Nearly two years after the ransomware compromise of C-Edge Technologies — the TCS-SBI joint venture that powers core banking for roughly 300 of India's smaller cooperative and regional rural banks — Indian regulators are still recalibrating their approach to third-party cyber risk. The July 2024 incident, which briefly knocked retail banking offline for millions of customers in tier-2 and tier-3 India, has become the reference case for nearly every supervisory circular, advisory and parliamentary discussion on financial-sector cybersecurity since. It is also a useful lens through which to evaluate whether India's emerging ransomware policy framework is genuinely raising resilience, or simply raising compliance costs.
The supervisory shift after C-Edge
The Reserve Bank of India had already issued its Master Direction on Outsourcing of Information Technology Services in April 2023, formalising due-diligence, audit and exit obligations for regulated entities relying on technology vendors. The C-Edge attack exposed how unevenly those obligations were being implemented across India's long tail of urban cooperative and regional rural banks, many of which had effectively delegated their entire IT estate to a single shared service provider. In the months that followed, the RBI tightened scrutiny of concentration risk in shared banking platforms and pushed boards to take direct ownership of vendor cyber posture rather than treating it as a procurement matter.
CERT-In, India's national computer emergency response team, has run parallel sectoral advisories on ransomware preparedness, segmentation of core banking environments, and offline backups. This is the right instinct. Ransomware is not primarily a paperwork problem — it is an operational continuity problem, and the C-Edge episode was resolved comparatively quickly precisely because affected banks could be isolated from the NPCI network while clean systems were restored.
The 6-hour reporting rule remains contested
Industry's principal friction point, however, remains the CERT-In Direction of April 28, 2022, issued under Section 70B of the Information Technology Act, 2000. The Direction requires reporting of a wide range of cyber incidents — including ransomware — within six hours of "noticing" them, alongside extensive log-retention obligations. Indian and global industry associations have pushed back consistently since the rule's issuance, arguing that six hours is operationally unrealistic for any organisation that has not yet completed even rudimentary triage.
The policy intent is sound: regulators need timely visibility into systemic incidents, and the C-Edge case demonstrated how quickly a single vendor compromise can cascade. But the practical effect of a six-hour clock is to incentivise either (a) precautionary over-reporting that drowns CERT-In in noise, or (b) late reporting after defensive lawyers get involved. Neither outcome serves the underlying goal. A tiered model — short-window notification of significant incidents affecting critical infrastructure, with longer, more substantive reports for everything else — would better mirror international practice, including the EU's NIS2 Directive (24-hour early warning, 72-hour incident notification) and the US Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA).
'No ransom' commitments and the limits of moral suasion
India is a participating member of the International Counter Ransomware Initiative (CRI), a US-led coalition that has, across successive summits, pushed member governments to commit that their own public-sector bodies will not pay ransoms, and to discourage payment by private entities. The political logic is straightforward: ransom payments fund the next attack. But the operational reality for an Indian cooperative bank watching its customers' salary credits stall is far less tidy.
A blanket 'no ransom' rule, if elevated from political commitment to legal prohibition, would have predictable consequences:
- Smaller institutions without mature backup regimes would bear disproportionate harm.
- Insurance markets for cyber cover, already thin in India, would contract further.
- Decisions that should be made in narrow operational windows would be pushed into regulatory grey zones.
A more proportionate path is to keep payment legal but heavily discouraged — through tax non-deductibility, mandatory disclosure of any payment to CERT-In and the regulator, and sanctions screening obligations modelled on the US Treasury OFAC advisory. This preserves boards' fiduciary discretion in genuinely catastrophic scenarios while removing the routine, frictionless payment pipeline that ransomware economics depends upon.
What proportionate policy looks like
The post-C-Edge moment is an opportunity to consolidate India's patchwork of cyber rules — the IT Act, CERT-In Directions, RBI Master Directions, SEBI's Cybersecurity Framework, and the forthcoming rules under the Digital Personal Data Protection Act, 2023 — into a coherent, risk-tiered regime. Three principles should guide that consolidation:
Resilience over reporting
A six-hour notification rule is worth less than a tested 24-hour recovery point objective. Regulators should reward demonstrated recovery capability — verified by independent red-team exercises — at least as much as paperwork compliance.
Concentration risk needs explicit supervision
The C-Edge incident was a concentration-risk event as much as a cybersecurity event. India's smaller banks rely on a handful of shared technology providers, and that structural reality is not going away. Rather than pretending each bank can independently harden a vendor it cannot meaningfully audit, the RBI should designate the third-party providers that are critical to the financial system and supervise them directly — an approach analogous to the EU's Digital Operational Resilience Act (DORA) regime for ICT third-party providers.
Information sharing should be the carrot, not just the stick
CERT-In's sectoral CSIRTs are valuable, but participation is uneven. A safe-harbour for good-faith, timely incident disclosure — protecting reporting entities from regulatory enforcement based solely on the contents of their disclosure — would meaningfully increase the quality of information CERT-In receives, and is consistent with the approach taken under CIRCIA in the United States.
India does not need to choose between a strict cybersecurity posture and a thriving digital economy. The former enables the latter. But strictness is not the same as severity, and the policy lessons from C-Edge point firmly towards proportionate, resilience-focused regulation rather than reflexive criminalisation of payment or unrealistically short reporting clocks. Getting that balance right is what will determine whether the next C-Edge-class incident — and there will be one — is a footnote or a crisis.