China Releases Draft Measures for Cybersecurity Incident Reporting

The Cybersecurity Administration of China (CAC) recently released a consultation draft of the Administrative Measures on the Reporting of Cybersecurity Incidents (Measures), together with the Guidelines on Grading of Cybersecurity Incidents (Guidelines) and the Reporting Form of Cybersecurity Incident Information (Reporting Form). The drafts are open for public comment until 7 January 2024. Once effective, they will provide much-needed clarity for practitioners and businesses in China on when and how to report a cybersecurity incident.

Cybersecurity incidents are common, but companies have difficulties in practice complying with the reporting obligations in the existing laws and regulations. The current regime lacks specified reporting timelines, practical reporting requirements and designated reporting authorities. In addition, the existing laws and regulations do not specify any reporting thresholds, which means that even a very small incident is required to be reported. Companies are reluctant to report such incidents but do not want to breach the reporting obligation. The new Measures and Guidelines should resolve these issues by providing detailed and quantitative criteria for determining the levels of cybersecurity incident and specifying the detailed timeline and required information for the relevant reports.

Background

Article 25 of the Cybersecurity Law requires network operators to maintain a cybersecurity emergency plan and report cybersecurity incidents to the relevant authorities. Similar provisions can also be found in the Regulations on the Protection of the Security of Critical Information Infrastructure. In addition, the Data Security Law and the Personal Information Protection Law contain similar reporting obligations for cybersecurity incidents involving data breaches and personal information breaches. However, these laws and regulations do not specify the detailed reporting requirements and procedures.

Summary of the proposed cybersecurity reporting regime

Classification of cybersecurity incidents

Article 4 of the Measures requires that “Extremely Severe Cybersecurity Incidents”, “Severe Cybersecurity Incidents” and “Relatively Severe Cybersecurity Incidents” (collectively, “Critical Cybersecurity Incidents”) as determined by reference to the Guidelines must be reported to the competent authorities within one hour of occurrence.

The Guidelines divide cybersecurity incidents into four levels, and provide detailed and quantitative criteria for determining each level. Apart from “General Cybersecurity Incidents” which are the mildest, the situations meeting the following or more severe criteria will fall into the scope of Critical Cybersecurity Incidents:

• portal websites of departments of the Party or government at or above city level, or key news websites which (i) cannot be accessed for more than two hours due to attacks or failures or (ii) are tampered with, leading to a large scale spread of illegal and harmful information – this includes information appearing on the home page for more than 30 minutes or on other pages for more than two hours, being forwarded more than 1,000 times through social media platforms or receiving more than 10,000 views or clicks;
• interruption of overall operation of critical information infrastructure for more than 30 minutes, or its main function for more than two hours;
• incidents affecting the work and life of more than 10% of the population in a single city-level administrative region;
• incidents affecting the water, electricity, gas, oil, heating or transportation usage of more than 100,000 people;
• theft or leakage of important data which poses a major threat to national security and social stability;
• leakage of the personal information of more than one million people;
• incidents causing the direct economic losses of more than RMB 5 million; or
• any other cybersecurity incident that poses a major threat to national security, social order, economic development, or public interest, and causes major negative impact.

Double layers of reporting for Critical Cybersecurity Incidents

Where a Critical Cybersecurity Incident relates to networks and systems linked to central Party or state governmental departments (and enterprises or institutions administered by them), it must be reported to the institution of that sector responsible for cybersecurity within one hour. For Extremely Severe or Severe Cybersecurity Incidents, that institution is required to further report the incident to the CAC within one hour.

Where it relates to critical information infrastructure, the incident must be reported to the authorities responsible for critical information infrastructure protection and the Public Security Bureau within one hour. Again, for Extremely Severe or Severe Cybersecurity Incidents, those authorities are required to further report up to the CAC and the Ministry of Public Security within one hour.

Any other operators are required to report the incident to the local counterpart of the CAC within one hour, with Extremely Severe or Severe Cybersecurity Incidents needing to be further reported up to the next level CAC within one hour.

In addition, the operator must report the incident to the relevant sector regulator if required, with any suspected crime needing to be notified to the Public Security Bureau.

Reporting Form for reporting cybersecurity incidents

Article 5 of the Measures and the Reporting Form require the following information to be included in a cybersecurity incident report:

• entity’s name and basic information on the facilities, systems, and platforms where the incident occurred;
• time and place when the incident occurred or was discovered, the incident type, the impact and harm caused, and the measures taken and their effectiveness. For a ransomware attack, the report must also include the demanded ransom amount, payment method and date;
• information on how the situation developed and the potential further impact and harm;
• preliminary analysis of the cause;
• clues for further investigation and analysis, including information on the possible attacker, attack path and existing vulnerabilities;
• countermeasures to be taken and the support needed;
• information on the preservation of the incident scene; and
• other specified information.

If the cause, impact, or development of the incident cannot be determined within one hour, the initial report should cover first two bullets above, with additional information to be provided within 24 hours. A supplementary report is required if there are significant developments after the initial report.

Post-incident report

Within five business days of the incident being resolved, the operator must conduct a thorough analysis of the cause, emergency response measures, risks, liability and accountability, rectification measures and lessons learned. A report summarising the findings must be submitted through the original reporting channel.

Who can report Critical Cybersecurity Incidents

Any organisation or individual is encouraged to report Critical Cybersecurity Incidents to the CAC. Additionally, service providers should remind operators to report such incidents. If the operator intends to conceal or refuses to report an incident, the service provider may report it.

Benefits of reporting

If an operator has implemented reasonable and necessary protection measures, reported the incident proactively, followed its emergency plan and used best efforts to minimise the impact, the liability of the operator and relevant responsible persons may be reduced or exempted on a discretionary basis.

Penalties

Operators who fail to report cybersecurity incidents will be penalised in accordance with the relevant laws and regulations, with severe penalties for situations where an operator delays, omits, falsely reports, or conceals cybersecurity incidents leading to severe consequences.

How Herbert Smith Freehills can help

Cyber security is a high-ranking board agenda item which shows no sign of abating and the regulatory landscape is becoming ever more complex as organisations strive to respond to and mitigate the risks of cyber incidents.

The global cyber and data security team in Herbert Smith Freehills has an unrivalled breadth and depth of expertise and includes specialists from our data privacy, financial services regulatory, corporate crime & investigations, insurance and employment practices, amongst others. Our team advises across the full cyber and data security lifecycle, including before-the-event cyber risk management, incident response and non-contentious transactional and project work.