On December 8, 2023, the Cyberspace Administration of China issued the draft Administrative Measures for Reporting Cybersecurity Incidents, which aim to standardize the reporting of cybersecurity incidents, mitigate the losses and harm caused by cybersecurity incidents, and maintain national cybersecurity.
If the cybersecurity incident is categorized as “major,” “severe” or “extremely severe,” network operators must report the incident within one hour.
On December 8, 2023, the Cyberspace Administration of China (“CAC”) issued the draft Administrative Measures for Reporting Cybersecurity Incidents (“Draft Measures”) for public comment. The Draft Measures aim to standardize the reporting of cybersecurity incidents, mitigate the losses and harm caused by cybersecurity incidents, and maintain national cybersecurity.
Applicability
The Draft Measures apply to all network operators that develop and operate networks or provide services through networks within China. Network operators must report any cybersecurity incidents causing harm to network and information systems or the data contained therein to different authorities depending on the relevant network operator classification:
Network operators whose network or system is controlled by national authorities, as well as enterprises and institutions under their management, should report to the divisions in charge of cyberspace administration;
Critical Information Infrastructure Operators (“CIIOs”) should report to the relevant governmental authorities (e.g., a telecom network operator would report to the Ministry of Industry and Information Technology) and public security authorities; and
Other network operators should report to their local CAC.
In some instances, network operators may be required to report incidents to the relevant governmental authorities. In cases of suspected crime, network operators should also report to public security authorities.
Requirements
The Draft Measures require the network operator to complete a cybersecurity incident report (using a template), which should include, at minimum: (1) the name of the network operator and facilities, systems, and platforms where the incident occurred; and (2) the time, location, type of incident, impact and harm caused by the incident, and any measures already taken. In case of a ransomware attack, the report should also include (3) the demanded amount, method, and date of ransom; (4) additional developments and potential further impact and harm; (5) preliminary analysis of the cause of the incident; (6) clues needed for further investigation and analysis, including but not limited to possible attacker information, attack path, and existing vulnerabilities; (7) countermeasures to be taken and requests for support; (8) protection status of the incident site; and (9) any other circumstances that should be reported.
The Draft Measures categorize cybersecurity incidents into four levels: (1) general; (2) major; (3) severe; and (4) extremely severe, with the criteria for each level specified in the Guidelines for the Classification of Cybersecurity Incidents. If a cybersecurity incident is categorized as major, severe or extremely severe, the network operator must report the incident within one hour. If the cause, impact or outlook of the incident cannot be determined within one hour, the network operator may first report the information specified in (1) and (2) in the preceding paragraph and supplement the report with the additional information within 24 hours.
After responding to the cybersecurity incident, network operators must conduct a comprehensive analysis and summary of the incident’s cause, impact, and emergency response measures within five business days. Upon completion, the report must be submitted to the relevant authorities.
Next Steps and Implications for U.S. Higher Education Institutions
Although the Draft Measures are still in draft form, we suggest that any U.S. institution that provides services through networks in China (e.g., U.S. universities offering online programs in China or U.S. institutions offering remote testing via the web to candidates in China) develop an emergency response plan for cybersecurity incidents based on the requirements in the Draft Measures. If handling personal information of individuals in China, institutions are also required to create an emergency response plan for personal information security incidents under the Personal Information Protection Law.