Threat detection and reporting
Policies and procedures
What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?
Pursuant to the Regulations on Classified Protection of Information Security (effective since 22 June 2007), every information network operating in China is classified into one of five security grades (I-V), and is subject to graduated levels of security protection according to the security grade classification (see question 6 and ‘Updates and trends’).
Describe any rules requiring organisations to keep records of cyberthreats or attacks.
The Cybersecurity Law requires all network operators to implement technical measures to monitor and record network operation status and cybersecurity incidents, and to preserve relevant web logs for at least six months.
Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.
China maintains a centralised reporting programme (see question 17).
Cybersecurity incident reporting covers both security incidents and security threats:
- a ‘security incident’ refers to any incident that has already occurred, which is further classified into four grades (ie, ‘extremely serious’, ‘serious’, ‘relatively serious’ and ‘general’); and
- a ‘security threat’ refers to any information that relates to potential security threats but has not given rise to actual harm and effect, or certain information about prevention based on incident analysis (classified into Grades I to IV, with Grade I representing the most serious category).
An entity that has a reporting obligation is required to classify the relevant cybersecurity incidents or threats into the proper classifications and report to the MIIT or CNCERT within the time limit specified by law, namely:
- ‘extremely serious’ or ‘serious’ incidents or the existence of Grade I or II security threats must be reported to MIIT and the relevant provincial branch within two hours, with a copy to CNCERT;
- ‘relatively serious’ incidents or the existence of Grade III security threats must be reported to MIIT and the relevant provincial branch within four hours, with a copy to CNCERT;
- the existence of Grade IV security threats must be reported within five business days of the discovery to CNCERT, with a copy to the relevant provincial MIIT branch; and
- ‘general’ security incidents must be reported monthly to CNCERT, with a copy to the relevant MIIT provincial branch.
Incident reporting is required to include the following information:
- basic information about the entity;
- the time when the incident took place;
- a summary of the incident;
- preliminary estimate of harm and effect;
- measures that have been taken; and
- other related information.
Threat reporting is required to include the following information:
- description of the threat information;
- estimation of the potential harm;
- identification of the users and scope of possible effect;
- identification of the entity or person who is aware of such information as of the reporting; and
- recommended responses and measures.
Following verification of an incident report, MIIT or CNCERT is to issue a public notice to the relevant organisations and coordinate various government agencies, industry associations, network operators, research institutes and security organisations, as required.
Timeframes
What is the timeline for reporting to the authorities?
See question 28.
Reporting
Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.
The new Cybersecurity Law mandates that notification be provided to the data subjects and the competent regulatory authority in accordance with regulations, without providing further detail. Except for the Cybersecurity Law, China has not established any measure requiring the reporting of cybersecurity threats or breaches to others in the industry, to customers or to the general public. See questions 24 and 28.