Reporting of Cybersecurity Incidents - the People’s Bank of China Issues Draft
Published 7 February 2025
Sarah Xuan
To address the new challenges of cybersecurity, further regulate the reporting of cybersecurity incidents within the business domain of the People’s Bank of China (PBOC), and better safeguard financial services and maintain financial security, the People’s Bank of China drafted the “Administrative Measures for the Reporting of Cybersecurity Incidents in the Business Domain of the People’s Bank of China (Draft for Public Consultation)” (hereinafter referred to as the “Measures”). These measures were released on January 26, 2025, and are open for public consultation until February 24, 2025.
The “Measures” consist of five chapters: General Provisions, Classification of Cybersecurity Incidents, Reporting of Cybersecurity Incidents, Legal Responsibilities, and Supplementary Provisions, with a total of 32 articles. This article will focus on the key contents of the “Measures”, specifically the classification of cybersecurity incidents and related reporting requirements.
I. Classification of Cybersecurity Incidents
According to the “Measures”, financial institutions must formulate and periodically update their cybersecurity incident classification standards. Based on a comprehensive assessment of the impact on operations, funds, customers, and public opinion, the “Measures” categorize incidents into four levels: “Extremely Significant,” “Significant,” “Relatively Significant,” and “General”, and establish corresponding baseline classification criteria:
1. Extremely Significant Cybersecurity Incidents
According to the “Measures”, any of the following situations shall be classified as an Extremely Significant Cybersecurity Incident:
1) Interruption of critical financial services: The PBOC business network serving over 50 million customers experiences a complete outage for more than 3 hours across at least two provincial-level regions or for more than 6 hours within a single provincial-level region during peak operational hours.
2) Large-scale customer impact: The incident affects over 10 million customers.
3) Compromise of core data: Occurrence of core data leakage, tampering, or destruction.
4) Massive personal data exposure: Leakage of over 10 million pieces of sensitive information or 1 billion pieces of general personal information.
5) Regulatory determination: The incident is classified as Extremely Significant by the Cyberspace Administration of China (CAC), public security agencies, or the People’s Bank of China.
2. Significant Cybersecurity Incidents
According to the “Measures”, any of the following situations shall be classified as a Significant Cybersecurity Incident:
1) Interruption of financial services: The PBOC business network serving over 50 million customers experiences a complete outage for more than 1.5 hours across at least two provincial-level regions or for more than 3 hours within a single provincial-level region during peak operational hours.
2) Customer impact: The incident affects over 1 million customers.
3) Important data breach: Occurrence of important data leakage, tampering, or destruction.
4) Significant personal data exposure: Leakage of over 1 million pieces of sensitive information or 10 million pieces of general personal information.
5) Regulatory determination: The incident is classified as Significant by the CAC, public security agencies, or the People’s Bank of China.
3. Relatively Significant Cybersecurity Incidents
According to the “Measures”, any of the following situations shall be classified as a Relatively Significant Cybersecurity Incident:
1) Interruption of financial services: The PBOC business network serving over 50 million customers experiences a complete outage for more than 15 minutes across at least two provincial-level regions or for more than 30 minutes within a single provincial-level region during peak operational hours.
2) Customer impact: The incident affects over 100,000 customers.
3) Personal data leakage: Leakage of over 500 pieces of sensitive information or 50,000 pieces of general personal information.
4) Public attention: The incident triggers widespread discussion on social media or news platforms.
5) Ransomware attack: The institution experiences a ransomware attack that poses a threat to its operations.
6) Regulatory determination: The incident is classified as Relatively Significant by the CAC or public security agencies.
4. General Cybersecurity Incidents
According to the “Measures”, any of the following situations shall be classified as a General Cybersecurity Incident:
1) Interruption of financial services: The PBOC business network experiences a complete outage for more than 15 minutes across at least two provincial-level regions or for more than 30 minutes within a single provincial-level region.
2) Business impact: Service disruption affects more than 10,000 customers, or a non-customer-facing network function is disrupted for more than 1 hour.
3) Data compromise: Occurrence of data leakage, tampering, or destruction, causing social harm.
4) Personal data exposure: Any leakage of personal information.
5) Regulatory determination: The incident is classified as General by the CAC or public security agencies.
Additionally, the “Measures” specify that when cybersecurity incidents occur in financial infrastructures managed by the People’s Bank of China, financial institutions must coordinate with the relevant operating entities to establish a unified classification standard. This requirement ensures consistency in risk assessment and response strategies, preventing misjudgments that could compromise the security and stability of the overall financial system.
Furthermore, the “Measures” mandate that financial institutions must evaluate incidents against the established classification criteria, assess the severity, and assign the highest applicable classification. If an incident meets multiple classification criteria, it should be classified according to the most severe impact. If classification is uncertain, it should be treated as at least a Relatively Significant Cybersecurity Incident. If an incident escalates in severity, financial institutions must immediately adjust its classification and implement appropriate measures to ensure timely and effective risk containment.
The classification framework outlined in the “Measures” provides a structured, hierarchical standard that enhances financial institutions’ ability to respond to cybersecurity threats and ensures the stable operation of the financial system. The classification criteria consider factors such as service downtime, affected customer numbers, data exposure levels, public opinion impact, and regulatory determination, making the framework highly practical and adaptable.
However, several challenges may arise in practice:
1) Applicability of classification standards. Financial institutions vary in size and technological infrastructure, making a unified standard difficult to apply to smaller institutions. Therefore, additional refinements may be needed.
2) Data collection and assessment difficulties. During sudden cybersecurity incidents, institutions must rapidly assess the number of affected customers and the extent of data exposure. However, obtaining accurate data in real time is often challenging, potentially affecting the timeliness and accuracy of classification.
3) Cross-institutional coordination and information sharing. Cybersecurity incidents often involve multiple institutions, but the current classification system mainly relies on individual institutions’ assessments. Enhancing cross-institutional cooperation and data sharing mechanisms is necessary to prevent information silos.
II. Reporting of Cybersecurity Incidents
The “Measures” establish comprehensive and detailed regulations regarding reporting procedures, reporting timelines, reporting channels, report content, special reporting circumstances, and responsibility identification. At the same time, the “Measures” explicitly state that financial institutions must clarify their division of responsibilities, ensuring that reports are timely, accurate, and complete and prohibiting delays, omissions, or concealment of reports. Additionally, financial institutions must enhance their cybersecurity risk monitoring and early warning systems, improving their ability to detect and report cybersecurity incidents at the earliest possible time. Meanwhile, the reporting process must not interfere with business recovery, evidence preservation and traceability, customer communication, or public opinion management.
1. Reporting Procedures
The “Measures” stipulate the reporting channels for different types of financial institutions:
1) Head offices of the China Development Bank, policy banks, state-owned commercial banks, and Postal Savings Bank of China must directly report to the People’s Bank of China (PBOC). Their branches must report to the local branch of the PBOC.
2) Subsidiaries of the PBOC and financial infrastructure operators managed by the PBOC must report directly to the PBOC headquarters.
3) Other financial institutions and their branches must report to the local branch of the PBOC.
4) Securities, futures, and fund institutions must first submit reports to the China Securities Regulatory Commission (CSRC) local office, which will then forward the report to the corresponding PBOC branch.
Additionally, the “Measures” establish a tiered reporting system, which requires:
1) Municipal-level PBOC branches that receive reports of Relatively Significant cybersecurity incidents or above to escalate them to the provincial-level PBOC branch.
2) Provincial-level PBOC branches that receive reports of Significant cybersecurity incidents or above to escalate them to the PBOC headquarters.
2. Reporting Timelines
1) Initial Incident Report
For Relatively Significant cybersecurity incidents or above, financial institutions must submit an initial brief report within 30 minutes and a more detailed incident report within 2 hours.
2) Interim Progress Reports
a) For Significant cybersecurity incidents or above, financial institutions must submit progress reports at least every 2 hours until the incident is fully resolved.
b) If there are major developments (such as an escalation in severity, discovery of new issues, or important progress in resolution), financial institutions must immediately report the updates.
3) Post-Incident Investigation and Summary Report
a) For General cybersecurity incidents or above, financial institutions must submit a post-incident investigation and summary report within 10 business days after the incident is resolved.
b) If unable to meet the deadline, financial institutions must first submit a preliminary report, stating the expected submission date of the final report, which should generally not exceed 40 business days after the incident resolution.
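To make the classification rules in Section I, the tiered escalation in Section II.1 and the reporting clock in Section II.2 concrete, the following Python is an added example written for this page; it is not code from the draft “Measures”, the PBOC, or the article. It encodes the baseline thresholds as they are summarised above, applies the “most severe criterion wins” and “uncertain means at least Relatively Significant” rules, and derives the reporting deadlines for a given level. The field names on the Incident record, the numeric level scale, the single regulator_level field (the draft distinguishes which authority may determine which level) and the weekday-only business-day calendar are assumptions of the example, not definitions from the draft.

```python
# Added example (not from the draft Measures or the article). Field names, the numeric
# level scale and the weekday-only calendar are this example's own assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    NONE = 0
    GENERAL = 1
    RELATIVELY_SIGNIFICANT = 2
    SIGNIFICANT = 3
    EXTREMELY_SIGNIFICANT = 4


@dataclass
class Incident:
    network_customers: int = 0              # customers served by the affected network
    outage_minutes: float = 0               # length of a complete outage
    provinces_affected: int = 0             # provincial-level regions covered by it
    during_peak_hours: bool = False
    customers_affected: int = 0
    noncustomer_function_outage_minutes: float = 0
    data_compromised: Optional[str] = None  # None, "general", "important" or "core"
    social_harm: bool = False
    sensitive_pi_records: int = 0           # leaked sensitive personal information
    general_pi_records: int = 0             # leaked general personal information
    public_attention: bool = False          # widespread social media or news discussion
    ransomware_threatens_operations: bool = False
    regulator_level: Level = Level.NONE     # level set by CAC, public security or PBOC
    classification_uncertain: bool = False


def _outage_exceeds(inc: Incident, multi_min: float, single_min: float) -> bool:
    """Thresholds differ for two or more provincial regions versus a single one."""
    if inc.provinces_affected >= 2:
        return inc.outage_minutes > multi_min
    return inc.provinces_affected == 1 and inc.outage_minutes > single_min


def classify(inc: Incident) -> Level:
    """Highest level whose baseline criteria are met; uncertainty floors at level 2."""
    large_peak = inc.network_customers > 50_000_000 and inc.during_peak_hours
    E, S, R, G = (Level.EXTREMELY_SIGNIFICANT, Level.SIGNIFICANT,
                  Level.RELATIVELY_SIGNIFICANT, Level.GENERAL)
    criteria = [
        (E, large_peak and _outage_exceeds(inc, 180, 360)),
        (E, inc.customers_affected > 10_000_000),
        (E, inc.data_compromised == "core"),
        (E, inc.sensitive_pi_records > 10_000_000 or inc.general_pi_records > 1_000_000_000),
        (S, large_peak and _outage_exceeds(inc, 90, 180)),
        (S, inc.customers_affected > 1_000_000),
        (S, inc.data_compromised == "important"),
        (S, inc.sensitive_pi_records > 1_000_000 or inc.general_pi_records > 10_000_000),
        (R, large_peak and _outage_exceeds(inc, 15, 30)),
        (R, inc.customers_affected > 100_000),
        (R, inc.sensitive_pi_records > 500 or inc.general_pi_records > 50_000),
        (R, inc.public_attention),
        (R, inc.ransomware_threatens_operations),
        (G, _outage_exceeds(inc, 15, 30)),  # no network-size or peak-hour condition
        (G, inc.customers_affected > 10_000 or inc.noncustomer_function_outage_minutes > 60),
        (G, inc.data_compromised is not None and inc.social_harm),
        (G, inc.sensitive_pi_records > 0 or inc.general_pi_records > 0),  # any PI leak
        (inc.regulator_level, True),  # a regulator's determination stands as given
    ]
    level = max((lvl for lvl, met in criteria if met), default=Level.NONE)
    if inc.classification_uncertain:
        level = max(level, Level.RELATIVELY_SIGNIFICANT)
    return level


def escalation_path(level: Level, receiving_office: str) -> list:
    """Offices a report reaches under the tiered system (Section II.1)."""
    path = [receiving_office]
    if receiving_office == "municipal" and level >= Level.RELATIVELY_SIGNIFICANT:
        path.append("provincial")
    if path[-1] == "provincial" and level >= Level.SIGNIFICANT:
        path.append("headquarters")
    return path


def add_business_days(start: datetime, days: int) -> datetime:
    """Counts Monday to Friday only; statutory holidays are not modelled (assumption)."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:
            days -= 1
    return current


def reporting_deadlines(level: Level, detected_at: datetime,
                        resolved_at: Optional[datetime] = None) -> dict:
    """Reporting clock from Section II.2, keyed by report type."""
    deadlines = {}
    if level >= Level.RELATIVELY_SIGNIFICANT:
        deadlines["initial_brief_report"] = detected_at + timedelta(minutes=30)
        deadlines["detailed_report"] = detected_at + timedelta(hours=2)
    if level >= Level.SIGNIFICANT:
        deadlines["progress_report_interval"] = timedelta(hours=2)
    if level >= Level.GENERAL and resolved_at is not None:
        deadlines["summary_report"] = add_business_days(resolved_at, 10)
        deadlines["summary_report_extended"] = add_business_days(resolved_at, 40)
    return deadlines
```

Two design points are worth noting. First, classify() evaluates every criterion and keeps the maximum rather than returning on the first match, which is what the “most severe impact applies” rule requires; a 20-minute outage across two provinces on a large network during peak hours lands at Relatively Significant, while the same outage in a single province meets no threshold at all. Second, the uncertainty floor is applied after the maximum, so it can only raise a level, never lower one, and the same function can simply be re-run as an incident escalates and the record is updated.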
3. Reporting Channels and Methods
1) For initial incident and interim progress reports, financial institutions may report through telephone, instant messaging tools, email, fax, or the designated PBOC reporting system. Notably, the “Measures” specify that sensitive information must not be transmitted via internet-based communication channels. In addition, when using email or fax, financial institutions must confirm receipt by the PBOC or its branches via telephone or instant messaging tools.
2) For post-incident investigation and summary reports, financial institutions must submit a hard copy with an official institutional seal. If the PBOC requires electronic submissions, financial institutions must comply with these electronic reporting requirements.
4. Report Content
According to the “Measures”, cybersecurity incident reports must contain the following elements:
1) The Initial Brief Incident Report must include the incident severity level (classified according to national standards), time of occurrence, category of cybersecurity incident, impacted business networks and their corresponding security protection levels, affected data centers, reporting institution and report submission time, and contact information of the reporting personnel.
2) The Detailed Incident Report must include all elements of the initial brief incident report, plus the scope and severity of the impact and the measures already taken and their effectiveness. For cybersecurity attacks, an analysis and assessment of the attack must also be provided.
3) Interim Progress Reports must include the latest determined severity level, changes in the impact scope, progress in handling the incident, and planned next steps. If the financial institution requires assistance from the PBOC or its branches, it must explicitly state the needed support.
4) The Post-Incident Investigation and Summary Report must include the final determined severity level of the incident, a review of the entire incident response process, the extent of the impact and a loss assessment, technical and managerial root cause analysis, lessons learned from the incident, follow-up improvement measures, reporting institution and report submission time, names and contact information of reporting personnel, and signatures of responsible officials.
5) Special Reporting for Personal Information Incidents. If a cybersecurity incident involves personal information, the Post-Incident Investigation and Summary Report must include the remedial measures taken by the institution to minimize harm, the legal notifications provided to affected individuals, and guidance on how affected individuals can mitigate potential damages. For Significant cybersecurity incidents or above, these details must also be included in the Interim Progress Reports.
5. Responsibility Identification
According to the “Measures”, for Relatively Significant cybersecurity incidents or above, financial institutions must clearly identify the directly responsible supervisory personnel and other accountable individuals and specify how these responsible parties will be held accountable.
Additionally, the “Measures” allow for mitigation or exemption of penalties for responsible personnel if one or more of the following conditions are met:
1) The institution proactively reported the incident and followed emergency response protocols, making the best efforts to minimize the impact.
2) The institution promoted secure and trustworthy network products and services and had no obvious subjective fault in the incident.
3) The institution fully implemented the PBOC’s cybersecurity and data security regulations and strictly followed its internal cybersecurity and data security policies.
Furthermore, the “Measures” require financial institutions to maintain a complete cybersecurity incident log, which must accurately record the incident occurrence time, the report submission time, the PBOC or branch contact person who received the report, and all reports submitted during the response process. The “Measures” also require that these logs be preserved for at least three years.
The “Measures” establish a systematic reporting mechanism for cybersecurity incidents in financial institutions, covering reporting procedures, timelines, reporting channels, content, and responsibility determination. This framework aligns with the Cybersecurity Law of the People’s Republic of China, the Data Security Law, and the Personal Information Protection Law, ensuring hierarchical incident classification, risk early warning, timely reporting, and clear accountability.
[Comment]
The Administrative Measures for the Reporting of Cybersecurity Incidents in the Business Domain of the People’s Bank of China (Draft for Public Consultation) represent a major step forward in China’s financial cybersecurity regulatory framework. By clarifying incident classification standards, refining reporting processes, setting strict reporting timelines, and strengthening accountability mechanisms, the “Measures” establish a transparent, efficient, and enforceable cybersecurity incident response system. This enhances the cybersecurity resilience of financial institutions and enables regulators to more accurately monitor industry risks.
Nevertheless, implementation challenges remain, including the applicability of classification standards, real-time data assessment difficulties, and cross-institutional coordination issues. Moving forward, regulators may introduce supplementary guidelines to enhance operational flexibility and improve industry collaboration, ensuring that the cybersecurity incident management system is both practical and effective in real-world applications.