The draft rules provide new standards for categorising cybersecurity incidents based on severity, enhance incident reporting efficiency, and introduce added flexibility for punishments.
The CSRC (China Securities Regulatory Commission) has issued a consultation paper seeking feedback on new rules for reporting, investigating and handling cybersecurity incidents in the securities and futures industry.
The draft rules improve the classification of information systems in the securities and futures industry, the classification of network security incidents, lines of accountability, and incident handling mechanisms.
Currently, there is no unified classification of information systems in the securities and futures industry based on their importance. Under the changes, the types of information systems are classified into five categories according to the degree to which they could cause damage to “national financial security, social order, and investors’ legal rights and interests”.
To date, security events have only been qualitatively described through terms such as “full interruption” and “partial interruption”. The new rules introduce a new method for quantitatively describing abnormalities in system service capabilities, as well as a unified network security incident classification method.
“Combining information system categories, information system service capacity degradation and the duration of network security events, a unified network security event classification standard is given,” the CSRC said. “At the same time, for network security incidents such as data leakage, settlement error, and release of bad information, grading standards are given based on the amount of data and the degree of impact.”
To address the inefficiency of the present reporting process (a phone call followed by a supplementary written incident report), a new incident reporting platform is being introduced, through which “immediate” reporting will be required for any information system malfunction or cybersecurity event.
In order to improve the efficiency of emergency response, organisations are required to preliminarily classify incidents, which was not previously required in initial incident reports. For events that may constitute particularly serious or major cybersecurity incidents, incident handling reports will be required at least once every 30 minutes until normal operations resume.
The new rules also make the penalties for cybersecurity incidents more specific and more flexible, with the stated aims of encouraging industry innovation and keeping penalties commensurate with an incident's actual impact.
In particular, incidents with relatively small adverse effects may be assigned a lower severity classification, for example if they occur within one year of the launch of an independently developed information system, if normal service is restored quickly without affecting investors’ rights and interests, or if the affected systems serve fewer than 50 investors or handle an average daily volume of fewer than 50 transactions.
The draft rules are open for comment until 11 January 2021.