News

China’s CAC and MIIT undertake parallel consultations on draft measures for cyber incident reporting


On 8 December 2023, the Cyberspace Administration of China (the “CAC”) published draft Administrative Measures for Cybersecurity Incidents Reporting (the “Draft CAC Measures”). The following weekend, on 16 December 2023, the Ministry of Industry and Information Technology (“MIIT”) separately published a consultation draft Emergency Response Plan for Data Security Incidents in the Field of Industry and Information Technology (the “Draft MIIT Response Plan”).

Both documents aim to answer an increasingly complex question in the field of cyber security regulation – what are an organization’s cyber incident reporting requirements in China?  

Why Two Reporting Standards?

Some of the confusion arising from the parallel drafts can be explained by the fact that the CAC and the MIIT have overlapping but separate regulatory mandates.  The CAC is China’s cyber security regulator, having general authority over cyber security and data protection matters.  The MIIT is China’s industry and technology regulator, having a jurisdiction that includes regulating the technology and telecommunications industries.  Herein lies an important distinction.  The Draft MIIT Response Plan would apply only to MIIT-regulated businesses.  Another important distinction is that the Draft MIIT Response Plan is not just focused on incident reporting.  The Draft MIIT Response Plan would task the regulator with classifying each reported incident and issuing risk warnings which are colour-coded red, orange, yellow or blue based on the severity.  It also outlines the procedures the MIIT would follow in collecting information from industry sources and activating emergency response plans.  The objective of the Draft MIIT Response Plan is therefore to facilitate coordinated cyber incident response across the entire technology and telecommunications sector.  The initial regulatory notification by the MIIT-regulated business is just the first step in the activity the Draft MIIT Response Plan aims to regulate.

The Draft CAC Measures apply to a much broader range of businesses, drawing from requirements under the Cyber Security Law (the “CSL”), the Data Security Law (the “DSL”) and the Personal Information Protection Law (the “PIPL”), all of which are laws of general application.  The Draft CAC Measures would therefore apply to any “network operator” operating networks in mainland China or providing services through such networks.  Network operators are defined in very broad terms under the CSL, encompassing any business that operates ICT infrastructure in mainland China (including any MIIT-regulated business).    

Implementation of the Draft CAC Measures and Draft MIIT Response Plan by their respective regulators would continue the complex status quo of cyber incident notification in China, which involves assessing the possibility of parallel notifications to each of the CAC and the MIIT, as well as the possibility of being required to notify the Public Security Bureau (the “PSB”) (if the incident involves criminal activity) and potentially other regulators and government agencies having jurisdiction over the impacted organization or field of activity.

A quick recap of cybersecurity incident reporting obligations in China: the current regulations

As matters stand, incident reporting obligations in respect of cybersecurity incidents are scattered amongst several laws.  The key reporting obligations are found in the CSL, DSL and PIPL, all of which provide, to varying degrees of detail, that cybersecurity incidents should be immediately reported to the relevant competent authorities.  The CAC’s Regulation on Network Data Security Management, published in draft on 14 November 2021, promised greater precision, proposing a reporting threshold of 100,000 impacted data subjects in respect of incidents involving personal data and a direction that “immediate” notification meant a basic notification of the reportable incident within eight hours, followed by the submission of an investigation report within five working days after the incident has been addressed.  The Regulation on Network Data Security Management has never been finalized.

In addition to official notifications, where the incident gives rise to any actual or potential data leakage, distortion, or loss of personal data, the PIPL requires that impacted individuals should also be notified.  

In the absence of specific guidelines on reporting timelines and thresholds, many organizations have been struggling to understand precisely how, where and by when they are required to report cybersecurity incidents.  The Draft CAC Measures and the Draft MIIT Measures set out notification thresholds and details as to the content and timeframe for notifications, which will at least bring some greater clarity.  Organizations subject to both sets of rules would, however, likely wish for closer alignment between the two documents, in relation to notification thresholds in particular.  As discussed below, alignment is not complete in this regard.

The Draft CAC Measures

What incidents must be reported?

The Draft CAC Measures are accompanied by Guidelines for Classification of Cybersecurity Incidents (the “CAC Classification Guidelines”), which establish the framework to classify cybersecurity incidents into one of four types: (i) Extremely Major Cybersecurity Incidents, (ii) Major Cybersecurity Incidents, (iii) Large Cybersecurity Incidents, and (iv) General Cybersecurity Incidents.  The Draft CAC Measures prescribe a reporting timeline of one hour for reports concerning Extremely Major Cybersecurity Incidents, Major Cybersecurity Incidents and Large Cybersecurity Incidents (collectively, “Critical Cybersecurity Incidents”), while the Measures do not provide any reporting period for General Cybersecurity Incidents, suggesting that these incidents need not be reported at all.

The CAC Classification Guidelines provide key criteria to help entities classify cybersecurity incidents accurately.  Among other criteria, if any of the following thresholds is met, the incident may constitute a Critical Cybersecurity Incident:

The last four columns are the sub-thresholds under “Dissemination of Illegal and Harmful Information”.

| Cybersecurity Incident Classification | Threshold for Data Subjects Impacted by Leakage of Personal Information | Threshold for Direct Economic Loss | Information appearing on web site homepage (hours) | Information appearing on other web site pages (hours) | Number of times forwarded through social media platforms | Number of times viewed or clicked |
|---|---|---|---|---|---|---|
| Extremely Major | ≥ 100 million | ≥ RMB100 million (USD 14 million) | ≥ 6 | ≥ 24 | ≥ 100,000 | ≥ 1 million |
| Major | ≥ 10 million | ≥ RMB20 million (USD 3 million) | ≥ 2 | ≥ 12 | ≥ 10,000 | ≥ 100,000 |
| Large | ≥ 1 million | ≥ RMB5 million (USD 700k) | ≥ 0.5 | ≥ 2 | ≥ 1,000 | ≥ 10,000 |

Which authorities should be notified?

The Measures provide that in most cases incidents should be reported to the local branch of the CAC.  If the impacted organization is considered to be an operator of critical information infrastructure under the CSL, reports should be made to the relevant authority responsible for that infrastructure and to the PSB.

In addition, if there is an industry regulating authority, the organization should make reports in compliance with the authority’s relevant requirements.  If any crime is suspected, the organization should report to the PSB.

What information is required to be reported?

The Draft CAC Measures include a template Cybersecurity Incident Information Reporting Form, which prescribes the following:

  1. Initial Report: If the cause, impact or trend of the incident cannot be determined within the first hour following the incident, an initial report covering the following details should be made within that hour:
  • the name of the entity and the description of the system or platform in relation to which the incident occurred; and
  • the time and location of discovery of the incident, the type of incident, the impact and harm that has been caused and the measures that have been taken and their effect. In respect of ransomware attacks, the amount, method and date of the ransom payment request should also be reported.

The other information requested under the Cybersecurity Incident Information Reporting Form should be provided within 24 hours, specifically:

  • details of how the incident developed and potential further impact and damage;
  • preliminary analysis of the cause of the incident;
  • areas identified for further investigation and analysis, including the possible identity of any threat actor, the means of attack, existing vulnerabilities and so forth;
  • further incident response measures to be taken and any requests for support; and
  • measures taken to protect the site of the incident.

Given the immediate challenges organizations typically face getting to grips with the facts in the moments after a cyber incident has been detected, a one hour initial notification window appears unrealistic and risks creating “notification fatigue”, with rushed, incomplete reports being filed for incidents that may well prove to be immaterial once they are more fully understood.  Presumably, an organization would need to determine that there is a reasonable risk that the reporting thresholds for Critical Cybersecurity Incidents set out in the CAC Classification Guidelines have been exceeded, but this is not clear from the draft. 

  2. Ongoing Updates: New developments and the progress made in ongoing investigations should be reported as they arise.
  3. Post-Incident Summaries: Organizations are required to conduct a comprehensive post-incident analysis to summarize the causes, mitigation measures, lessons learned and so forth, and submit the summary within five working days.

What are the responsibilities of service providers?

Where a service provider engaged by an organization finds that a Critical Cybersecurity Incident has occurred impacting its customer, the service provider is obliged to notify its customer and to report any incident in which its customer intentionally conceals or refuses to report an incident.

The Draft MIIT Response Plan

What incidents must be reported?

The Draft MIIT Response Plan requires notification of incidents in which data has been tampered with, destroyed, leaked or unlawfully accessed or unlawfully used with the effect of causing harm to national security, the public interest or the legitimate rights and interests of individuals or organizations.

Like the Draft CAC Measures, the Draft MIIT Measures categorize cyber incidents in four tiers.  While the basic thresholds for notification based on the number of impacted data subjects are the same as under the Draft CAC Measures, the Draft MIIT Response Plan adds a threshold for the leakage of sensitive personal information, increases the direct economic loss threshold and replaces the thresholds for dissemination of illegal and harmful information with thresholds based on disruption to facilities and operations:

The last two columns are the sub-thresholds under “Disruption to Business Processing Activity or Interruption to Facilities or Operations”.

| Cybersecurity Incident Classification | Threshold for Data Subjects Impacted by Leakage of Personal Information | Threshold for Data Subjects Impacted by Leakage of Sensitive Personal Information | Threshold for Direct Economic Loss | Interruption of Operations or Serious Abnormality of Critical Networks (hours) | Major Radio Interference (hours) |
|---|---|---|---|---|---|
| RED - Extremely Major | ≥ 100 million | ≥ 10 million | ≥ RMB1 billion (USD 140 million) | ≥ 24 | ≥ 24 |
| ORANGE - Major | ≥ 10 million | ≥ 1 million | ≥ RMB100 million (USD 14 million) | ≥ 12 | ≥ 12 |
| YELLOW - Large | ≥ 1 million | ≥ 100,000 | ≥ RMB50 million (USD 7 million) | ≥ 8 | ≥ 8 |

Which authorities should be notified?

Data handlers in the field of industry and information technology (“IIT Data Handlers”) are required to assess the incident and immediately notify their local MIIT supervisory office, which will in turn escalate and share information internally based on the provisions of the Draft MIIT Measures dealing with the MIIT’s internal governance.

Unlike the Draft CAC Measures, the Draft MIIT Measures do not set out any specific reporting timeframes for IIT Data Handlers.

What information is required to be reported?

The Draft MIIT Measures also attach a report format and the reporting information required, which includes basic incident information, impacted data, impacted scope and suggested remediation.

The Draft MIIT Measures require IIT Data Handlers to submit a report on the investigation of the cause, means and provenance of the incident, an assessment of the impact and loss caused and a summary of lessons learned and recommendations for improvement within 10 working days after incident response work has been completed.

Looking Forward

The parallel consultations on the Draft CAC Measures and Draft MIIT Measures mark a pivotal moment in China’s cybersecurity landscape.  The drafts demonstrate a concerted effort to develop a fully integrated cyber incident reporting structure that isn’t just focussed on typically seen reporting thresholds concerning volumes of personal data and impacts on critical infrastructure, but instead broadens the reporting obligations to cover any and all operators of ICT infrastructure in mainland China and triggers reporting specifically for cyber incidents involving the dissemination of information considered illegal and harmful.

Organizations will no doubt welcome greater clarity on the specifics of incident reporting and response.  In this regard, quantifiable reporting thresholds, clear timeframes and directions as to the content of incident reports are a positive development.  However, the narrow windows for reporting under the Draft CAC Measures are unlikely to be seen as much of an improvement on the statutory obligations to make “immediate” notifications, raising challenges for businesses in China as they do elsewhere.  The proposed one hour reporting window is more stringent than the reporting obligation in the vast majority of other countries.

At the same time, the drafts would create a de minimis threshold for reporting, which would at least be helpful in respect of smaller incidents expected to fall below the thresholds fixed for “Large” or “Yellow-coded” incidents.  The drafts are also silent on incidents that do not affect systems and network infrastructure located in mainland China, suggesting that there is a territorial focus to the policy.

As cyber incidents increasingly become a challenge globally, any improvement in clarity on reporting obligations is an important development.  The parallel developments by the CAC and MIIT will be closely watched, as they will create important compliance obligations for businesses in China going forward.

Authored by Mark Parsons, Sherry Gong, and Tong Zhu.
