (quarterly) for the technical-team cyber-range component.
Ceiling source: rbi_csf:RBI.RS.7
Rationale: RBI CSF RS.7 articulates the strictest exercise frequency through its three-level rehearsal model. Other frameworks require "exercises" but do not specify multi-level rehearsal. The RBI specification is the audit-defensible cadence for critical entities.
Evidence
Required evidence: (1) IR Management plan document with all elements; (2) authority-contact register with current contact details + submission channels; (3) submission templates per regulator (CERT-In incident format, RBI CIMS template, SEBI prescribed format, IRDAI format, DPBI from 2027); (4) recent incident submissions for each applicable regulator (sample minimum 1 per regulator per 12-month period); (5) tabletop exercise records with after-action reports; (6) post-incident lessons-learned cycle evidence; (7) forensic capability — internal team or CERT-In empanelled retainer with documented engagement terms.
Ceiling source: sebi_cscrf:CSCRF.RS.1
Rationale: SEBI CSCRF RS.1 evidence list combines plan documentation, submission evidence, and exercise records — the most comprehensive package. Demonstrating recent actual submissions to multiple regulators (not just template existence) is the audit-defensible evidence ceiling.
Auditor test pattern
Step 1: Inspect the IR Management plan; verify it covers all required phases and all applicable regulators. Step 2: Sample 1 actual incident from the past 12 months and trace through the response: detection timestamp, internal awareness, regulator notifications (CERT-In + sectoral + DPBI where applicable), timeline compliance per regulator. Step 3: Inspect the authority-contact register; verify currency (contact persons still in role). Step 4: Inspect the most recent tabletop / cyber-range exercise records; verify the multi-regulator coordination was actually rehearsed. Step 5: Verify the forensic capability — confirm CERT-In empanelment of the retainer firm or qualifications of the internal team.
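The clock trace in Step 2 (and the awareness-anchored threshold from the Threshold row above) can be run mechanically. The following is an added example, not the ControlForge Multi-Regulator Incident Reporting Timeline tool and not code from the original page: it derives the applicable clocks from an entity profile using the windows stated on this page, measures each submission against its deadline, and lets the anchor be switched to public disclosure to show how that mis-measurement hides late filings. The entity-profile flags, the sample incident, all timestamps and the function names are constructed for illustration; NCIIPC is tracked on the CERT-In clock because the page gives it no separate figure, and the DPBI "without undue delay" initial notice is modelled on the page's 6-hour reading, both as assumptions.

```python
"""Multi-regulator notification clock tracer (added example; constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

IST = timezone(timedelta(hours=5, minutes=30))
DPDPA_EFFECTIVE = datetime(2027, 5, 13, tzinfo=IST)  # Data Fiduciary obligations apply from this date


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass(frozen=True)
class Clock:
    regulator: str
    stage: str          # "initial" or "detailed"
    window: timedelta   # runs from the anchor timestamp


@dataclass(frozen=True)
class EntityProfile:
    """Which regulators the entity answers to (constructed flags, not a regulatory taxonomy)."""
    rbi_re: bool = False
    sebi_re: bool = False
    insurer: bool = False
    protected_system: bool = False
    data_fiduciary: bool = False


@dataclass
class Incident:
    detected_at: datetime                        # first telemetry, e.g. the SIEM alert
    aware_at: datetime                           # confirmed, or brought to notice (the real anchor)
    personal_data: bool = False
    public_disclosure_at: Optional[datetime] = None
    submissions: dict = field(default_factory=dict)  # (regulator, stage) -> submitted_at


def applicable_clocks(profile: EntityProfile, incident: Incident) -> list:
    """Clocks from this page's timelines, selected by entity profile and incident facts."""
    clocks = [Clock("CERT-In", "initial", hours(6))]           # every in-scope incident
    if profile.rbi_re:
        clocks += [Clock("RBI CIMS", "initial", hours(6)),
                   Clock("RBI CIMS", "detailed", timedelta(days=21))]
    if profile.sebi_re:
        clocks.append(Clock("SEBI", "initial", hours(6)))
    if profile.insurer:
        clocks.append(Clock("IRDAI", "initial", hours(24)))
    if profile.protected_system:
        # Assumption: no separate NCIIPC figure on the page, so it rides the CERT-In clock.
        clocks.append(Clock("NCIIPC", "initial", hours(6)))
    if (profile.data_fiduciary and incident.personal_data
            and incident.aware_at >= DPDPA_EFFECTIVE):
        # Assumption: "without undue delay" read as 6 hours, per this page; 72h detailed report.
        clocks += [Clock("DPBI", "initial", hours(6)),
                   Clock("DPBI", "detailed", hours(72))]
    return clocks


def trace(profile: EntityProfile, incident: Incident, now: datetime, anchor: str = "awareness") -> list:
    """One row per clock. anchor="public_disclosure" reproduces the common mis-measurement."""
    if anchor == "awareness":
        t0 = incident.aware_at
    elif anchor == "public_disclosure" and incident.public_disclosure_at is not None:
        t0 = incident.public_disclosure_at
    else:
        raise ValueError(f"cannot anchor at {anchor!r}")
    rows = []
    for clock in applicable_clocks(profile, incident):
        deadline = t0 + clock.window
        submitted = incident.submissions.get((clock.regulator, clock.stage))
        if submitted is None:
            status = "missed" if now > deadline else "open"
            slack = deadline - now
        else:
            status = "on_time" if submitted <= deadline else "late"
            slack = deadline - submitted       # negative means filed after the deadline
        rows.append({"regulator": clock.regulator, "stage": clock.stage,
                     "deadline": deadline, "submitted": submitted,
                     "status": status, "slack": slack})
    return rows


def breaches(rows: list) -> list:
    """(regulator, stage, status) for every clock that was filed late or not filed in time."""
    return [(r["regulator"], r["stage"], r["status"]) for r in rows if r["status"] in ("late", "missed")]


# Constructed sample: a SEBI RE that is also a Data Fiduciary, incident after DPDPA commencement.
PROFILE = EntityProfile(sebi_re=True, data_fiduciary=True)
INCIDENT = Incident(
    detected_at=datetime(2027, 6, 1, 9, 10, tzinfo=IST),
    aware_at=datetime(2027, 6, 1, 9, 40, tzinfo=IST),
    personal_data=True,
    public_disclosure_at=datetime(2027, 6, 2, 10, 0, tzinfo=IST),
    submissions={
        ("CERT-In", "initial"): datetime(2027, 6, 1, 15, 30, tzinfo=IST),  # 5h50m after awareness
        ("SEBI", "initial"):    datetime(2027, 6, 1, 16, 0, tzinfo=IST),   # 6h20m: late
        ("DPBI", "initial"):    datetime(2027, 6, 2, 11, 0, tzinfo=IST),   # next day: late
        ("DPBI", "detailed"):   datetime(2027, 6, 3, 12, 0, tzinfo=IST),   # inside 72h
    },
)
NOW = datetime(2027, 6, 5, tzinfo=IST)

if __name__ == "__main__":
    for anchor in ("awareness", "public_disclosure"):
        print(anchor, breaches(trace(PROFILE, INCIDENT, NOW, anchor)))
```

Run against the constructed incident, the awareness-anchored trace reports SEBI and the DPBI initial notice as late, while the same submissions anchored at public disclosure show no breach at all, which is finding (2) in the list below made visible. Feeding the register of real incidents through `trace` with the entity's actual profile gives the auditor's Step 2 evidence in one pass.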
Common findings
Common 2024–26 findings: (1) "Without undue delay" interpreted as up to 72 hours, collapsing the tier; the 6-hour CERT-In clock is the actual minimum; (2) 6-hour clock measured from public disclosure rather than internal awareness, so submissions are typically days late; (3) DPBI submission channel not pre-identified, so discovery happens mid-incident; (4) Sectoral regulators not coordinated: the CERT-In 6-hour deadline is missed while the DPBI filing dominates attention (or vice versa); (5) Tabletop exercises held annually but recycled with the same scenario every year, so multi-regulator coordination is never specifically rehearsed; (6) CCMP exists but is not BCP-integrated, leaving two uncoordinated recovery paths; (7) CERT-In submission delegated to an MSSP without RE oversight of the timing.