Threat detection and reporting

Policies and procedures

What policies or procedures must organisations have in place to protect data or information technology systems from cyberthreats?

The Cybersecurity Law (CSL) requires network operators to adopt security measures (ie, technical and organisational measures) for cybersecurity and data protection, such as:

  • formulate internal security management systems and operation instructions concerning cybersecurity and data protection, and specify the responsibilities of each relevant department;
  • designate a person responsible for cybersecurity;
  • adopt technical measures to prevent computer viruses, network attacks, network intrusions and other activities that endanger cybersecurity;
  • adopt technical measures to monitor and record the network's operating status and cybersecurity incidents, and retain the relevant network logs for no less than six months;
  • adopt the rules of data classification and take respective measures according to the data categories; and
  • back up and encrypt important data.

Where a network operator refuses to take the technical and other necessary measures required by laws and regulations to protect information security, and fails to rectify the situation after being ordered to do so by the relevant regulator, and that refusal results in the dissemination of prohibited content online, a massive data breach, the loss of evidence for a criminal investigation or other serious consequences, the failure may constitute the crime of 'refusal to perform security management obligations for the information network' under article 286-1 of the Criminal Law.

The Administrative Measures for the Multi-level Protection of Information Security require an information system operator or user to take prescribed measures to secure the information system, scaled to the grade assigned to that system. The Information Security Technology – Baseline for Classified Protection of Cybersecurity, in force since 1 December 2019, provides further detail on those measures and is intended to operate alongside the draft Regulations on the Multi-level Protection of Cybersecurity once they are adopted. It provides for the following security measures:

  • apply access control to the information systems;
  • take measures to protect the physical security of information systems, such as anti-theft, fireproofing and anti-intrusion measures;
  • ensure the security of telecommunications;
  • determine the security boundaries of the information systems and take relevant protection measures at those boundaries;
  • conduct identity authentication for the access of information systems;
  • perform data backups;
  • set up internal company policies on security management and determine the responsible person or department;
  • provide training to the employees concerning cybersecurity and data protection;
  • grade the information systems and, where a system is graded at Level II or above, file the grade with the local public security organ;
  • design a security plan for the information systems;
  • ensure the security of the products and services purchased for the information systems; and
  • prepare a security incident response plan and protocol.

Chapter 4 of the Data Security Law (DSL) sets out data protection obligations for data processing activities, together with the principles of social morality and ethics that apply to data processing and to the development of new technologies. The DSL also reiterates that data processors must protect their networks, implement the multi-level protection system, provide training, and adopt technical measures (eg, risk monitoring and contingency measures) and other necessary measures.

Sectoral rules may provide more requirements on the protective measures for cybersecurity and data protection that apply to the network operators in certain sectors, such as banking and financial services.

Describe any rules requiring organisations to keep records of cyberthreats or attacks.

The CSL requires network operators to adopt technical measures to monitor and record the network's operating status, cybersecurity threat information and security incidents, and to keep the relevant logs for at least six months. Sectoral rules and circulars require network operators in certain sectors to keep such logs for at least one year.

The Information Security Technology – Personal Data Security Specification (PDSS) provides that records of data breach incidents must contain, at a minimum, who discovered the incident as well as when and where the incident was discovered, the categories of personal data affected, the number of affected data subjects, the names of the information systems involved and whether notification was made to the relevant regulators. The PDSS is silent on the retention period of the records of data breach incidents.

Describe any rules requiring organisations to report cybersecurity breaches to regulatory authorities.

Various laws and measures require network operators affected by cybersecurity incidents to report them to the relevant regulators, including the CSL, the Civil Code, the E-commerce Law, the Provisions on the Protection of Personal Data of Telecommunication and Internet Users and the Security Incidents Emergency Plan, as well as the relevant sectoral rules. The reporting threshold differs from regulator to regulator; in general, however, the reporting obligation under each of these rules is triggered by the occurrence, or the potential occurrence, of a cybersecurity incident. The report must be in Chinese and must contain at least the following information: the time at which the incident occurred; the scope of the impact and damage; the remedial measures already taken; details of the personal data and data subjects involved in the breach; and the contact details of the department or person responsible at the network operator.

Time frames

What is the timeline for reporting to the authorities?

Upon discovering a cybersecurity incident, the network operator must report it to the relevant regulators immediately. Article 20 of the draft Regulations on the Multi-level Protection of Cybersecurity provides that any cybersecurity incident must be reported to the local public security organ within 24 hours. Sectoral rules also set specific timelines for reporting data breaches to the authorities. For example, the new version of the Implementation Measures for the Protection of Rights and Interests of Financial Consumers, released by the People's Bank of China (PBOC) on 15 September 2020 and in force since 1 November 2020, requires banking financial institutions and non-bank payment institutions to report a data breach that may endanger financial consumers' lives or property to the local branch of the PBOC immediately, and to report a data breach that may otherwise adversely affect financial consumers to the local branch of the PBOC within 72 hours.

There is no specific obligation to make further reports after the initial report to the relevant regulators. In practice, however, once the regulators begin investigating an incident they will request cooperation and further information from time to time until the investigation is closed.

Reporting

Describe any rules requiring organisations to report threats or breaches to others in the industry, to customers or to the general public.

Network operators have a specific obligation to notify the data subjects whose personal data has been breached. There is no specific obligation to notify others in the same industry or sector: the reporting obligation extends only to the relevant Chinese authorities (where the incident meets the reporting threshold) and to the affected data subjects. A network operator may notify the affected data subjects by email, letter, telephone, in-app push notification or other appropriate means, or by an announcement on the company website where it is impractical to notify each affected data subject individually.

Law Stated Date

Correct On

Give the date on which the information above is accurate.

16 February 2021.