Digital Risk, Privacy & Cyber Advisory

Cyber Incident Response & Digital Investigations

Integrated legal and technical response coordination for cyber incidents, data breaches, ransomware events and digital investigations — from the first hour through recovery.

6-Hour CERT-In Window

Overview

When a cyber incident strikes — whether a ransomware attack, data breach, business email compromise, or insider threat — the first hours are simultaneously the most technically critical and the most legally consequential. CERT-In's mandatory six-hour reporting window, DPDP Act notification obligations to the Data Protection Board, and sectoral reporting requirements to RBI, SEBI or IRDAI create an immediate regulatory clock that begins running from the moment of discovery. Simultaneously, decisions made in the first hours — about forensic preservation, stakeholder communications, and initial containment actions — can have lasting consequences for regulatory exposure, insurance claims, litigation risk, and reputational management.

Our Incident Response & Digital Investigations practice provides integrated legal and technical response coordination across the full lifecycle of a cyber event — from immediate containment and regulatory notification through forensic investigation oversight, stakeholder communications, litigation support, and post-incident remediation. We work alongside your internal teams and specialist technical responders, providing the legal framework, regulatory guidance, and governance oversight needed to manage the incident effectively while protecting your organisation's legal position throughout the response.

Our Services

Legal response coordination across every stage of a cyber incident.

Immediate Incident Response Advisory
Data Breach Response Strategy
Regulatory Notification Support (CERT-In, DPDP)
Forensic Investigation Coordination
Evidence Preservation & Chain of Custody
Litigation & Dispute Support
Crisis Management & Communication Strategy
Regulatory Liaison & Representation
Recovery & Remediation Planning
Cyber Insurance Claims Support
Digital Forensics Legal Oversight
Post-Incident Review & Lessons Learned

Legal & Regulatory Framework

Key obligations triggered at the moment of a cyber incident.

National Obligation
CERT-In 6-Hour Reporting

Mandatory reporting of prescribed cyber incidents to CERT-In within six hours of discovery — covering data breaches, ransomware attacks, unauthorised access, website defacements, and a range of other specified incidents. Non-compliance attracts criminal liability under the IT Act.

Data Protection
DPDP Act — Breach Notification

Data fiduciaries must notify the Data Protection Board of India and affected data principals upon a personal data breach — the timeline and manner of notification to be specified in rules under the DPDP Act, with penalties up to ₹200 crore for non-notification.

Legal Liability
IT Act — Sections 43A & 72A

Section 43A imposes compensatory liability on bodies corporate that fail to implement reasonable security practices, leading to wrongful loss or gain. Section 72A creates criminal liability for unauthorised disclosure of personal information obtained during lawful services.

Sectoral Reporting
RBI / SEBI / IRDAI Notifications

Regulated financial entities face parallel incident reporting obligations to their respective sectoral regulators — RBI requires cyber incident reporting within two to six hours; SEBI and IRDAI have their own timelines — all running concurrently with CERT-In obligations.

How We Work

Three response phases — structured for the realities of an active incident.

1. Immediate Response (0–24 Hours)

We mobilise immediately on notification of an incident — assessing the regulatory notification clock, advising on immediate containment decisions, briefing senior leadership and counsel, preserving legal privilege over investigation findings, and coordinating the first regulatory communications to CERT-In and sectoral regulators within mandatory timelines.

2. Investigation & Notifications (24–72 Hours)

We oversee forensic investigation from a legal perspective — ensuring evidence integrity, managing chain of custody, coordinating with technical forensic teams, preparing regulatory notifications, advising on affected individual notifications, managing insurer engagement, and developing the stakeholder communication strategy.

3. Remediation, Claims & Post-Incident Review

We support remediation planning, coordinate regulatory interactions and follow-up notifications, manage litigation exposure and insurance claims, and conduct a structured post-incident legal and governance review to strengthen resilience against future events and address any residual regulatory or liability risk.

Experienced a Cyber Incident?

Our incident response team provides immediate legal advisory from the first hour — regulatory notifications, forensic oversight, and stakeholder management.

Copyright © 2026 All Rights Reserved by Jaitley & Bakhshi.