China Proposes 1-Hour Deadline for Reporting Major Incidents
CAC Rule Would Require ISPs to Complete Preliminary Analysis Within 24 Hours
The Cyberspace Administration of China released on Friday a proposal to force network operators to report major cybersecurity incidents to authorities within one hour of learning about the incidents - and to provide a detailed analysis in the first 24 hours.
The Measures for the Management of Network Security Incident Reporting regulation will apply to government-owned and private network operators. The deadline for public feedback will expire on Jan. 7.
The draft mandate empowers third-party vendors or network operators to report cybersecurity incidents to Chinese authorities if the network provider fails to acknowledge or report an incident. Individuals and social organizations could also report cybersecurity incidents to provincial authorities directly if the network operator fails to do so.
"If operators delay, omit, report or conceal cybersecurity incidents, resulting in major harmful consequences, the operators and relevant responsible persons shall be severely punished in accordance with the law," it warned, according to a machine translation from the original Chinese.
The draft proposes three tiers of incident classification ranging from significant to very serious. The last category includes incidents affecting "the work and lives" of more than 30 percent of individuals within a province or a disruption affecting the entirety of information infrastructure lasting more than six hours. The regulation also classifies as a major incident the dissemination of "illegal and harmful" information that receives more than 1 million views or clicks when that information was placed online through the hacking of official or key news websites or through online platforms.
CAC said once a network operator experiences a cybersecurity incident, it must report specific details about the incident to public security agencies. Such details include the name of the affected unit and basic information about the facilities, systems and platforms where the incident occurred, the time and place at which the incident was discovered or occurred, the type of incident, whether a ransom was demanded, and the measures taken.
Organizations also will be required to report within 24 hours details about the incident, such as preliminary analysis of the cause of the incident, the present state of the situation, clues required for further investigation and analysis, and information about further impacts.
"After the incident is handled, the operator shall conduct a comprehensive analysis and summary of the cause of the incident, emergency response measures, hazards, responsibility handling, rectification situations, lessons learned, etc. within 5 working days, and form a report and submit it according to the original channel," CAC added.
The cybersecurity agency said network operators may be exempted from legal action or "punished lightly" if they follow cybersecurity reporting guidelines to the letter and take necessary measures to reduce the impact of cybersecurity incidents.