On 8 December 2023, the Cyberspace Administration of China (“CAC”) issued the Measures for the Management of Cybersecurity Incident Reporting (Draft for Public Comments) (“Draft”), together with the accompanying Guidelines for Grading Cybersecurity Incidents and the Cybersecurity Incident Information Reporting Form. These documents are intended to standardize the reporting of cybersecurity incidents, reduce the occurrence of such incidents, reduce the losses and hazards they cause, and safeguard national security.
As mentioned in our article published in July this year, China’s Cross-Border Data Transfer Rules Explained, China has in recent years actively developed its laws and regulations on data security protection and cross-border data flow. Legislative coverage has gradually expanded, and an initial but fairly complete legal framework for data security protection, personal information protection and cross-border data transfer is now in place. The Cybersecurity Law, the Personal Information Protection Law and the Data Security Law all contain provisions on cross-border data flow and together establish a basic management regime intended to allow data to flow freely, in an orderly and efficient manner, under secure conditions. The Measures for the Security Assessment of Outbound Data Transfer, released in July 2022, set out comprehensive and systematic requirements and specific legal mechanisms for the security review and assessment of personal information and important data transferred out of China. Because the network and data sector differs from traditional brick-and-mortar industries in its greater technical complexity and rapid pace of change, the security of data and networks has become a key concern for governments everywhere. China is therefore expected to continue introducing laws and regulations to secure the orderly development of the network and data industry.
The Draft sets out both the procedural and the content requirements for cybersecurity incident reporting. It specifies the standards for grading cybersecurity incidents in an annex, which will be an important guide for enterprises in meeting the reporting requirements and preventing cybersecurity risks. The essential contents of the Draft are summarised below.
I. Subjects and recipients of the report
1. Reporting subject: Network operators that build or operate networks in China, or that provide services through networks in China.
2. Reporting recipients: The Draft designates different recipients for an operator’s report depending on the type of network or system concerned, as follows:
1) Incidents in networks and systems belonging to central and state organs, and to the enterprises and institutions under their management, should be reported to the cyberspace administration work body of the relevant department;
2) Incidents in networks and systems that constitute critical information infrastructure should be reported to the critical information infrastructure protection department and to the public security organs;
3) Incidents in other networks and systems should be reported to the local cyberspace administration department.
In addition to the above, if the operator’s industry has a competent industry regulator, the operator should also report in accordance with that regulator’s requirements; and if the operator finds that a cybersecurity incident is suspected to involve a crime, it should at the same time report it to the public security authorities.
II. Specific requirements for cybersecurity incident reporting
1. Trigger for the reporting obligation: the occurrence of a cybersecurity incident. A cybersecurity incident is defined as an event that causes harm to a network or information system, or to the data it holds, as a result of human causes, software or hardware defects or failures, natural disasters or similar causes, and that has a negative impact on society.
2. Reporting content requirements: Operators should report incidents using the Cybersecurity Incident Information Reporting Form, and the report should include at least the following:
1) The name of the unit where the incident occurred and basic information about the facility, system or platform affected;
2) The time and place of discovery or occurrence of the incident, the type of incident, the impact and harm caused, and the measures taken and their effect. For ransomware attacks, the ransom amount demanded, the manner of payment and the payment date should also be included;
3) The expected development of the situation and the possible further impact and harm;
4) A preliminary analysis of the cause of the incident;
5) Leads needed for further investigation and analysis, including information on possible attackers, attack paths and the vulnerabilities present;
6) Further response measures to be taken and any requests for support;
7) Measures taken to preserve the incident scene;
8) Any other matters that should be reported.
3. Reporting time requirements: A cybersecurity incident that is graded as major, significant or especially significant under the Guidelines for Grading Cybersecurity Incidents should be reported within one hour. If the cause, impact or expected development of the incident cannot be determined within one hour, the information in items 1) and 2) above may be reported first, with the remaining items supplied in a supplementary report within 24 hours.
4. Progress reports on the incident:
1) If new and important circumstances emerge after a cybersecurity incident has been reported, or if the investigation reaches a new stage, this should be reported in a timely manner;
2) After the incident has been handled, the operator should, within five working days, carry out a comprehensive analysis of the cause of the incident, the emergency response measures taken, the harm caused, accountability, rectification and lessons learned, compile the findings into a summary report, and submit it through the original reporting channel.
5. Suppliers’ reminder and reporting obligations: when an organization or individual providing services to an operator discovers that a major, significant or especially significant cybersecurity incident has occurred at the operator, it shall remind the operator to report the incident in accordance with the Draft; if the operator intentionally conceals the incident or refuses to report it, the supplier may report the incident to the local cyberspace administration department or to the national cyberspace administration department.
6. Social supervision: social organizations and individuals are encouraged to report major, significant or especially significant cybersecurity incidents to the cyberspace administration department.
III. Legal responsibility
1. Subjects of penalties: the operator and the responsible persons concerned.
2. Basis for penalties: The Draft does not itself set out legal liabilities. Instead, through cross-referencing provisions, it makes clear that an operator that violates the cybersecurity incident reporting requirements shall be penalized by the cyberspace administration department in accordance with the relevant laws and administrative regulations, such as the Cybersecurity Law, the Personal Information Protection Law, the Data Security Law, the Regulations on the Protection of Critical Information Infrastructure and other relevant provisions.
3. Circumstances affecting penalties:
1) Aggravating circumstances: If an operator’s late reporting, omission, false reporting or concealment of a cybersecurity incident causes significant harmful consequences, the operator and the responsible persons concerned shall be penalized more severely in accordance with the law;
2) Exempting or mitigating circumstances: If, when a cybersecurity incident occurs, the operator has taken reasonable and necessary protective measures, has reported the incident on its own initiative in accordance with the Draft, has handled the incident in accordance with its emergency response plan and has made its best efforts to minimize the impact of the incident, the operator and the responsible persons concerned may, depending on the circumstances, be exempted from liability or have their liability mitigated.
The Draft would put in place a formal reporting mechanism for cybersecurity incidents, further enriching and improving China’s cybersecurity and data security laws. The deadline for public comments is 7 January 2024; the Draft will be revised in light of the comments and suggestions received and then formally published.