China 1-hour deadline on serious cyber incident reporting - The Register

Beijing will soon expect Chinese network operators to fess up to serious cyber incidents within an hour of spotting them, or risk penalties for dragging their feet.

From November 1, the Cyberspace Administration of China (CAC) will enforce its new National Cybersecurity Incident Reporting Management Measures, a sweeping set of rules that tighten how quickly incidents must be disclosed.

The rules apply to a broad category of "network operators," which in China effectively means anyone who owns, manages, or provides network services, and mandate that serious incidents be reported to the relevant authorities within 60 minutes or, in the case of "particularly major" events, 30 minutes.

"If it is a major or particularly important network security incident, the protection department shall report to the national cyber information department and the public security department of the State Council as soon as possible after receiving the report, no later than half an hour," the CAC states.

The regulations set out a four-tier system for classifying cyber incidents, but reserve their most challenging demands for the highest, "particularly major" tier. An incident that falls within this category includes the loss or theft of core or sensitive data that threatens national security or social stability, a leak of more than 100 million citizens' personal records, or outages that take key government or news websites offline for more than 24 hours.

The CAC also considers direct economic losses of more than 100 million (about 103 million) enough to trigger the highest classification.

Operators must file their initial report with a laundry list of details: what systems were hit, the timeline of the attack, the type of incident, what damage was done, what steps were taken to contain it, the preliminary cause, vulnerabilities exploited, and even ransom amounts if a shakedown was involved. They also need to include a grim bit of crystal-ball gazing: an assessment of possible future harm, and what government support they need in order to recover.

After the dust settles, a final post-mortem must be submitted within 30 days, detailing causes, lessons learned, and where the blame lies.

Anyone caught sitting on an incident or trying to brush it under the carpet can expect to face penalties, with both network operators and government suits in the firing line.

"If the network operator reports late, omitted, falsely reported, or concealed network security incidents, causing major harmful consequences, the network operator and the relevant responsible persons shall be punished more severely according to law," the CAC warns.

Beijing's cyber cops have rolled out a bunch of reporting channels (hotline 12387, a website, WeChat, email, and more), making it harder for anyone to plead ignorance when their network catches fire.

Compared to Europe's leisurely 72-hour breach deadline, Beijing's stopwatch will force many organizations to invest in real-time monitoring and compliance teams that can make a go/no-go call in minutes rather than days.

The introduction of these stringent new reporting rules comes just days after Dior's Shanghai arm was fined for transferring customer data to its French headquarters without the legally required security screening, proper customer disclosure, or even encryption.