On December 8, 2023, the Cyberspace Administration of China (CAC) introduced Administrative Measures for the Reporting of Cybersecurity Incidents (Draft) ("Measures"). This significant draft, now open for public commentary, mandates specific reporting requirements for network operators in the event of a cybersecurity incident. It clearly outlines the categories of incidents that need to be reported, the information that must be included in these reports, and the consequences for failing to report. This Measures marks a critical enhancement in China's approach to managing and mitigating cybersecurity risks.
1. Identifying the Key Subjects: Who Does the Measures Apply To
The Measures specifically target key subjects within the PRC jurisdiction responsible for network-related activities. These subjects, when facing incidents that jeopardize network security, is obligated to report per the Measures. The primary subjects include:
Subjects | How to Identify |
Network Infrastructure Builders | those involved in the construction of network systems within China |
Network Service Providers | entities providing network services, including ISPs, data centres, etc |
Network Operators | owners and administrators of networks and network service providers |
above subjects will hereinafter be collectively referred to as "Operators"
Each of these Operators must promptly report any 'cybersecurity incident', defined by the Measures as events causing harm to networks or information systems due to human error, technical failures, natural disasters, and other similar causes.
2. Reporting Procedure: How Should the Cybersecurity Incident Be Reported
The Measures require Operators to adhere to specific reporting procedures, which vary depending on the severity of the cybersecurity incident. Each category of incident demands distinct reporting protocols, as outlined in the table below:
Incident Severity | Reporting Subject | Reporting Authority | Required Time | Additional Notes |
General/Relatively Severe | Operators of Critical Information Infrastructures ("CII") |
|
within 1 hour if relatively severe | Operators shall promptly activate the emergency response plan. |
Operators of the Networks and Systems under Central/State Organs |
|
|||
Other Operators |
|
|||
Severe/Extremely Severe |
|
|
Within 1 hour for both lines of the report | Operators shall promptly activate the emergency response plan. |
|
|
|||
|
|
This structured approach ensures that the right level of urgency and detail is applied to each incident, facilitating efficient and effective communication with relevant authorities.
3. Incident Classification: General, Relatively Severe, Severe and Extremely Severe
In accordance with the attached Cybersecurity Incident Classification Guidelines to the Measures, cybersecurity incidents are categorized into four degrees: General, Relatively Severe, Severe, and Extremely Severe. The classification of cybersecurity incidents is based on the incident's scale and impact. This framework is designed to ensure a consistent and effective approach to managing and responding to varying levels of cybersecurity threats. To be specific:
Categories | Description | Classic Scenarios |
Extremely Severe | Key network system losses, state secret theft, significant national security threats, major social disruption, extensive economic loss, or mass illegal information spread. |
|
Severe | Serious system losses, notable data breaches threatening national security and social order, but less severe than Extremely Severe incidents. |
|
Relatively Severe | Substantial disruptions and data breaches, posing serious security and stability threats, but with lesser impact than Severe incidents. |
|
General | Incidents posing threats to security, order, and public interest but not reaching the severity of the above categories. |
4. Reporting Items for Operators: Article 5 & Attachment of the Measures
According to Article 5 of the Measures and its attached Cybersecurity Incident Information Reporting Form, the following items shall be included in the report prepared by Operators:
Items | Description |
Organization and Infrastructure Details | Name of the central/state organs or the enterprises where the incident occurred and essential details about the affected facilities, systems, and platforms. |
Incident Discovery and Impact Assessment | Time and location of discovery, incident type, impact, measures taken, and their effectiveness. For ransomware, include ransom details. |
Incident Development | Ongoing trends, potential future impacts, and harms. |
Preliminary Cause Analysis | Initial assessment of the incident's cause. |
Investigation and Analysis Requirements | Information needed for further analysis, including possible attacker details, attack paths, and vulnerabilities. |
Response and Future Plans | Future response plans and support needs. |
Site Protection Status | Current security conditions at the incident location. |
Additional Information | Other relevant information as necessary |
Initial reports should focus on the first two items if full details are not immediately available, with a comprehensive report due within 24 hours. Post-incident, a thorough analysis covering response measures, impacts, and lessons learned must be compiled within 5 days.
Service providers shall promptly notify Operators to report Relatively Severe, Severe or Extremely Severe Incidents. If Operators fail to report accordingly, service providers can report directly to the appropriate cyberspace administrations. Additionally, social organizations and individuals are encouraged to report Relatively Severe or above cybersecurity incidents as well.
5. Penalties for Non-Compliance in Cybersecurity Reporting: Look for Superior Laws
The Measures indicates that if reporting obligations are not met, Operators will face corresponding legal consequences prescribed by various superior laws. For specific penalties, the Measures refers mainly to the Cybersecurity Law (CSL), the Personal Information Protection Law (PIPL), and the Data Security Law (DSL), among others. The CSL, for instance, imposes warnings and fines for general non-compliance, escalating to higher fines for serious violations. The PIPL specifies fines and potential business suspension for severe breaches. The DSL also details fines and potential business suspensions, while the Regulations on the Security Protection of Critical Information Infrastructure imposes fines for reporting failures, with increased penalties for repeated or grave offenses."
6. Compliance Strategies: Aligning with New Measures for Enhanced Vigilance
Under the new Measures, Operators are required to follow specific protocols both in preventing and responding to cybersecurity threats. The forthcoming chart details these vital measures we recommend, aligning with the Measures' objectives, to enhance Operators' cybersecurity vigilance and responsiveness:
Category | Compliance Area | Recommended Actions |
Preventative Measures | Data Protection | Implement data classification, encryption, isolation, and masking to prevent data breaches. |
Emergency Response | Develop response plans, establish teams, and conduct regular exercises for internet incidents. | |
Organizational Structure | Formulate and monitor cybersecurity policies, implement network security, and conduct information security training. | |
Legal Compliance Audit | Regularly audit cybersecurity measures for regulatory compliance. | |
Remedial Actions | Post-Incident Management | Collect incident information, identify causes and effects, and take immediate actions to minimize harm. |
Reporting and Notification | Report incidents to authorities as required and inform affected individuals of personal data breaches. | |
Documentation and Analysis | Maintain detailed records of incidents, actions taken, and analyze for future improvements. |
Conclusions
The Measures represents a pivotal step to enhance China's cybersecurity framework. Aiming to reduce the repercussions of cybersecurity incidents and fortify national cyber defences, it is designed to work in tandem with China's current legal frameworks such as CSL, PIPL, and DSL. By establishing a unified reporting protocol, the Measures seek to streamline the process of incident reporting, thereby improving the overall effectiveness of cybersecurity governance in the country. We will closely track the legislative process upon this new Measures and update the readers with further analysis upon its official release.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.