Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

Yes, China has published and formulated comprehensive national standards concerning cybersecurity and data protection. See below for more details.

How does the government incentivise organisations to improve their cybersecurity?

There is currently no specific monetary reward from the government to incentivise organisations to improve their cybersecurity. Protecting cybersecurity and data is an obligation for each network operator.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

China has published various national standards and technical guidelines on cybersecurity and data protection, which mainly include GB standards (mandatory national standards that are compulsory for companies to adopt), GB/T standards (recommended national standards that are not compulsory for companies to adopt) and technical guidelines. These national standards and technical guidelines cover various issues related to cybersecurity and data protection. For example, the PDSS provides various recommended rules on the protection of cybersecurity and personal data.  

In general, the national standards and technical guidelines are made by the National Information Security Standardisation Technical Committee and are often published jointly by the Administration of Quality Supervision, Inspection and Quarantine and the State Administration of Standardisation. Various national standards can be found at www.tc260.org.cn. However, these national standards are published in Chinese and there is no official translation of them.

Are there generally recommended best practices and procedures for responding to breaches?

China has released various rules on responding to data breaches and security incidents. In addition to relevant laws and regulations (eg, the CSL and the National Emergency Response Plan for Security Incidents), there are also recommended rules for responding to data breaches and security incidents. For example, the PDSS provides relevant recommended rules on responding to and managing personal data breaches, in particular on notifying competent supervisory authorities and the affected data subjects.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

China supports cooperation between network operators in the collection, analysis and reporting of cybersecurity information and the response to emergencies for the purpose of improving their capabilities for cybersecurity protection. If the draft Measures for the Administration of Publishing Cyberthreat Information are brought into force in their current form, the publication of cyberthreat information would be subject to prior reporting to relevant regulators, and the publication of cyberthreat information must not contain certain prohibited contents. The National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT), established in 2001, is a national cybersecurity emergency response agency established under the CAC. The CNCERT initiated the establishment of the National Vulnerability Database, with information provided by various telecoms operators, cybersecurity companies and internet services providers. The database aims to proactively monitor cyberthreats and incidents, and provide information for network operators to take preventive measures against cybersecurity incidents.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

Other than the private sector giving comments on draft measures that are released for public consultation, the most common avenue of cooperation between government and the private sector is during the drafting of national standards on cybersecurity and data protection. Several members of the National Standardisation Committee (such as TC260) will select a national standard and join a working group to initiate research and the drafting of the national standard. As a member of TC260, our experience has been that the private sector’s comments and opinions are very much welcome and accepted, and the process of making various national standards is generally very collaborative.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance for cybersecurity breaches in China is available, and it is common practice for companies in China to have it.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

19 December 2019