The Cyberspace Administration of China (‘CAC’) has released draft measures that would require many cyber and data security incidents in China to be reported within one hour.
The draft ‘Measures for the Management of Cybersecurity Incident Reporting’ (the ‘Reporting Measures’) standardise the process of cybersecurity incident reporting. The reporting requirement is applicable to organisations that either (i) operate information networks in China, or (ii) offer services through information networks in China.
The one-hour reporting deadline will apply to any incident that is classified in the accompanying Cybersecurity Incident Classification Guide (an annex to the Reporting Measures) as ‘significant’ or higher. ‘Significant’ incidents include, among others, incidents in which:
- the personal data of more than one million people is leaked
- the general operation of critical information infrastructure is suspended for more than 30 minutes
- the operation of major functions of critical information infrastructure is suspended for more than two hours
- direct economic losses exceed RMB 5 million.
Reports will need to be filed with the local CAC and the competent industrial regulatory authority. If criminal activity is suspected, the incident should additionally be reported to the public security bureau (PSB).
Operators of critical information infrastructure may need to report to other competent authorities.
A template reporting form is annexed to the Reporting Measures. Among other things, the report will need to include:
1. a description of the information system and network
2. the time of discovery and location of the incident
3. impact assessment (including the number of individuals affected and the amount of economic loss)
4. protective measures that have been taken and their effect
5. the amount, payment method and date of payment of any ransom demanded
6. preliminary analysis of the cause of the incident
7. proposed further responses.
If the cause or impact of the incident cannot be determined within the first hour, an initial report comprising items (1) to (5) should be filed, with the remaining information to be provided within 24 hours.
After the incident has been contained, the organisation will need to submit a comprehensive report to the competent authorities within five working days. This report should contain, among other things, a root cause analysis, a description of rectification measures taken, a damage assessment, as well as an explanation of “lessons learned” and “accountability”.
In their general application, the Reporting Measures impose significantly more burdensome reporting requirements than those of the vast majority of other countries we are aware of, and will be exceptionally challenging to comply with.
The measures have been proposed under each of the Cybersecurity Law, Data Security Law and Personal Information Protection Law, and appear to be intended as a definitive statement of an organisation’s reporting requirements. Nevertheless, the draft perpetuates the current uncertainty about reporting obligations in relation to incidents that either do not meet the threshold to be classified as a ‘significant’ incident, or which do not affect systems and network infrastructure located within China.
The Reporting Measures are open for public consultation until 7 January 2024.