India’s Computer Emergency Response Team (“CERT”) has published new obligations for how companies manage cyber risk that are expected to take effect on 29 June. These not only create new documentation and log retention requirements for various industry sectors but also require notification of data security incidents to regulators within 6 hours of the incidents. Notification requirements are triggered where certain types of cyberattacks are detected, even if there is no suspicion of access to personal data. The regulations leave some questions unanswered, such as their territorial scope and the range of personal data potentially impacted, and provide for civil and criminal penalties for non-compliance. In this video for our Global Data Protection Review series, Scott Loughlin, Global Co-Lead of the Privacy and Cybersecurity practice, discusses the new regulations with our local counsel contact in India, Stephen Mathias from Kochhar & Co.