Beijing will soon expect Chinese network operators to ‘fess up to serious cyber incidents within an hour of spotting them – or risk penalties for dragging their feet.
From November 1, the Cyberspace Administration of China (CAC) will enforce its new National Cybersecurity Incident Reporting Management Measures, a sweeping set of rules that tighten how quickly incidents must be disclosed.
The rules apply to a broad category of “network operators,” which in China effectively means anyone who owns, manages, or provides network services, and mandate that serious incidents be reported to the relevant authorities within 60 minutes – or in the case of “particularly major” events, 30 minutes.
“If it is a major or particularly important network security incident, the protection department shall report to the national cyber information department and the public security department of the State Council as soon as possible after receiving the report, no later than half an hour,” the CAC states.
The regulations set out a four-tier system for classifying cyber incidents, but reserve their most challenging demands for the highest “particularly major” tier. An incident that falls within this category includes the loss or theft of core or sensitive data that threatens national security or social stability, a leak of more than 100 million citizens’ personal records, or outages that take key government or news websites offline for more than 24 hours.
The CAC also considers direct economic losses of more than ¥100 million (about £10.3 million) enough to trigger the highest classification.
Operators must file their initial report with a laundry list of details: what systems were hit, the timeline of the attack, the type of incident, what damage was done, what steps were taken to contain it, the preliminary cause, vulnerabilities exploited, and even ransom amounts if a shakedown was involved. They also need to include a grim bit of crystal-ball gazing – an assessment of possible future harm, and what government support they need in order to recover.
After the dust settles, a final postmortem must be submitted within 30 days, detailing causes, lessons learned, and where the blame lies.
Anyone caught sitting on an incident or trying to brush it under the carpet can expect to face penalties, with both network operators and government suits in the firing line.
“If the network operator reports late, omitted, falsely reported or concealed network security incidents, causing major harmful consequences, the network operator and the relevant responsible persons shall be punished more severely according to law,” the CAC warns.
Beijing’s cyber cops have rolled out a bunch of reporting channels – hotline 12387, a website, WeChat, email, and more – making it harder for anyone to plead ignorance when their network catches fire.
Compared to Europe’s leisurely 72-hour breach deadline, Beijing’s stopwatch will force many organizations to invest in real-time monitoring and compliance teams that can make a go/no-go call in minutes rather than days.
The introduction of these stringent new reporting rules comes just days after Dior’s Shanghai arm was fined for transferring customer data to its French headquarters without the legally required security screening, proper customer disclosure, or even encryption. ®
Source: China: 1-hour deadline on serious cyber incident reporting • The Register
There must be a huge government department back there waiting to “help out”. I do wonder what shape this kind of “help” will take.
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft