On 8 December 2023 the Cyberspace Administration of China (“CAC”) issued for public comment draft Measures for the Management of Cybersecurity Incident Reporting[i] (“Draft Measures”). The Draft Measures are designed to regulate the reporting of cybersecurity incidents, reduce loss and harm caused by such incidents and safeguard national cybersecurity[1].
They apply to network operators that build and/or operate networks and/or provide services through networks in Mainland China (hereafter, “Network Operators”)[2] and are triggered by incidents that endanger network security (i.e. incidents causing harm to the network and/or information system and/or the data within), whether due to human causes, software and/or hardware defects or failures, natural disasters etc., and negatively impact society[3].
They impose extensive and stringent reporting obligations, supported by penalties for Network Operators and their responsible persons for breach. These reporting obligations presuppose that Network Operators have existing comprehensive cybersecurity incident response capabilities that allow them to discover, report and effectively deal with cybersecurity incidents in a timely manner. Multi-national Network Operators will need to carefully consider the Draft Measures, the circumstances in which the reporting obligations are triggered, the likelihood of their occurring and the implications on their Mainland operations. The consultation period comes to an end on 7 January 2024.
Overview
Under the Draft Measures, Network Operators are required to promptly initiate emergency plans[4] on the occurrence of network security incidents[5]. They are also required to report within one (1) hour network security incidents that are classified as Relatively Serious Cybersecurity Incidents (较大网络安全事件), Serious Cybersecurity Incidents (重大网络安全事件) or Extremely Serious Cybersecurity Incidents (特别重大网络安全事件), i.e. when:
- important networks and information systems suffer large system losses, resulting in system interruptions, significantly affecting system efficiency and business processing capacity;
- state secret information, important and sensitive information and important data are lost or stolen, tampered with or counterfeited, posing a more serious threat to national security and social stability; or
- other network security incidents pose a more serious threat to national security, social order, economic construction and public interests, and cause more serious impact.
For more details on the classification, consider the classification guidelines circulated with the Draft Measures (Annex 1: Cybersecurity Incident Classification Guidelines). The reporting processes and procedures differ depending on the nature of the Network Operators, their networks and the data within, with different reporting requirements applying to government bodies and institutions and/or enterprises managed by them, Network Operators that operate critical information infrastructures, and other Network Operators. A summary of the reporting processes and procedures[6] is set out below:
Network Operators that have an industry supervisory department must report to the relevant department according to its requirements.
Network Operators must also report to the public security organs at the same time if there is a suspicion that a crime has been committed.
Reports have to be made in accordance with the Cybersecurity Incident Information Reporting Form (see the sample circulated with the Draft Measures: Annex 2: Cybersecurity Incident Information Reporting Form) and cover a wide range of information, including information about the incident (e.g. where and when it occurred and/or was discovered, the type of incident, its impact, the harm caused, measures taken and their effectiveness), information on how the situation is developing and/or trending and any anticipated further impact and harm, the likely cause, further countermeasures to be taken and support required, measures undertaken to protect the incident scene and clues that assist further investigation and analysis[7].
[1] Article 1 of the Draft Measures.
[2] Article 2 of the Draft Measures.
[3] Article 12 of the Draft Measures.
[4] The Emergency Response Plan for Cybersecurity Incidents 2017 (国家网络安全事件应急预案), issued by the Office of the Central Cyberspace Affairs Commission on 27 June 2017.
[5] Article 4 of the Draft Measures.
[6] Article 4 of the Draft Measures.
[7] Article 5 of the Draft Measures.
Where Network Operators are unable to determine the likely cause, the impact or how the situation is developing and/or trending etc. within the one (1) hour reporting window, they have to do so and report on such matters within the next 24 hours[8]. Timely updates of new information and/or developments discovered during the investigation process are also required[9].
Following disposal of the incident, Network Operators must also submit, within five working days of the disposal, a report containing a comprehensive analysis and summary of the cause of the incident, the emergency response measures adopted, the threats encountered, the responsibilities concerned, the remediation undertaken and the lessons learned etc.[10]
The Draft Measures also include certain provisions to encourage reporting and proactive management of cybersecurity incidents. These provisions:
- require service providers that discover Relatively Serious, Serious or Extremely Serious Cybersecurity Incidents in Network Operators’ networks and/or systems to inform the Network Operators and remind them to report the incidents in accordance with the Draft Measures, and allow the service providers to report the incidents to the local cybersecurity department or the national cybersecurity department if the Network Operators intentionally conceal the incident and/or refuse to report[11];
- specify that penalties are to be imposed on Network Operators under relevant laws and administrative regulations for failing to report in accordance with the Draft Measures, and that severe penalties are to be imposed on Network Operators and their responsible persons under relevant laws for late reporting, misreporting, omitting details or concealment that gives rise to significant harmful consequences[12]. The Draft Measures do not specify the applicable laws and administrative regulations; and
- specify that exemptions from liability and/or leniency may be offered to Network Operators and their responsible persons for taking reasonable and necessary measures to protect their networks, reporting incidents in accordance with the Draft Measures, effectively disposing of incidents in accordance with the procedures of their emergency response plan, and doing their best to reduce the impact of the incident[13].
Implications for multi-national network operators
The reporting obligations under the Draft Measures, if implemented in their existing form, assume the existence of an effective real-time capability to manage and dispose of cybersecurity incidents while reporting on them within very short time frames. It is currently unclear whether there will be any significant change to the Draft Measures, or any time lag in implementing them, once the consultation period closes on 7 January 2024.
We recommend that multi-national Network Operators proactively prepare for the introduction of cybersecurity reporting obligations, including by:
- considering the Draft Measures, the circumstances in which the reporting obligations are triggered and the likelihood of their occurring;
- understanding how the reporting obligations and the broader cybersecurity requirements underpinning them impact your operations in Mainland China;
- reviewing your cybersecurity incident response capabilities;
- ensuring your cybersecurity incident response strategy, plan and team are capable of effectively discovering network security incidents, deploying emergency response measures, assessing the harm and impact and mitigating the damage, identifying the cause(s), addressing them and remediating the identified weaknesses in a timely manner; and
- ensuring that you are well placed to meet the extensive reporting obligations within the stringent reporting timelines.
[i] The consultation period will close on 7 January 2024.