Background. Recently, cybersecurity incidents at home and abroad have occurred frequently, and the harm they cause has become increasingly significant. Taking data breaches as an example, according to IBM's 2023 Cost of a Data Breach Report, the average cost of a data breach worldwide climbed again in 2023, reaching $4.45 million, the highest ever.
Cybersecurity incident reporting is an important starting point for the state's emergency management of cybersecurity incidents; for network operators, it is an important part of their cybersecurity incident management lifecycle. Recently, the Cyberspace Administration of China (CAC) issued the Administrative Measures for Cybersecurity Incident Reporting (Draft for Comments) (hereinafter referred to as the "Measures"), which is a milestone in standardizing the management of cybersecurity incident reporting.
Against this backdrop, we summarize and analyze the definitions, classifications, reporting obligations, legal liabilities and other issues involved in the Measures, and offer suggestions for the prevention of and response to cybersecurity incidents based on relevant regulations, standards and industry practices, as well as our practical experience in assisting with the handling of cybersecurity incidents.
I. Connotation and Extension: Definition and Classification of Cybersecurity Incidents
Article 12 of the Measures defines a cybersecurity incident as "an incident that causes harm to the network and information system or the data therein due to human reasons, software and hardware defects or malfunctions, natural disasters, etc., and has a negative impact on society". This definition follows the definition in the National Cybersecurity Incident Emergency Plan (implemented on January 10, 2017, hereinafter referred to as the "Emergency Plan").
In addition, the classification of cybersecurity incidents in the "Preliminary Incident Type" section of Annex 2, the "Cybersecurity Incident Information Report Form", also follows the classification standard for cybersecurity incidents in the Emergency Plan. Traced further back, that classification standard is in fact based on the information security incident classification standard of the 2007 edition of Information Security Technology - Information Security Incident Classification and Grading Guide (GB/Z 20986-2007, hereinafter referred to as the "Old Guide"). Under these classification standards, network information security incidents are divided into seven categories: harmful program incidents, network attack incidents, information sabotage incidents, information content security incidents, equipment and facility failures, catastrophic incidents and other incidents.
It is worth mentioning that Information Security Technology - Guidelines for the Classification and Grading of Cybersecurity Incidents (GB/T 20986-2023, hereinafter referred to as the "New Guidelines", which replaced the Old Guide), implemented on December 1, 2023, supplements and adjusts the definition, classification and grading standards for cybersecurity incidents. The New Guidelines define a cybersecurity incident as "an event that causes harm to the network and information system or the data and business applications therein and has a negative impact on the state, society and economy due to human reasons, network attacks, network vulnerabilities, software and hardware defects or failures, force majeure and other factors". In terms of classification, the New Guidelines add three new categories of cybersecurity incidents (i.e., "illegal operation incidents", "security security incidents" and "abnormal behavior events"), bringing the total to 10 categories. The New Guidelines also rename "information breach incidents" to "data security incidents" and "catastrophic events" to "force majeure events". In addition, the New Guidelines make further adjustments to the relevant incident subcategories. The definition and classification criteria for cybersecurity incidents are fundamental to incident reporting and, indeed, to the management of the whole incident lifecycle. How the connotation and extension of "cybersecurity incident" will finally be settled, and how the Measures will be coordinated with the New Guidelines, remain to be seen.
II. The Severity of the Matter: Grading of Cybersecurity Incidents
In the aftermath of a cybersecurity incident, it is important to assess it carefully and take adequate and appropriate response measures: both under-response and over-response can cause financial and reputational damage to the organization. Therefore, on the basis of incident classification by type, it is necessary for each specific type of incident to take proportionate response measures according to the severity of the incident.
Cybersecurity incident grading divides cybersecurity incidents into different levels according to their severity (such as the importance of the affected object and the seriousness of the harm). Organizations are required to respond proportionately to incidents of a given level and to meet reporting obligations, among other things. In addition to reporting to regulators, organizations need to be mindful of reporting obligations to stakeholders such as affected individuals, customers and insurance companies.
Annex 1 of the Measures, the Guidelines for the Grading of Cybersecurity Incidents, divides cybersecurity incidents into four levels: particularly major cybersecurity incidents, major cybersecurity incidents, large cybersecurity incidents and general cybersecurity incidents. This also follows the grading standard of the Emergency Plan (without referring to the grading standard of the New Guidelines), and further enriches and refines the grading examples on that basis. For example, in the case of personal information leakage, the threshold for a "particularly major cybersecurity incident" is "leakage of the personal information of more than 100 million people"; the threshold for a "major cybersecurity incident" is "leakage of the personal information of more than 10 million people"; and the threshold for a "large cybersecurity incident" is "leakage of the personal information of more than 1 million people". These quantitative thresholds are in fact the same as those in the incident grading standard under the 2017 Emergency Plan for Public Internet Network Security Emergencies (hereinafter referred to as the "Emergency Plan of the Ministry of Industry and Information Technology") issued by the Ministry of Industry and Information Technology.
The following table provides a summary comparison of the cybersecurity incident grading standards of the Measures and the Emergency Plan.
III. Reporting by Level: The Obligation to Report Cybersecurity Incidents
On the basis of the grading of cybersecurity incidents, Articles 4-9 of the Measures set out the following reporting requirements:
IV. Proportionate Punishment: Legal Liability for Failure to Report in Accordance with the Law
Article 1 of the Measures stipulates the legal liability for failure to perform the obligation to report cybersecurity incidents:
Those who fail to report cybersecurity incidents in accordance with the Measures will be punished by the CAC in accordance with relevant laws and administrative regulations. In this regard, Article 59 of the Cybersecurity Law[2] and Article 45 of the Data Security Law[3] already stipulate the penalties for failure to perform the obligation to report network data security incidents, and the targets of punishment include both the entity where the incident occurred and the relevant responsible persons.
Where operators report cybersecurity incidents late, omit them, report them falsely or conceal them, causing major harmful consequences, the operators and the relevant responsible persons are to be punished more heavily in accordance with law;
Where, when a cybersecurity incident occurs, the operator has taken reasonable and necessary protective measures, has proactively reported it in accordance with the provisions of the Measures, has at the same time handled it in accordance with the relevant procedures of its emergency plan, and has made its best efforts to reduce the impact of the incident, the liability of the operator and the relevant responsible persons may, in light of the circumstances, be waived or pursued leniently.
V. Prepare in Advance and Mend the Fold: Prevention of and Response to Cybersecurity Incidents
1) The Whole Picture: The Cybersecurity Incident Management Lifecycle
Beyond reporting, the cybersecurity incident management lifecycle has many aspects. As the circumstances for exemption or mitigation of liability under the Measures above show, when an organization suffers a cybersecurity incident, only comprehensive management of the incident allows the crisis to be overcome. Take as an example the incident management process of the ISC2 (International Information Systems Security Certification Consortium) CISSP (Certified Information Systems Security Professional), which is widely recognized in the field of global network, information, software and infrastructure security. It breaks incident management down into seven steps: 1. detection; 2. response; 3. mitigation; 4. reporting; 5. recovery; 6. remediation; 7. lessons learned, where the results of the lessons-learned phase are fed back to improve detection methods and prevent future security incidents (as shown in the following diagram).
Specifically: 1. Detection, which is typically achieved by deploying network security technologies such as intrusion detection and prevention systems (IDPS), anti-virus and anti-malware programs, etc.
2. Response, which includes investigating and assessing security incidents and gathering evidence about them.
3. Mitigation, which is designed to contain the development of an incident and limit its scope. Containment typically includes isolating the attacked system from other systems, disconnecting or temporarily shutting down the attacked system, and disconnecting it from the network.
4. Reporting, which involves notifying management within the organization of the incident, and reporting the incident to regulators as well as to stakeholders such as affected individuals, customers, insurance companies, etc.
5. Recovery, which aims to restore the system to its normal pre-attack operating state. Recovery is a test of an organization's data backups, system configuration and change management.
6. Remediation, which involves identifying and analyzing the root cause of the incident and then taking targeted action to prevent it from happening again. For example, if root cause analysis finds that a system was not patched up to date, remediation will include performing patch management, among other things.
7. Lessons learned, which reviews and improves the organization's incident management processes. For example: if the attack succeeded by evading detection, the organization should improve its intrusion detection system; if the response took too long, it should identify the cause and improve its emergency response plan; and so on.
Standards and practices for cybersecurity incident management may vary, but they cover essentially the same elements. It is recommended that organizations establish and improve their cybersecurity incident management process based on their own actual conditions.
2) Prepare in Advance: Prevention of Cybersecurity Incidents
Without long-term planning, trouble is never far away. A cybersecurity incident can be a crisis for an organization: its business continuity comes under immediate strain, it may suffer significant financial and reputational damage, it must respond appropriately at short notice, report to regulators, and so on. It is therefore advisable for organizations to prepare for the next cybersecurity incident. In this regard, based on relevant regulations, standards and good industry practice, as well as our practical experience in assisting with the handling of cybersecurity incidents, we recommend the following.
1. Establish and improve cybersecurity management systems and adopt technical cybersecurity protection measures, such as:
Develop and enforce network security policies, covering encryption, access control, backup and recovery, and more;
Deploy extended detection and response (XDR), security information and event management (SIEM) solutions, and more;
Conduct regular security assessments of network systems to discover and fix potential security risks.
2. Formulate and improve emergency response plans for cybersecurity incidents, including:
Refer to the RACI model to clarify the roles and responsibilities involved in incident response within the organization, covering the CIO, DPO, IT, legal affairs, public relations, etc.;
Draw an incident response flow chart that visualizes the main nodes and the overall process of incident response, so that all parties can execute the process efficiently;
Define the organization's own incident classification and grading tools, so that it can notify and report to regulators, as well as to stakeholders such as affected individuals and customers, based on regulatory requirements, service level agreements, etc.;
Prepare a detailed incident response manual, covering: conditions for activating the plan, composition of the emergency response team, reporting obligations, emergency resource guarantees, post-incident education and training, etc.; also consider developing contingency guidelines for specific types of important incident (e.g., ransomware incidents) and system-specific responses.
3. Conduct regular training on the emergency plans for cybersecurity incidents for relevant personnel, and conduct drills of the emergency plans (for example, once a year), including tabletop drills, simulation drills, live-fire drills, etc.
4. Regularly re-evaluate the existing emergency response plan for cybersecurity incidents, and revise and improve it.
5. In view of the urgency and specialist nature of responding to cybersecurity incidents, consider engaging third-party security, legal and public relations teams as early as possible, rather than only after a cybersecurity incident has occurred.
Special statement: Dentons strictly abides by the obligation to protect the client's information, and the content of the client's project involved in this article is taken from public information or obtained the client's consent. The content and opinions expressed in this article are for reference only and do not represent any position of Dentons, nor should they be regarded as issuing any form of legal advice or recommendation. If you need to ** or quote any content of the article, please send a private message to communicate the authorization and indicate ** at the beginning of the article**. You may not ** or use any of the content in such articles without authorization.