By Susan Ning, Han Wu, Yangdi Zhao, Yuanshan Li, King & Wood Mallesons’ Commercial & Regulatory group
The newest Norton Cybersecurity Insights Report indicates that, among emerging-market countries, China faces the most severe cybercrime attacks. In 2014, over 240 million Chinese consumers became victims of cybercrime, and the total economic losses amounted to CNY 700 billion. In response to increasingly rampant cyber-attacks and cybercrime, the Office of the Central Leading Group for Cyberspace Affairs (“CLGCAO”) published the Notice of the Emergency Response Plan for Cybersecurity Incidents (the “Emergency Response Plan”) on 10th January 2017, and officially released the Emergency Response Plan on 27th June 2017. By establishing and consolidating the National Emergency Response Mechanism on Cybersecurity Incidents in all provinces, municipalities, and autonomous regions, the CLGCAO shows its determination to respond to cyber-attacks, safeguard information security, and maintain cyber sovereignty. Companies should not only understand the CLGCAO’s national-level emergency measures, but also strictly comply with each provision of the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”), and build regulatory systems and emergency plans from the ex ante, interim, and ex post perspectives to respond to potential cybersecurity incidents.
This article briefly introduces the structure of the Emergency Response Plan and summarizes companies’ basic legal obligations, mainly under the Cybersecurity Law and relevant regulations, in preventing and responding to cybersecurity incidents. It also provides experience-based guidance on implementing the key steps for responding to cybersecurity incidents.
Introduction to the Emergency Plan
Duties of network operators when facing cybersecurity incidents
1. Regular preventive work
Both the Cybersecurity Law and the Emergency Response Plan regulate the regular preventive work that network operators must carry out against cybersecurity incidents. Specifically:
(1) Cybersecurity level protection
Network operators should follow the requirements of cybersecurity level protection to fulfill their security protection duties, protect networks from disruption, destruction or unauthorized access, and prevent network data from being leaked, stolen, or tampered with. Specifically, a network operator should identify a director responsible for cybersecurity and implement cybersecurity protection responsibilities; take technical measures to prevent activities that endanger cybersecurity, such as computer viruses, network attacks, and network intrusions; take technical measures to monitor and record network operation status and cybersecurity incidents, and retain the relevant network logs as required; and take measures such as data classification, backup of important data, and encryption.
(2) Network products and services should conform to national standards
Network products and services should conform to the mandatory requirements of national standards. Important network products and services purchased for networks and information systems that relate to national security should pass a cybersecurity examination pursuant to the Measures on Security Examination for Network Products and Services (Trial Implementation).
(3) Consistent security maintenance
A provider of network products or services should provide consistent security maintenance for its products or services. Such maintenance shall not be discontinued within the prescribed term or the term agreed upon by the parties. 
(4) Emergency plan for cybersecurity incidents
A network operator should develop an emergency plan for cybersecurity incidents so that it can promptly respond to security risks such as system bugs, computer viruses, network attacks and intrusions. An emergency plan may cover the responsible person, the data leakage notification mechanism, remedies, the internal allocation of responsibility, etc.
(5) Duty of timely remedies and report
When a network operator finds any risk, such as a security defect or bug, in the network products or services it provides, the network operator should take remedial actions immediately, inform the users, and report the case to the competent authority as required. In addition, in case of disclosure, damage or loss of personal information, the network operator shall take remedial actions immediately, inform the users, and report the case to the competent authority as required.
(6) Regular examination and assessment of risk by operators of key information infrastructure
In addition, at least once a year, the operator of a key information infrastructure should examine and assess its cybersecurity and potential risks, either itself or by entrusting a cybersecurity service provider, and submit the examination and assessment results, together with improvement measures, to the competent authorities in charge of the security of the key information infrastructure.
2. Emergency measures for security incidents
When an incident that threatens cybersecurity occurs, including leakage, damage, or loss of personal information, a network operator should promptly develop an emergency plan for the cybersecurity incident, take corresponding remedial actions, and report the case to the competent authority as required.
Pursuant to the Emergency Response Plan, when a security incident occurs, a network operator should report the case to the local cyberspace administration so that the relevant authority can initiate emergency response work. In addition, for cases occurring in a computer information system, the users concerned should report to the local public security organ at or above the county level within 24 hours.
Similarly, the Emergency Response Plan requires the Emergency Response Office to be in charge of cross-department and cross-region coordination of cybersecurity emergency response and of the routine work of the command department, and to organize and instruct the national cybersecurity emergency response technical support team to complete the technical support work for emergency response.
3. Summary and compliance work after security incidents happen
As the Emergency Response Plan provides for a summary and assessment mechanism run by the cyberspace administration, companies might need to stay in communication with the administrative department and assist it in completing the investigation report, which summarizes the cause, nature, and influence of the security incident and proposes improvement measures. Furthermore, we suggest that companies comprehensively review their internal cybersecurity systems and standards in order to take preventive measures.
- Pay full attention to all cybersecurity incidents. Do not deal with an incident hastily on the basis of an initial judgment that it has limited impact; otherwise the company may be unprepared once a complete assessment has been made.
- Take measures to control the situation after an incident happens, and evaluate the possibility of further invasion or leakage.
- According to the specific situation of the incident, promptly make an initial evaluation of the impact and severity level of the cybersecurity incident, inform the competent authorities and the affected data subjects, and take measures to prevent further invasion or leakage.
- Actively cooperate with the investigation by the competent authorities, and consult the competent authorities before publishing details of the incident.
- Preserve evidence that can be used to determine the cause and nature of the incident and the remedies that should be taken.
- Ensure that an appropriate and full record of the incident is kept, especially of the remedies taken to control and mitigate the damage caused by the incident.
Key steps to respond to cybersecurity incident at the early stage
Step 1: take measures to contain the breach and do a preliminary assessment
- Take measures to contain the breach
- Do a preliminary assessment
- Identify parties to be notified
Step 2: evaluate the risks associated with the incident and decide measures that should be taken immediately
- The type of the data leaked
- The context of the data leaked
- The cause and extent of data leakage
- The risk of serious harm to the affected individuals caused by data leakage
Step 3: fulfill notification duty of cybersecurity incident
- Decide notification procedure
- Decide what information should be included in the notification
At present, Trojan horses, botnets, phishing websites and other non-traditional cybersecurity threats keep growing, and Distributed Denial of Service (DDoS) attacks, Advanced Persistent Threat (APT) attacks and other new types of network attack are increasing. Threats to cybersecurity emerge endlessly, and network infrastructure carries potential risks. A company’s information systems face threats all the time, and companies confront serious challenges in protecting cybersecurity and the security of user data.
To ensure its cybersecurity, as well as to reduce its compliance risk in a cybersecurity incident, we suggest that a company enhance the security of the software and hardware of its network systems during daily operation, set up an integrated emergency response plan and related mechanisms for cybersecurity incidents, and strengthen internal cybersecurity knowledge and skills training for employees. When a cybersecurity incident happens, the company should take measures promptly, seek professional advice, fulfill its duties according to the relevant laws and regulations, actively cooperate with the competent authority’s investigation, and do its best to reduce risks and damage and to mitigate its potential legal liability. After a cybersecurity incident, the company should actively fix system bugs, strengthen network system security from both the technical and the institutional perspective, improve and perfect its internal response mechanism for security incidents, and ensure that the relevant security systems and standards conform with the relevant national laws and regulations, thereby preventing security incidents and data leakage in the future.
Cybersecurity usually involves sudden incidents. If a company is facing an emergency, we have an urgent assistance service mechanism to help the company get through the difficulties at the first moment.