China's top cyber regulator is planning to request companies in China to report cybersecurity incidents
The Cyberspace Administration of China (CAC) released a draft for soliciting opinions on the management of cybersecurity incident reporting on Friday.
The cybersecurity incident reporting regime established by the draft aims to standardize the reporting process to minimize losses and maintain national cybersecurity, aligning with China's Cybersecurity Law, Data Security Law, and PIPL.
The measures apply to network operators in China, who must report incidents that endanger network security. Reports should include details such as the incident's location, time, type and impact, the measures taken, and, for ransomware attacks, the ransom demanded, among other items. If an incident's cause or impact is unclear, initial information must be reported within one hour, with a full report due within 24 hours. Operators are also required to submit a comprehensive analysis within five working days of handling the incident. Comments on the draft can be sent to the CAC by January 7, 2024.
While China modeled its data protection law on the EU's GDPR, it is studying US cybersecurity protection practices, and the establishment of a cybersecurity incident reporting system is evidence of this.
On March 15, 2022, US President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022. The Act established two mandatory reporting obligations for critical infrastructure entities: reporting cyber incidents, and reporting ransom payments made in response to ransomware attacks. The Act not only continues the comprehensive strengthening of critical infrastructure security protection that the US has pursued since 1996, but also positions the US to respond to the modernized cybersecurity situation arising from the Russia-Ukraine conflict.
The draft for comment is only available in Chinese. Here is the translation. Please understand it’s not an official translation; all faults are mine.
Measures for the management of cyber security incident reports
(draft for comment)
Article 1: In order to standardize the reporting of cyber security incidents, reduce losses and harm caused by cyber security incidents, and protect cyber security, these measures are formulated in accordance with the Cyber Security Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China, the CII Security Protection Regulations and other laws and regulations.
Article 2: Network operators who build or operate networks or provide services through networks within the territory of the People's Republic of China shall report incidents that endanger cyber security in accordance with the provisions of these Measures.
Article 3: The national cyberspace administration department is responsible for overall coordination of cyber security incident reporting affairs and related supervision and management. Local cyberspace administration departments are responsible for overall coordination of cyber security incident reporting affairs and related supervision and management within their respective administrative regions.
Article 4: Operators shall promptly activate emergency response plans when a cyber security incident occurs. According to the "Guidelines for Grading Cyber Security Incidents", when a relatively large, significant or particularly significant cyber security incident occurs, it shall be reported within 1 hour.
If the network and system are affiliated to various departments of the central and state organs and their managed enterprises and institutions, the operator shall report to the cyber affairs agency of the department. If a major or particularly significant cyber security incident occurs, the cyber affairs agency of each department shall report to the national cyber affairs agency within one hour after receiving the report.
If the network and system are CII, the operator shall report to the protection department and the public security organ. If a major or particularly significant cyber security incident occurs, the protection department shall report to the national cyberspace administration and the public security department of the State Council within one hour after receiving the report.
Other network and system operators shall report to the local cyberspace administration department. If a major or particularly significant cyber security incident occurs, the local cyberspace administration department shall report it to the higher-level cyberspace administration department within one hour after receiving the report.
If there is an industry regulatory authority, the operator should also report in accordance with the requirements of the industry regulatory authority.
If a suspected crime is discovered, the operator shall report it to the public security organ at the same time.
Article 5: Operators shall report incidents in accordance with the Cyber Security Incident Information Reporting Form, including at least the following contents:
(1) The name of the unit where the incident occurred and basic information on the facilities, systems and platforms involved;
(2) The time and location at which the incident was discovered or occurred, the type of incident, the impact and harm caused, and the measures taken and their effects. For ransomware attacks, the amount, method and date of the ransom demanded should also be included;
(3) The development trend of the situation and the possible further impact and harm;
(4) A preliminary analysis of the cause of the incident;
(5) Leads required for further investigation and analysis, including possible attacker information, attack paths, existing vulnerabilities, etc.;
(6) Proposed further response measures and requests for support;
(7) Protection of the scene of the incident;
(8) Other situations that should be reported.
Article 6: If the cause, impact or trend of the incident cannot be determined within one hour, the first and second items of Article 5 can be reported first, and other situations can be reported within 24 hours.
After the incident report, if there are new important situations or phased progress in the investigation, relevant stakeholders should report in a timely manner.
Article 7: After the incident has been handled, the operator shall, within 5 working days, conduct a comprehensive analysis and summary of the cause of the incident, the emergency response measures, the harm caused, the distribution of responsibility, rectification, lessons learned, etc., and submit a report through the original reporting channels.
Article 8: When an organization or individual providing services to an operator discovers that an operator has a large, significant or particularly significant cyber security incident, it shall remind the operator to report the incident in accordance with the provisions of these Measures. If the operator intentionally conceals or refuses to report, it may report to the local network information department or the national network information department.
Article 9: Social organizations and individuals are encouraged to report major, significant or particularly significant cyber security incidents to the cyberspace administration.
Article 10: Where an operator fails to report a cyber security incident in accordance with these Measures, the cyberspace administration department shall impose penalties in accordance with relevant laws and administrative regulations.
If an operator delays, omits, falsely reports or conceals a cyber security incident, causing significant harm, the operator and relevant responsible persons shall be punished severely according to law.
Where a relevant department fails to report a cyber security incident in accordance with these Measures, its superior authority shall order it to make corrections, and the directly responsible person in charge and other directly responsible personnel shall be punished according to law. Where a crime is suspected, criminal responsibility shall be investigated according to law.
Article 11: Where, when a cyber security incident occurs, the operator has taken reasonable and necessary protective measures, reported proactively in accordance with the provisions of these Measures, handled the incident in accordance with the procedures of its emergency plan, and made every effort to reduce the impact of the incident, the operator and relevant responsible persons may be exempted from liability or given a lighter punishment as appropriate.
Article 12: Cyber security incidents as mentioned in these measures refer to events that cause harm to networks and information systems or their data due to human factors, software and hardware defects or failures, natural disasters, etc., and have a negative impact on society.
Article 13: Reports of cyber security incidents involving national secrets shall be handled in accordance with the provisions of relevant departments.
Article 14: These Measures shall come into force on XXX.
Attachment 1: Cyber security incident grading guidelines
Attachment 2: Cyber Security Incident Information Report Form