The CAC Releases New Regulation on Cybersecurity Incident Reporting for Public Consultation

Written By

James Gong

Legal Director
China

I am a Legal Director based in Hong Kong and lead the China data protection and cybersecurity team.

Harry Qu

Associate
China

I am a data associate in our Beijing office. My practice focuses on data privacy, cybersecurity, TMT, as well as antitrust and anti-competition law.

Data security is a crucial concern in this digital age, as cyber-attacks pose a constant threat to data. A security research team recently found a database with a massive 12TB of leaked data, including around 26 billion records from various popular social media platforms.[1] This alarming finding has raised the awareness of enterprises worldwide about data protection. Facing these severe data security challenges, what steps should companies take in response?

China recently presented its answer to address cybersecurity incidents. On December 18, 2023, the Cyberspace Administration of China (“CAC”) publicly released the Cybersecurity Incident Reporting Management Measures (Draft for Comments) (“Measures”), providing more detailed guidance for network Operators in fulfilling their reporting obligations in the event of cybersecurity incidents. In this article, we will delve into the main content of the Measures, introduce China’s security incident reporting requirements, and briefly outline the compliance obligations enterprises should heed in preventing and responding to cybersecurity incidents.

If you would like to subscribe for our newsletters and be notified of our events on China cybersecurity and data protection, please contact James Gong at [email protected].

BACKGROUND

China’s requirements for reporting cybersecurity incidents can be traced back to the Regulations on Computer Information System Security Protection issued in 1994. In recent years, with the establishment of the three pillars of Chinese network and data security governance mechanism—the Cybersecurity Law (“CSL”), the Data Security Law (“DSL”), and the Personal Information Protection Law (“PIPL”)—China categorises security incidents into three categories: (1) Cybersecurity Incidents, (2) Data Security Incidents, and (3) Personal Information Security Incidents, each covering an aspect of security within the realms of cybersecurity, data protection, and personal information protection. While there is some overlap among the three categories of security incidents, each one also possesses unique characteristics. The diagram below illustrates the logical relationship between cybersecurity incidents, data security incidents, and personal information security incidents:

In addition, CAC and other essential industry regulatory bodies and local regulatory authorities, including the Ministry of Industry and Information Technology (“MIIT”), the People’s Bank of China, and various local governments, have introduced a series of regulations on incident response. These regulations are designed to enhance and specify the supervisory requirements for effectively responding to security incidents. For instance, the MIIT recently released the Data Security Incident Contingency Response Plan for the Industry and Information Technology Fields (Trial) (Draft for Comments) (“Data Contingency Response Plan”), aiming to improve the ability of data processors in relevant fields to respond effectively to data security incidents.

In a nutshell, while the regulations for handling security incidents in different sectors may vary, the overall approach is consistent. In the case of a cybersecurity incident, enterprises are advised to recognise three main types of reporting bodies: (1) the Cyberspace Administration, (2) Public Security Authorities, and (3) the superior authority within their specific industry sector. With this understanding, they should then tailor the details and timing of their reports to meet the unique requirements of each respective authority.

In recent years, public security authorities and various sector-specific authorities, including the MIIT, have been actively developing and refining the requirements for reporting security incidents. The Measures, which are currently open for public consultation, place a greater emphasis on reporting obligations to the CAC. This focus is intended to standardise the reporting process for cybersecurity incidents and enhance the ability of enterprises to handle these situations effectively. The Measures lay out numerous specific details, including the reporting entities, supervisory authorities, the content required in reports, timelines for reporting, and criteria for incident classification. This makes the process of reporting cybersecurity incidents more practical and achievable.

KEY PROVISIONS AND COMMENTS

I. Who should report?

In the aftermath of a cybersecurity incident, the fundamental question that enterprises must confront is, “Am I obliged to report this incident?”

Article 2 of the Measures stipulates that the obligation to report applies to network operators engaged in constructing and operating networks within the territory of the People’s Republic of China, or those providing services via these networks. The definition specifies three key criteria for identifying reporting entities: (1) operating within the territory of the People’s Republic of China, (2) engaging in the construction or operation of networks, or providing network services, and (3) being a network operator.

When we compare the Measures with the CSL, we notice that the definition of reporting entities may have some ambiguities. Firstly, under the CSL, “network operators” refer to the owners, managers, and network service providers, which is different from the obligated reporting entities in the Measures, i.e., network operators engaged in constructing and operating networks. Second, the term “network operator” is not consistently applied throughout the Measures as the obligated reporting entities. This inconsistency is evident with the frequent references to “network and system operators” (e.g., in Article 4), yet without a clear definition of this term. Lastly, despite the Measures explicitly referencing governing laws, including the PIPL and the DSL, Article 2 leaves uncertainty regarding the reporting obligations of entities acting as personal information processors or data processors. Specifically, it is ambiguous whether data processors, not categorised as network operators but encountering a security incident (such as theft of paper documents with important data) are mandated to report under the Measures. Despite the fact that there is some ambiguity about the reporting entities, to facilitate understanding, we will refer to the reporting entities as “Operators” in this article.

The Measures classify Operators with reporting obligations into three categories. Operators vary in identity, leading to differences in their reporting responsibilities, timelines, and the authorities to whom they report.

  1. Central and state organs and their affiliated public institutions (“Central Governmental Entities”): The Measures establish specific supervisory authorities for such entities.
  2. Critical Information Infrastructure Operators: The Measures impose additional reporting requirements on critical information infrastructure Operators, which will be elaborated on later. According to current practice, if an enterprise has not been informed by the competent authority that it is a critical information infrastructure operator, it can assume that it is not required to comply with these additional requirements.
  3. Other Operators

II. Reporting to whom?

After a security incident occurs, enterprises are typically required to report to several regulatory bodies. These include departments responsible for cyberspace administration, sector-specific regulators, and public security authorities, although the exact reporting requirements can vary. Taking into account the requirements of the regulatory authorities for industry and information technology, finance, and other sectors, as well as the relevant regulations (e.g., Regulations on Computer Information System Security Protection), the Measures specify the regulatory authorities to which each category of entity is required to report. The details of these reporting obligations are summarised in the table below:

Central Governmental Entities

Regulatory Authorities for Initial Reporting:

  • Sector-specific Cyberspace Administration Function (i.e., the functional branch responsible for network and information security within the sector-specific regulator): The Measures do not explicitly define “sector-specific cyberspace administration function.” It is understood that each industry-specific regulator oversees network and data security within its domain. Therefore, the “sector-specific cyberspace administration function” likely denotes the dedicated team within the regulatory body responsible for overseeing network and information security tasks.
  • Public Security Authorities (if there is suspicion of crimes)

Upper-Level Supervisory Authorities:

  • CAC (for extremely significant or significant incidents)

Critical Information Infrastructure Operators

Regulatory Authorities for Initial Reporting:

  • Protection Work Department: Typically, the supervisory and management authorities of vital industries and fields. Generally speaking, the “protection work department” refers to the sector-specific regulatory authority responsible for managing the critical information infrastructure.
  • Public Security Authorities

Upper-Level Supervisory Authorities:

  • CAC (for extremely significant or significant incidents)
  • Public Security Department of the State Council (for extremely significant or significant incidents)

Other Operators

Regulatory Authorities for Initial Reporting:

  • Local Cyberspace Administration
  • Public Security Authorities (if there is suspicion of criminal activity)
  • Sector-Specific Regulatory Authorities (if applicable)

Upper-Level Supervisory Authorities:

  • Local Cyberspace Administration reports to the upper-level authorities (for extremely significant or significant incidents)

As demonstrated in the table above, enterprises are required to report to the primary regulatory authorities in the event of a cybersecurity incident. In certain circumstances (e.g., in the case of significant or extremely significant incidents), these primary regulatory authorities shall continue reporting to their upper-level supervisory authorities.

III. How to report?

1. Overall process

While the Measures do not provide a comprehensive guide on how enterprises should respond to cybersecurity incidents, they do offer a succinct overview of the reporting process. Specifically, after a cybersecurity incident occurs, Operators should classify the incident based on Annex 1 Cybersecurity Incident Classification Guide of the Measures. Subsequently, Operators should implement appropriate security measures and initiate reporting based on the classified level of the cybersecurity incident. If, during the initial report, the cause, impact, or tendency of the incident cannot be determined, or if new developments arise or significant progress is made in the investigation, Operators are required to submit a supplementary report. Once the incident has been resolved, Operators also need to conduct a thorough analysis and summary of the cybersecurity incident, perform a comprehensive review, and then compile and submit a report through the original reporting channels.

2. Incident classification

The Cybersecurity Incident Classification Guide, one of the annexes to the Measures, adopts the classification methodology from the National Cybersecurity Incident Contingency Response Plan, categorising cybersecurity incidents into four levels from highest to lowest severity: extremely significant, significant, relatively significant, and general. The specific criteria for classification include:

  • The extent of the attack on networks and information systems;
  • The impact on state secrets, important sensitive information, and important data;
  • Other situations that pose a threat or have an impact on national security, social order, economic development, and public interest.

The Cybersecurity Incident Classification Guide also enumerates instances of extremely significant, significant, and relatively significant cybersecurity incidents, providing Operators with more tangible guidance. For instance, a leak involving the personal information of more than 100 million individuals should be considered an extremely significant cybersecurity incident, while the thresholds for significant and relatively significant incidents, in terms of the quantity of personal information involved, are set at 10 million and 1 million respectively. These numerical thresholds are consistent with those outlined in the Contingency Response Plan for Public Internet Network Security Incidents issued by the MIIT.

While the Measures align with most regulations and drafts concerning security incidents, it is still noteworthy that there might be inconsistencies in the classification standards between the Measures and other documents like the Data Contingency Response Plan. For instance, the Data Contingency Response Plan stipulates that data tampering, destruction, leakage, or illegal acquisition and utilisation, causing extremely significant economic losses—precisely, losses of 1 billion yuan (inclusive) or more—constitutes an extremely significant data security incident. However, the Measures define an extremely significant cybersecurity incident as one causing direct economic losses of over 100 million yuan. Although the classification standards for data security and cybersecurity incidents may not be entirely consistent, considering the goal of unifying regulatory standards and facilitating corporate compliance, it is conceivable that these criteria might converge further in the policy-making process.

3. What to report?

Given the changing nature of cybersecurity incidents at different stages and how Operators’ understanding of the specifics evolves as an incident unfolds, the Measures specify varying content requirements for different types of reports.

In terms of the initial report, Article 5 of the Measures stipulates that when reporting a cybersecurity incident, the annex Cybersecurity Incident Information Report Form should be used to include the following content:

  • The name of the Operator, basic information of the facilities, systems, and platforms where the incident occurred;
  • The time and location of the incident’s discovery or occurrence, the type of incident, the impact and harm already caused, measures taken, and effectiveness. For ransomware incidents, also the amount of ransom required, the method of payment, and the date, etc.;
  • The tendency of the incident and the potential impact and harm;
  • A preliminary analysis of the cause of the incident;
  • Clues required for further investigation and analysis, including possible attackers, attack paths, existing vulnerabilities, etc.;
  • Proposed further response measures and requests for support;
  • The protection of the incident site;
  • Other situations that should be reported.

Due to the timeframes for reporting, Operators may not be able to definitively determine the cause, impact, or tendency of the incident at the time of the initial report. To address this issue, the Measures offer a degree of leniency to enterprises. In such cases, enterprises can prioritise reporting the first item (i.e., descriptions related to the facilities, systems, and platforms) and the second item (basic details of the cybersecurity incident) mentioned above.

Generally, supplementary reports are required only under the following three circumstances:

  • When the cause, impact, or tendency of the incident cannot be determined in the initial report;
  • When new significant developments occur;
  • When the investigation makes incremental progress.

We note that the Cybersecurity Incident Information Report Form includes a field for “Report No. x,” providing flexibility for updating, supplementing, or correcting reports of cybersecurity incidents. This indicates that Operators can still use the “Cybersecurity Incident Information Report Form” for supplementary reports.

Regarding the summary report, the Measures only briefly specify the dimensions that enterprises need to summarise and analyse, including the cause of the incident, contingency response measures, harm, allocation of responsibilities, rectification status, lessons learned, etc. However, there are no explicit requirements regarding the content and format of the summary report.

4. Reporting timeframe

The Measures specify different timeframes for reporting based on the three categories of incidents. We have summarised these timeframes in the table below:

Initial Report

Prerequisites: relatively significant, significant, or extremely significant cybersecurity incidents:

  • Operators reporting to the relevant authorities
  • Cyberspace administration authorities reporting to the Central CAC
  • Protection Work Departments reporting to the Central CAC and the Public Security Department of the State Council

Timeframe:

  • Operators: within 1 hour after the discovery of a cybersecurity incident
  • Regulatory authorities: within 1 hour after receiving the report

Supplementary Report

Prerequisites:

  • If the initial report did not fully cover the required content, necessitating supplementary reporting

Timeframe: within 24 hours

Summary Report

Prerequisites:

  • After the resolution of the incident

Timeframe: within 5 working days

Considering the complexity of the reporting content, the one-hour timeframe is extremely stringent for enterprises. Before making the initial report, Operators need to ensure rapid identification of the facility, system, or platform where the security incident occurred. They must clarify the time and location of the incident’s discovery or occurrence, the type of incident, and assess the impact and harm of the incident. At the same time, they need to implement corresponding contingency response plans and record these actions promptly. Considering that filling out the report also takes time, it is challenging for Operators to ensure the completion of the reporting process within the specified timeframe in practice. For instance, the incident response procedures of multinational companies are usually managed and coordinated by their overseas headquarters. If a cybersecurity incident occurs at a subsidiary in China, it may be difficult to get approval and submit the necessary reports within the required time.

Moreover, the reporting timeframes have not fully considered the potential for escalation in cybersecurity incidents. In practice, the situation of a cybersecurity incident may escalate continuously, and further investigation may reveal additional information. For instance, as the duration of a portal website being inaccessible increases, the level of the cybersecurity incident may escalate from “significant” to “extremely significant.” However, aside from specifying the supplementary situation of reporting within 24 hours, the Measures do not provide clear solutions or operational procedures for situations where the initial assessment of the security incident level is incorrect or when the situation of the cybersecurity incident escalates.

In addition, the Measures may also put certain response pressure on various regulatory authorities - for relatively significant, significant, or extremely significant cybersecurity incidents, some regulatory authorities are required to report them to the next level within one hour, and when a cybersecurity incident occurs out of working hours, it becomes problematic to ensure timely reporting. Besides, as cybersecurity incidents can occur at any time, the CAC should provide Operators with a smooth reporting channel to ensure timely response and provide assistance to these Operators.

IV. Penalties for “failure to report”

Article 10 of the Measures outlines the responsibilities of enterprises and individuals in cases where they fail to report cybersecurity incidents as required. Operators who fail to report cybersecurity incidents as required shall be punished under relevant laws and administrative regulations. In cases of delayed reporting, omission, false reporting, or concealment of cybersecurity incidents that result in significant harmful consequences, the Operators and related responsible persons will be subject to aggravated penalties according to law. (For an analysis of “significant harmful consequences” and “aggravated penalties,” please refer to our previous article by clicking here).

Conclusion

Penalties related to security incidents have been common in recent years, but they are often milder than they appear. Even so, there have been instances such as a financial enterprise being fined RMB 4.2 million for failing to report an important information system incident and leaking sensitive information on its web portal.[2] With the gradual implementation of documents like the Measures, it is expected that enforcement activities related to cybersecurity incidents might become more frequent in the future, and the possibility of more severe penalties cannot be dismissed.

In view of this, we advise enterprises to take precautionary measures and to continuously monitor legislative developments related to documents like the Measures and the Data Contingency Response Plan, thereby ensuring proactive risk management. Given that current laws and regulations already impose several requirements on enterprises for handling security incidents, we recommend establishing a comprehensive incident contingency response and reporting mechanism. In addition, to better fulfil the reporting requirements, it is advisable to map each network and system in advance and to prepare templates containing their basic information, tailored to the enterprise’s own situation. By taking proactive measures before a cybersecurity incident occurs, the enterprise can respond swiftly and meet the reporting timeframes by promptly completing and submitting the necessary documentation. At the same time, enterprises should pay attention to the following aspects in their daily compliance operations:

  • Establishing and maintaining a robust data security management and protection system, especially concerning contingency plans related to security incidents.
  • Conducting regular contingency drills for security incidents.
  • Strengthening employees’ awareness of cybersecurity and data security through regular training and other means.
  • Enhancing security risk detection during significant events, such as product launches, to prevent incidents like zero-day attacks.

If you would like to obtain the English version of the Cybersecurity Incident Information Report Form, please contact James Gong at [email protected].


[1] https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/

[2] https://finance.sina.com.cn/money/bank/2021-02-02/doc-ikftssap2493196.shtml
