In May 2018, Taiwan's Legislative Yuan passed the Cybersecurity Management Act (the Act, 資通安全管理法). The Act now awaits its implementation schedule (including its effective date), which will be decided in the near future by the competent authority for the Act (the Administrative Yuan).
In addition to government agencies, the Act also requires Providers of Critical Infrastructure (關鍵基礎設施提供者) to establish and maintain a safe, stable and secure cyber environment.
Who is a Provider of Critical Infrastructure?
The Act applies to providers whose tangible or intangible assets, systems and/or internet resources are of high importance because their outage, degraded performance or impairment would have a substantial impact on, or endanger, national security, social and public interests and economic activities. The regulated industries include the following sectors:
- Information Technology and Telecommunications
- Transport and Traffic
- Banks and Finance
- Emergency Rescue and Hospitals
- Central and Local authorities
- High Technology Parks
The central competent authority for each category of business (各中央目的事業主管機關), after obtaining approval from the Administrative Yuan, will designate certain business operators as Providers of Critical Infrastructure by written notice.
What obligations apply?
In general, Providers of Critical Infrastructure will need to (a) implement a Cybersecurity Maintenance Plan (資通安全維護計畫) and (b) notify the central competent authority for their business of any cybersecurity incidents (資通安全事件).
Cybersecurity Maintenance Plan
Providers of Critical Infrastructure should formulate, revise and implement a Cybersecurity Maintenance Plan that conforms with the requirements of the cybersecurity responsibility level (資通安全責任等級之要求) decided for them by the Administrative Yuan, and that takes into account the types, quantity and nature of the information and data they keep or process, as well as the scale and nature of their cybersecurity system.
In addition, Providers of Critical Infrastructure are required to report the implementation status of their Cybersecurity Maintenance Plan (資通安全維護計畫之實施情形) to their competent authority for inspection. In the case of any defects or deficiencies, the Provider of Critical Infrastructure must rectify them and submit an improvement report (改善報告).
To deal with potential cybersecurity incidents, the Act requires Providers of Critical Infrastructure to establish a reporting and response mechanism (通報及應變機制) in advance.
When a threat to its systems, services or internet status is identified that may affect the operation, availability, integrity, authenticity or confidentiality of its IT system, the Provider of Critical Infrastructure must notify its competent authority immediately after becoming aware of the incident.
In addition, following each cybersecurity incident, the Provider of Critical Infrastructure should submit a report detailing its investigation, handling and improvement measures (調查、處理及改善報告) to the competent authority that oversees its business. In the case of significant incidents, the report should also be sent to the Administrative Yuan.
If a Provider of Critical Infrastructure fails to give the required notification of a cybersecurity incident, the central competent authority for its business can directly impose a fine of TWD 300,000 to 5 million (approx. US$ 10,000 to 168,000) and also order the Provider to rectify the issue within a prescribed period of time. If the Provider continues to neglect its reporting duty, the fine can be imposed on a consecutive basis.
For violations of the other obligations stipulated in the Act, the competent authority for the business will first order the Provider to remedy the shortcoming within a prescribed period of time. If the Provider fails to do so by the deadline, fines of TWD 100,000 to 1 million (approx. US$ 3,400 to 33,000) can be imposed on a consecutive basis.