The Cybersecurity Administration of China (CAC) recently released a consultation draft of the Administrative Measures on the Reporting of Cybersecurity Incidents (Measures), together with the Guidelines on Grading of Cybersecurity Incidents (Guidelines) and the Reporting Form of Cybersecurity Incident Information (Reporting Form). The drafts are open for public comment until 7 January 2024. Once effective, they will provide much-needed clarity for practitioners and businesses in China on when and how to report a cybersecurity incident.
Cybersecurity incidents are common, but in practice companies have difficulty complying with the reporting obligations in the existing laws and regulations. The current regime lacks specified reporting timelines, practical reporting requirements and designated reporting authorities. In addition, the existing laws and regulations do not specify any reporting thresholds, which means that even a very small incident is required to be reported. Companies are reluctant to report such incidents but do not want to breach the reporting obligation. The new Measures and Guidelines should resolve these issues by providing detailed and quantitative criteria for determining the level of a cybersecurity incident and by specifying the detailed timeline and required information for the relevant reports.
Article 25 of the Cybersecurity Law requires network operators to maintain a cybersecurity emergency plan and report cybersecurity incidents to the relevant authorities. Similar provisions can also be found in the Regulations on the Protection of the Security of Critical Information Infrastructure. In addition, the Data Security Law and the Personal Information Protection Law contain similar reporting obligations for cybersecurity incidents involving data breaches and personal information breaches. However, these laws and regulations do not specify the detailed reporting requirements and procedures.
Article 4 of the Measures requires that “Extremely Severe Cybersecurity Incidents”, “Severe Cybersecurity Incidents” and “Relatively Severe Cybersecurity Incidents” (collectively, “Critical Cybersecurity Incidents”) as determined by reference to the Guidelines must be reported to the competent authorities within one hour of occurrence.
The Guidelines divide cybersecurity incidents into four levels, and provide detailed and quantitative criteria for determining each level. Apart from “General Cybersecurity Incidents” which are the mildest, the situations meeting the following or more severe criteria will fall into the scope of Critical Cybersecurity Incidents:
Where a Critical Cybersecurity Incident relates to networks and systems linked to central Party or state governmental departments (and enterprises or institutions administered by them), it must be reported to the institution of that sector responsible for cybersecurity within one hour. For Extremely Severe or Severe Cybersecurity Incidents, that institution is required to further report the incident to the CAC within one hour.
Where it relates to critical information infrastructure, the incident must be reported to the authorities responsible for critical information infrastructure protection and the Public Security Bureau within one hour. Again, for Extremely Severe or Severe Cybersecurity Incidents, those authorities are required to further report up to the CAC and the Ministry of Public Security within one hour.
Any other operator is required to report the incident to the local counterpart of the CAC within one hour, with Extremely Severe or Severe Cybersecurity Incidents needing to be further reported up to the CAC at the next level within one hour.
In addition, the operator must report the incident to the relevant sector regulator if required, with any suspected crime needing to be notified to the Public Security Bureau.
Article 5 of the Measures and the Reporting Form require the following information to be included in a cybersecurity incident report:
If the cause, impact or development of the incident cannot be determined within one hour, the initial report should cover the first two bullets above, with the additional information to be provided within 24 hours. A supplementary report is required if there are significant developments after the initial report.
Within five business days of the incident being resolved, the operator must conduct a thorough analysis of the cause, emergency response measures, risks, liability and accountability, rectification measures and lessons learned. A report summarising the findings must be submitted through the original reporting channel.
Any organisation or individual is encouraged to report Critical Cybersecurity Incidents to the CAC. Additionally, service providers should remind operators to report such incidents. If the operator intends to conceal or refuses to report an incident, the service provider may report it.
If an operator has implemented reasonable and necessary protection measures, reported the incident proactively, followed its emergency plan and used best efforts to minimise the impact, the liability of the operator and relevant responsible persons may be reduced or exempted on a discretionary basis.
Operators who fail to report cybersecurity incidents will be penalised in accordance with the relevant laws and regulations, with severe penalties for situations where an operator delays, omits, falsely reports, or conceals cybersecurity incidents leading to severe consequences.
Cybersecurity is a high-ranking board agenda item that shows no sign of abating, and the regulatory landscape is becoming ever more complex as organisations strive to respond to and mitigate the risks of cyber incidents.
The global cyber and data security team in Herbert Smith Freehills has an unrivalled breadth and depth of expertise and includes specialists from our data privacy, financial services regulatory, corporate crime & investigations, insurance and employment practices, amongst others. Our team advises across the full cyber and data security lifecycle, including before-the-event cyber risk management, incident response and non-contentious transactional and project work.
The contents of this publication are for reference purposes only and may not be current as at the date of accessing this publication. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action based on this publication.
© Herbert Smith Freehills 2024