Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

In addition to laws and regulations, China publishes and maintains comprehensive national standards addressing cybersecurity as well as information security requirements. See question 15.

How does the government incentivise organisations to improve their cybersecurity?

China has not established any formal government programmes expressly intended to incentivise organisations to improve cybersecurity preparedness. However, the Cybersecurity Law contains general principles that provide that the government is to prepare plans and increase investment to support key industries and network security technology projects, support network security technology research and development, and encourage relevant enterprises or organisations to provide certification, testing and risk assessment services. The Chinese government is also obliged to organise network security training to promote the awareness of the general public.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

National standards and technical guidance documents have been published under the umbrella of ‘Information Security Technology’, including GB Standards, GB/T Standards and technical guidance (GB/Z guidance). These standards and technical guidance cover a wide range of cybersecurity-related subjects, including, for example, encryption specifications, security standards for cloud computing, online banking, industrial control systems and e-government. An example is the recently released draft Information Security Technology - Guidelines for Data Cross-Border Transfer Security Assessment, which propose substantially more detailed guidance with respect to the implementation of a security assessment programme (see ‘Update and trends’). A complete library of PRC national standards is accessible via the following URL www.sac.gov.cn/was5/web//outlinetemplet/gjbzcx.jsp.

Principal information security technology standards and guidance applicable in China are codified as ‘TC260’ standards, which are formulated by the NISSTC and jointly published by the SAC and the AQSIQ. Key TC260 standards may be accessed at the website of the NISSTC at: www.tc260.org.cn. However, no English language versions of the TC260 standards are available on this site.

Are there generally recommended best practices and procedures for responding to breaches?

Guidance on best practices and procedures for responding to cybersecurity breaches may be found in the Information Technology - Security Techniques - Information Security Incident Management Guide (GB/Z 20985-2007), which is largely based on the international standard ISO/IEC TR 18044:2004 (Information technology - Security techniques - Information security incident management), with relevant revisions. This guidance provides an overview of information security incident management and of the processes and recommendations for response activities, which generally encompass the steps listed below:

  • initial detection and reporting the occurrence of the information security incident;
  • collection of information to assess and determine whether the circumstances constitute an information security incident;
  • responding to the incident by taking immediate action and, if the incident is not under control, seeking crisis assistance;
  • communication of incident details to internal and external persons and organisations;
  • conducting forensic analysis;
  • recording completed steps and decisions for further analysis; and
  • once an information security incident has been resolved:
    • conducting further forensic analysis and identifying lessons to be learned from the handling of the incident; and
    • making improvements to existing policies and processes.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

Pursuant to the Cybersecurity Law, China supports cooperation among network operators in such areas as the collection, analysis and reporting of cybersecurity information and emergency disposal, assigning responsibility to relevant industrial organisations for establishing coordinating mechanisms and implementing regulations (see question 9). However, China has not yet established any specific programmes for promoting the voluntary sharing of information about cyberthreats. Affected entities and individuals are required to report cyberthreat information to the competent regulatory authorities, which may release a public report and provide recommendations for addressing such threats.

China maintains a centralised reporting programme, pursuant to which all telecommunication authorities, telecommunication business operators, domain name registrars and administrators, and the Internet Society of China are required to report cybersecurity incidents (eg, malware, defacement, backdoor intrusion, phishing, vulnerability, information destruction, denial of service attack, abnormal domain, router hijacking, unauthorised access, spam, mixed cybersecurity incidents and other cybersecurity incidents) to the telecommunications regulatory authority or to the National Computer Network Emergency Response Technical Team/Coordination Centre of China (CNCERT). Following verification of the reported incident, CNCERT issues a public notice to the relevant organisations and coordinates the involvement of relevant government agencies, industry associations, network operators, research institutes and security organisations, as required (see question 28).

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The Cybersecurity Law prescribes a general principle whereby the government shall support enterprises, research institutions, universities and other organisations to participate in the formulation of national standards and industrial standards for network security. Private enterprises, research institutions, universities and other organisations are often involved in the process of developing security standards. Experts from the relevant industry may be invited to participate in the technical committee to draft and review such security standards and, in some cases, draft standards are released to the public to solicit comments.

Insurance

Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Cybersecurity insurance is available in China; however, it is a relatively new product and only a limited number of insurers offer insurance with coverage for losses from cyberattack, data loss and other cybersecurity-related events.