The People’s Bank of China recently released the Draft Administrative Measures for Reporting of Cybersecurity Incidents in the Operational Areas of PBOC for public comment.
Scope of Application
Pursuant to the Draft Administration Measures, financial institutions recognized by the PBOC would be required to report cybersecurity incidents to the PBOC and other relevant competent authorities (e.g., Cyberspace Administration of China). For incidents involving crimes (e.g., the endangerment of computer information systems), such financial institutions also would be required to report incidents to the relevant public security authorities.
Incident Classifications and Reporting Requirements
Covered financial institutions also would be required to classify incidents into four categories – especially significant, significant, large and average.
Incident Reporting Requirements
- Reporting requirements based on entity type
- Incidents occurring in the head office of a national development bank, a policy bank, a state-owned commercial bank, a China Postal Savings Bank or a joint-stock bank would need to be reported to PBOC and incidents occurring in a bank’s branches would need to be reported to a PBOC branch at the bank’s place of domicile.
- Incidents occurring in a unit belonging to PBOC and a financial infrastructure operating organization under PBOC’s management would need to be reported to PBOC.
- Incidents occurring in other financial institutions or their branches would need to be reported to the branch of PBOC at the place of the financial institution’s domicile.
- Incidents occurring in securities, futures, or fund institutions would need to be forwarded by the dispatching organization of the China Securities Regulatory Commission to notify the branch of PBOC at the same level.
- The prefectural branches of PBOC and the branches of municipalities with separate plans would need to promptly report directly to the branches of PBOC in provinces, autonomous regions and municipalities upon reports of incidents of a larger level or above occurring in their jurisdictions. When a branch of PBOC in a province, autonomous region or municipality directly receives a report of an incident of a larger level or above under its jurisdiction, it would need to promptly report the incident to PBOC.
- Large level incidents: For incidents classified as “large level” or above, covered financial institutions would need to submit a brief report within 30 minutes and then submit a more fulsome report within 2 hours.
- Significant level incidents: For incidents classified as “significant level” or above, covered financial institutions also would need to submit a progress report every 2 hours at least until the end of the incident. Important incident updates (e.g., such as upgrading the level of the incident, making progress in the phase of disposal, or discovering new problems) would need to be reported immediately.
- Average level incidents: For incidents classified as “average level” or above, covered financial institutions would need to submit an incident report within 10 business days following containment of the incident, if feasible. If not feasible, covered financial institutions would need to submit an initial report and provide a final report within 40 business days of incident containment.
- Incidents affecting personal information: For incidents involving personal information, covered financial institutions would need to submit an incident report containing the remedial measures enacted to mitigate harm caused by the incident, a sample notice sent to affected individuals, and a description of how individuals may mitigate potential harms. (Reports regarding incidents classified as “large level” or above also would need to contain the above-listed content.)
The Draft Administrative Measures also address the relevant incident reporting channels, incident report content requirements, incident liability and risk communication, and recordkeeping requirements.