How Do Organizations Coordinate with Law Enforcement During Major Cybersecurity Incidents?


Introduction

In today’s hyperconnected digital economy, the stakes of a cybersecurity incident have never been higher. Ransomware, advanced persistent threats (APTs), business email compromise (BEC), and sophisticated supply chain breaches are not just technical glitches — they are national security and economic risks. When a major incident occurs, organizations cannot tackle the fallout alone. Coordinating with law enforcement is not just good practice — in many cases, it’s a legal obligation.

In this in-depth guide, I’ll explain exactly how Indian businesses, critical infrastructure operators, and even smaller organizations should engage with law enforcement during a serious cyber incident. You’ll see why timely collaboration with agencies like CERT-In, local cybercrime cells, and specialized task forces can make all the difference between chaos and containment.


Why Reporting Cyber Incidents to Law Enforcement Matters

When a company detects a significant breach — whether it’s ransomware, data theft, insider threat, or nation-state espionage — the immediate instinct may be to “handle it quietly.” Many fear reputational damage, regulatory fines, or customer backlash.

However, not involving law enforcement is short-sighted and can compound risks:

Attackers often target the same industries repeatedly. If you don’t share intelligence, the same group may hit others.

Criminals operate internationally. Tracking ransomware payments, crypto wallets, or botnet operators requires cross-border law enforcement coordination.

Victims gain support. Law enforcement can provide forensic expertise, help recover stolen funds, and sometimes assist with negotiations.

Compliance. Under India’s DPDPA 2025 and CERT-In directives, certain incidents must be reported within strict timeframes. Failing to do so can mean heavy penalties.


Step 1: Prepare Before an Incident Occurs

Proactive relationships are crucial. Many Indian businesses make the mistake of Googling “cybercrime police” for the first time after a breach.

Instead, you should:

Identify Local Cybercrime Cells
Each state in India now has dedicated cybercrime units and cyber police stations. Note your nearest office.

Register with CERT-In
For critical infrastructure operators, banks, and large companies, registering with India’s Computer Emergency Response Team (CERT-In) establishes escalation channels in advance, so that a report during an incident does not start from a cold contact.

Know Global Contacts
If your company operates internationally, identify contacts in Interpol, Europol, or other global cybercrime task forces.

Add to the Incident Response Plan (IRP)
Your IRP should name the exact steps, contacts, and escalation triggers for law enforcement notification.


Step 2: Detection and Initial Containment

When an incident is detected:

Isolate and contain systems to prevent spread.

Preserve evidence carefully. Logs, disk images, ransom notes, malicious binaries — do not wipe infected systems before collecting forensic snapshots.

Engage your internal legal and compliance teams. They can advise on mandatory notification windows under DPDPA or sectoral rules (like RBI guidelines for financial institutions).


Step 3: Notify Law Enforcement Promptly

Depending on the severity, reach out to:

CERT-In — For significant breaches, critical infrastructure incidents, or large personal data leaks.

Local Cybercrime Police — They handle fraud, phishing, ransomware extortion, online harassment, and intellectual property theft.

Specialized Task Forces — Large attacks may involve the National Critical Information Infrastructure Protection Centre (NCIIPC) or the Indian Computer Emergency Response Team for National Critical Information Infrastructure.

Industry CERTs — Many industries, such as banking and telecom, have their own sector-specific Computer Emergency Response Teams.


Step 4: What Law Enforcement Needs from You

To help you effectively, agencies need clear, well-organized information:

Incident Timeline: How and when the attack was detected, steps taken, and current impact.

Indicators of Compromise (IoCs): IP addresses, domain names, malware hashes.

Evidence: Forensic images, logs, communications with attackers (for ransomware or BEC), email headers.

Potential Data Impact: What personal, financial, or confidential information was exposed.

Contact Points: One or two senior staff who can provide updates and coordinate evidence handover.

Remember: law enforcement is not there to fix your servers. Their job is to investigate, trace threat actors, and help recover assets where possible.
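The evidence and IoC items listed above (and the "preserve evidence carefully" step earlier) are easiest to hand over if they are hashed and inventoried at collection time, so the receiving agency can later prove nothing changed in transit. The following script is an added example and is not part of the original article or any agency's tooling: it hashes every artefact in a directory, writes a chain-of-custody manifest with the collector's name and a UTC timestamp, attaches the IoC list, and can re-verify the directory against that manifest. The ransom note, proxy log line, IP address and domain it uses are constructed placeholders (RFC 5737 documentation range, `.example` domain), and the manifest layout is a simple JSON structure of my own rather than a standard such as STIX.

```python
# Added example (not from the original article): hash evidence artefacts and
# record a chain-of-custody manifest for handover to law enforcement.
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed IoC records for the illustration. Values are documentation
# placeholders (RFC 5737 address, .example domain), not real indicators.
SAMPLE_IOCS = [
    {"type": "ipv4", "value": "203.0.113.45", "context": "C2 beacon seen in proxy logs"},
    {"type": "domain", "value": "update-check.example", "context": "payload download host"},
]


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so a multi-GB disk image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir: Path, collected_by: str, iocs: list) -> dict:
    """Record every artefact with its size and hash, plus who collected it and when."""
    artefacts = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        artefacts.append({
            "name": str(path.relative_to(evidence_dir)),
            "size_bytes": path.stat().st_size,
            "sha256": sha256_file(path),
        })
    return {
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "artefacts": artefacts,
        "iocs": iocs,
    }


def manifest_digest(manifest: dict) -> str:
    """Hash of the canonical JSON form of the manifest. Read this value to the
    receiving officer over a separate channel (phone, in person) so the package
    itself cannot be swapped without detection."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(evidence_dir: Path, manifest: dict) -> list:
    """Return the names of artefacts that are missing or whose hash no longer matches."""
    problems = []
    for entry in manifest["artefacts"]:
        path = evidence_dir / entry["name"]
        if not path.is_file() or sha256_file(path) != entry["sha256"]:
            problems.append(entry["name"])
    return problems


def make_sample_evidence() -> Path:
    """Write two constructed artefacts (a ransom note and a proxy log excerpt)
    into a fresh temporary directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="evidence_"))
    # Constructed sample content; not taken from any real incident.
    (root / "ransom_note.txt").write_text("YOUR FILES ARE ENCRYPTED. Contact us at ...\n")
    (root / "proxy.log").write_text(
        "2025-03-01T02:14:07Z 10.0.0.15 -> 203.0.113.45:443 CONNECT\n"
    )
    return root


if __name__ == "__main__":
    evidence = make_sample_evidence()
    manifest = build_manifest(evidence, "IR lead (constructed name)", SAMPLE_IOCS)
    out = evidence.parent / (evidence.name + "_MANIFEST.json")
    out.write_text(json.dumps(manifest, indent=2))
    print("manifest written to:", out)
    print("manifest digest:", manifest_digest(manifest))
    print("integrity problems:", verify_manifest(evidence, manifest))
```

Run it once at collection and keep the printed digest in the incident log; run `verify_manifest` again when the package is handed over and when it is returned, and record both results alongside the communication log the article recommends in Step 6.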


Step 5: Working with Law Enforcement in Practice

Example: A Ransomware Hit

Imagine an Indian hospital hit by ransomware encrypting patient records. After isolating infected systems, the IT head calls the state’s cybercrime police. Officers arrive, collect logs, and link the ransomware variant to an international syndicate also being tracked by Interpol.

The hospital also informs CERT-In, which issues an advisory to other hospitals. Law enforcement contacts crypto exchanges to track potential ransom payments and block suspicious wallet transfers.

By coordinating early, the hospital avoids paying the ransom, restores from backups, and helps authorities disrupt the broader attack network.


Step 6: Navigating Legal and PR Complexities

Stay Transparent but Careful

Work with law enforcement on what can be disclosed to the public. Be factual but avoid harming the investigation.

Communicate With Victims

If customers or partners are affected, India’s data protection rules may require you to inform them. Law enforcement can guide how to share details without tipping off attackers.

Keep Records

Maintain detailed logs of your communication with the police and CERT-In. This helps during compliance audits and insurance claims.


Step 7: Learning and Strengthening

Post-incident, law enforcement may share threat intelligence — new IoCs, tactics, or foreign links. Use this data to strengthen defenses.

Update your incident response plan with lessons learned.

Contribute insights to your industry ISAC (Information Sharing and Analysis Centre).

Train your teams on real-world attack scenarios.
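When law enforcement or CERT-In shares new IoCs after an incident, the first defensive use is a sweep of your own logs for those indicators. The script below is an added example, not code from the original article or from any agency: it extracts IPv4 addresses, hostnames and SHA-256 hashes from constructed proxy, DNS and EDR log lines and matches them against a constructed indicator list, including parent-domain matching so that a subdomain of a shared domain is still flagged. Every address, domain and hash in it is a placeholder (RFC 5737 ranges, a `.example` domain, a repeated `deadbeef` hash), and the log formats are invented for the illustration.

```python
# Added example (not from the original article): sweep local logs for indicators
# shared by law enforcement or CERT-In after an incident. All values are constructed.
import ipaddress
import re
from typing import Optional

# Constructed indicator feed, in the shape an advisory might be transcribed into.
# Addresses are RFC 5737 documentation ranges; the hash is an obvious placeholder.
RECEIVED_IOCS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"update-check.example"},
    "sha256": {"deadbeef" * 8},
}

# Constructed log lines from three hypothetical sources: proxy, DNS resolver, EDR agent.
SAMPLE_LOGS = [
    "2025-03-01T02:14:07Z proxy src=10.0.0.15 dst=203.0.113.45:443 action=CONNECT",
    "2025-03-01T02:14:09Z dns client=10.0.0.15 query=cdn.update-check.example type=A",
    "2025-03-01T02:15:30Z proxy src=10.0.0.22 dst=192.0.2.10:443 action=CONNECT",
    "2025-03-01T02:16:02Z edr host=ws-17 sha256=" + "deadbeef" * 8 + " path=C:\\Users\\Public\\svc.exe",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def extract_candidates(line: str) -> dict:
    """Pull every value from a log line that could be compared against an indicator."""
    lowered = line.lower()
    ipv4 = set()
    for token in IPV4_RE.findall(lowered):
        try:
            ipaddress.IPv4Address(token)  # drops non-addresses such as 999.1.1.1
            ipv4.add(token)
        except ValueError:
            pass
    return {
        "ipv4": sorted(ipv4),
        "domain": sorted(set(DOMAIN_RE.findall(lowered))),
        "sha256": sorted(set(SHA256_RE.findall(lowered))),
    }


def matching_domain(candidate: str, known: set) -> Optional[str]:
    """Match a hostname against the indicator set including its parent domains,
    so cdn.bad.example is caught when the shared indicator is bad.example."""
    labels = candidate.split(".")
    for i in range(len(labels) - 1):
        parent = ".".join(labels[i:])
        if parent in known:
            return parent
    return None


def sweep(lines, iocs) -> list:
    """Return (line_number, ioc_type, indicator, observed_value) for every hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        found = extract_candidates(line)
        for value in found["ipv4"]:
            if value in iocs["ipv4"]:
                hits.append((number, "ipv4", value, value))
        for value in found["domain"]:
            parent = matching_domain(value, iocs["domain"])
            if parent:
                hits.append((number, "domain", parent, value))
        for value in found["sha256"]:
            if value in iocs["sha256"]:
                hits.append((number, "sha256", value, value))
    return hits


if __name__ == "__main__":
    for hit in sweep(SAMPLE_LOGS, RECEIVED_IOCS):
        print(hit)
```

Each hit carries the original line number and the observed value, which is what you would pass back to the agency to confirm the indicator was seen, and what you would add to the incident record when updating the response plan.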


Practical Tips for Small Businesses and the Public

Individuals: Report scams, ransomware, and fraud via the National Cybercrime Reporting Portal (cybercrime.gov.in). Many cases, especially financial fraud, can be stopped if reported quickly.

SMEs: Build ties with local police and your industry’s security community. A ransomware attack on a small business can still benefit from CERT-In’s guidance and tools.

Never pay silently. Many criminals threaten victims into secrecy. Reporting helps everyone and can reduce your liability.


Example of Global Coordination

In 2024, Indian law enforcement helped dismantle a Southeast Asian phishing gang that targeted thousands of Indian credit card holders. The success hinged on victims reporting quickly and sharing digital evidence — which allowed Interpol to trace infrastructure back to multiple countries.


Conclusion: Stronger Together

No company, no matter how big, can fight cybercrime alone. The most sophisticated threat actors are organized, well-funded, and often shielded by cross-border complexities.

Effective incident response is about people, process, and partnerships. By proactively building relationships with India’s cybercrime agencies, preparing detailed playbooks, and reporting incidents early, organizations protect themselves and contribute to a safer digital economy for everyone.

In the end, coordination with law enforcement is not just a checkbox in your IRP — it’s the lifeline that transforms a chaotic breach into an opportunity to defend, recover, and build resilience.

shubham