Article

Measures for the Management of Cybersecurity Incident Reports (Draft for Comments)

Deloitte Cybersecurity Team Insights and Recommendations

Published date: 12 December 2023

On December 8th, the National CAC released the "Measures for the Management of Cybersecurity Incident Reports (Draft for Comments)" (hereinafter referred to as the "Draft for Comments"), aiming to standardize the reporting of cybersecurity incidents, reduce the losses and hazards caused by such incidents, and maintain national security. The upper-level legal basis for these measures includes laws and regulations such as the CSL, DSL, PIPL and the CII Protection Regulation.

The Draft for Comments contains fourteen articles in total, which specify the reporting subjects, reporting deadlines, and required content and format of cybersecurity incident reports. This article analyzes the impact of the Draft for Comments on ordinary enterprises and then provides recommendations for responding to it.

1. First, the reporting subject. The parties responsible for reporting cybersecurity incidents are network operators that construct or operate networks, or provide services through networks, within mainland China. This definition of the responsible party is consistent with upper-level laws such as the CSL, which means that ordinary enterprises will bear the reporting obligation. Overall coordination rests with the national CAC and local CACs, and Article 4 specifies different reporting targets for different categories of operator.

The first category is the various departments of the central and state government and the enterprises and institutions they manage, which should report to the CAC of their respective departments.

The second category is CIIOs, which should report to the protection department (the relevant departments of local people's governments at or above the county level) and the public security bureau.

The third category is other network operators, which should report to the local CAC. This category covers the majority of ordinary commercial enterprises (such as foreign-funded, joint-venture and private enterprises), so it can be clearly stated that ordinary enterprises should report to the local CAC. In addition, where an industry regulatory authority exists, operators should also report in accordance with that authority's requirements.

2. In terms of the reporting time limit, operators must follow the "Guidelines for Classification of Cybersecurity Incidents" when a cybersecurity incident occurs. Major, significant, or particularly significant cybersecurity incidents should be reported within one hour. We have therefore compiled the specific definitions of these three levels from the Guidelines. The Guidelines are based on "GB/T 20986-2023 Cybersecurity Event Classification and Grading Guidelines", released on May 23, 2023 (officially effective on December 1, 2023), and add many more specific reference conditions. Major, significant, and particularly significant cybersecurity incidents correspond to Level 3, Level 2, and Level 1 events, respectively. As soon as an enterprise experiences a Level 3 or higher event, it must report it to the local cyberspace administration (CAC) within one hour.

From the grading definitions, it is not difficult to see that for ordinary commercial enterprises, the two most important thresholds to focus on are the number of personal information records leaked (over 1 million) and the direct economic losses caused (over 5 million yuan).

3. In terms of the format of the report content, the Draft for Comments is accompanied by the Cybersecurity Incident Information Report Form. It should be noted that if the cause, impact, or trend of the incident cannot be determined within one hour, the first and second items of Article 5 can be reported first, and the remaining items can be reported within 24 hours. Therefore:

The content required by the first item, "the name of the unit involved and the basic information of the facilities, systems, and platforms where the incident occurred," needs to be collected and maintained by the enterprise in advance in order to achieve timely reporting.

At the same time, the second item requires "the time, location and type of event, the impact and harm caused by the event, the measures taken and their effects; for ransomware attacks, it should also include the amount, method, date, etc. of the ransom payment." This requires enterprises to have the ability to quickly establish the facts of an incident.

4. In terms of post-event handling, the Draft for Comments also sets a time limit: "Operators should conduct a comprehensive analysis and summary of the cause of the event, emergency response measures, hazards, responsibility handling, rectification situation, lessons learned, etc. within 5 working days, and form a report to be submitted through the original channel." For enterprises, 5 working days is relatively tight. Without a sound security governance system and the ability to carry out incident handling and analysis, it is difficult to produce a good-quality report within 5 working days.

5. In terms of penalties for violations, the Draft for Comments does not directly provide specific penalty clauses, but requires the CAC to impose penalties in accordance with relevant laws and administrative regulations. The conclusion we can readily draw is that its superior laws, such as Articles 25 and 59 of the CSL, Articles 29 and 45 of the DSL, and Articles 57 and 66 of the PIPL, will be triggered, and operators, directly responsible supervisors, and other directly responsible personnel will be held legally responsible.

6. In addition to responding to the requirements of the Draft for Comments, US-listed companies in China (including Chinese-funded enterprises and the Chinese subsidiaries of multinational corporations) may also need to disclose any identified material cybersecurity incidents within four working days in accordance with the SEC's cybersecurity rules for listed companies, including:

  • The basic nature, scope, timing, and material impact of the incident;
  • The processes for assessing, identifying, and managing material cybersecurity risks;
  • Cybersecurity risks, including risks arising from previous security incidents, and whether they have or are reasonably likely to have a material effect on business strategy, operations, and financial condition;
  • The board of directors' and senior management's oversight of cybersecurity risks;
  • Management's role in assessing and managing material cybersecurity risks.

Based on the above analysis, it is not difficult to see that, to meet the requirements of the Draft for Comments, enterprises need to be proactive and strengthen their ability to manage security incidents before they occur. The Deloitte cybersecurity team offers the following specific recommendations:

  1. Optimize the cybersecurity risk management organization. Clarify roles and responsibilities for cybersecurity risk management, raise the level of cybersecurity risk governance, and improve internal collaboration, ensuring consistency and effectiveness from decision-making through management to execution.
  2. Establish a comprehensive cybersecurity incident response plan in advance. This includes developing specific cybersecurity incident response plans with rapid identification, assessment, reporting, and handling processes, and establishing a comprehensive incident monitoring and reporting mechanism to ensure that cybersecurity incidents are reported within the specified time frame.
  3. Increase technology investment and upgrades. Invest more in cybersecurity monitoring technology and tools to better prevent and respond to cybersecurity threats, thereby shortening the detection and response time for cybersecurity incidents and meeting the one-hour reporting requirement.
  4. Strengthen cybersecurity incident awareness training for internal personnel. Provide regular cybersecurity awareness training to employees to improve their ability to identify and respond to cybersecurity incidents, thereby minimizing the time from discovery to reporting.
