24 June, 2019
On June 18, 2019, the Ministry for Industry and Information Technology (“MIIT”) released the Provisions on the Administration of Cybersecurity Vulnerability (Draft for Comment) (the “Provisions”), jointly drafted by the MIIT and relevant departments of the State Council, which will be open for public comment until July 18, 2019. Whereas cybersecurity vulnerability had previously been regulated only by voluntary national standards, the Provisions now aim to clarify the regulatory objects and the competent authorities for cybersecurity vulnerability, and to provide procedural rules for dealing with cybersecurity vulnerability.
I. Regulatory Objects and Competent Authorities
Article 22 of the Cybersecurity Law (the “CSL”) stipulates that “for any risk such as a security defect or vulnerability that is found, the provider concerned shall promptly take remedial measures, inform the users of the said risk, and report the case to the competent authority.”
The Provisions clarify that the regulatory objects shall be providers of network products or services, network operators, and organizations or individuals that carry out the detection, assessment, collection and publication of cybersecurity vulnerability or hold related events such as competitions (“third-party organizations”) (Article 2), while the competent authorities shall be the MIIT, the Ministry of Public Security (“MPS”) and the relevant industry authorities (Article 4).
II. Procedures for Dealing with Cybersecurity Vulnerability
The Provisions require that, upon discovering or being informed of any vulnerability in its network products, services or systems, the provider of the network products or services or the network operator concerned shall, in a timely manner, take remedial or preventive measures and release the relevant cybersecurity information to its users or to the public (Article 3).
Compared with the existing national standards, the Provisions do not follow the same procedures for dealing with cybersecurity vulnerability, in particular as regards the discovery and acceptance of a vulnerability and other related issues. The Provisions have adjusted the schedule for taking remedial and preventive measures, and set different time limits for providers of network products and for providers of network services or systems.
The specified procedures stipulated in the Provisions are as follows:
Procedure: Requirement

Verification: A provider of network products or services and a network operator shall promptly verify the vulnerability upon discovering or being informed of such vulnerability in its products, services or systems.

Remedial or Preventive Measures: For the relevant network products, remedial or preventive measures shall be undertaken within 90 days after verification of the vulnerability. For the relevant network services or systems, remedial or preventive measures shall be undertaken within 10 days after verification of the vulnerability.

Notification: Where a user or technical partner needs to carry out remedial or preventive measures itself, the provider of the network products, services or systems shall, within 5 days after taking its own measures, release to the public or notify all potentially affected users or relevant technical partners, through customer service, of the risk of the vulnerability and of the remedial or preventive measures the user or technical partner should take, and shall provide them with the necessary technical support. The vulnerability shall also be reported to the MIIT’s Information Sharing Platform of Cybersecurity Threat.
III. Third-party Organizations Releasing Cybersecurity Information to the Public
Article 25 of the CSL stipulates that the release of cybersecurity information, such as system vulnerability, computer virus, network attacks and intrusions shall be carried out in compliance with applicable regulations of the State.
The Provisions further stipulate that third-party organizations and individuals shall adhere to the principles of being “necessary, authentic, objective, preventative and responsive to cybersecurity risks” when releasing information on cybersecurity vulnerability to the public through a website, a media conference, etc. (Article 6). Third-party organizations shall strengthen their internal management, perform the relevant administrative obligations, prevent leaks of information about cybersecurity vulnerability, and prohibit their staff from releasing such information (Article 7).
The China National Vulnerability Database of Information Security, which comes under the China Information Technology Security Evaluation Center, and the China National Vulnerability Database, which is under China National Internet Emergency Center, previously collected and published vulnerability information. According to the Provisions, they will be deemed as third-party organizations, and as such are required to observe relevant regulations (Article 10).
IV. Legal Liability
Article 8 of the Provisions stipulates that, for a network product or service provider or a network operator that fails to take remedial or preventive measures, and that releases vulnerability information to the public or its users, administrative penalties shall be imposed and interviews may be organized by the MIIT, MPS and other relevant authorities, according to Articles 56, 59 and 60 of the CSL.
Additionally, Article 9 of the Provisions stipulates that, for third-party organizations which illegally release vulnerability information to the public, interviews with the MIIT, MPS and other relevant authorities will be organized, and administrative penalties shall be imposed according to Articles 62 and 63 of the CSL; violations constituting crimes shall be subject to investigations on criminal liabilities; and civil liability shall be borne when the violations have caused economic loss or reputational damage to network product or service providers and network operators.
V. Our Observation
The Provisions, as a regulatory document under the CSL, directly clarify the legal requirements on the handling of cybersecurity vulnerability for network product or service providers, network operators and third-party organizations, and the legal liabilities of the relevant subjects thereunder. We will continue to pay close attention to how enterprises manage the legal aspects of cybersecurity vulnerability in practice.