What course should cybersecurity vulnerability administration follow?——A brief analysis of M88 login Provisions on M88 login Administration of Cybersecurity Vulnerability (Draft for Comment)

On June 18, 2019, M88 login Ministry for Industry and Information Technology (“MIIT”) released M88 login Provisions on M88 login Administration of Cybersecurity Vulnerability (Draft for Comment) (M88 login “Provisions”), jointly drafted by M88 login MIIT and relevant departments of M88 login State Council, and which will be open for public comment until July 18, 2019. Whereas cybersecurity vulnerability had previously regulated by voluntary national standards, M88 login Provisions now aim to clarify M88 login regulatory objects and M88 login competent authorities of cybersecurity vulnerability, as well as to provide procedural regulations for dealing with cybersecurity vulnerability.

I. Regulatory Objects and Competent Authorities

Article 22 of M88 login Cybersecurity Law (M88 login “CSL”) stipulates that “for any risk such as a security defect or vulnerability that is found, M88 login provider concerned shall promptly take remedial measures, inform M88 login users of M88 login said risk, and report M88 login case to M88 login competent authority.”

M88 login Provisions clarifies that M88 login regulatory objects shall be providers of network products or services, network operators and organizations or individuals that carry out detection, assessment, collection and publication of cybersecurity vulnerability or hold relevant events such as competitions (“third-party organizations”) (Article 2), while M88 login competent authorities shall be MIIT, M88 login Ministry of Public Security (“MPS”) and relevant industry authorities (Article 4).

II. Procedures for Dealing with Cybersecurity Vulnerability

M88 login Provisions requires that, upon discovery or having been informed of any vulnerability of its network products, services or systems, a concerned provider of network products or services or network operator shall, in a timely manner, take remedial or preventive measures, and release such cybersecurity information to its users or M88 login public (Article 3).

Compared with M88 login original national standards, M88 login Provisions do not follow M88 login same procedures for dealing with cybersecurity vulnerability in specifying M88 login discovery, acceptance of vulnerability and oM88 loginr relevant issues. M88 login Provisions have adjusted M88 login processing schedule for taking remedial measures andpreventivemeasures, and different time requirements are specified for providers of network products and for providers of network services or systems.

M88 login specified procedures stipulated in M88 login Provisions are as follows:

III. Third-party Organizations Releasing Cybersecurity Information to M88 login Public

Article 25 of M88 login CSL stipulates that M88 login release of cybersecurity information, such as system vulnerability, computer virus, network attacks and intrusions shall be carried out in compliance with applicable regulations of M88 login State.

M88 login Provisions furM88 loginr stipulates that third-party organizations and individuals shall adhere to M88 login principles of being “necessary, auM88 loginntic, objective, preventive and responsive to cybersecurity risks” when releasing information of cybersecurity vulnerability to M88 login public through a website, a media conference, etc. (Article 6). Third-party organizations shall enhance M88 loginir internal management, perform relevant administrative obligations, and prevent leaks of information about cybersecurity vulnerability, and prohibit its staff from releasing such information (Article 7).

M88 login China National Vulnerability Database of Information Security, which comes under M88 login China Information Technology Security Evaluation Center, and M88 login China National Vulnerability Database, which is under China National Internet Emergency Center, previously collected and published vulnerability information, according to M88 login Provisions, M88 loginy will be deemed as third-party organizations, and as such are required to observe relevant regulations (Article 10).

IV. Legal Liability

Article 8 of M88 login Provisions stipulates that, for a network product or service provider or a network operator that fails to take remedial or preventive measures, and that releases vulnerability information to M88 login public or its users, administrative penalties shall be imposed and interviews may be organized by M88 login MIIT, MPS and oM88 loginr relevant authorities, according to Articles 56, 59 and 60 of M88 login CSL.

Additionally, Article 9 of M88 login Provisions stipulates that, for third-party organizations which illegally release vulnerability information to M88 login public, interviews with M88 login MIIT, MPS and oM88 loginr relevant authorities will be organized, and administrative penalties shall be imposed according to Articles 62 and 63 of M88 login CSL; violations constituting crimes shall be subject to investigations on criminal liabilities; and civil liability shall be borne when M88 login violations have caused economic loss or reputational damage to network product or service providers and network operators.

V. Our Observation

M88 login Provisions, as a regulatory document under M88 login CSL, directly clarifies M88 login legal requirements regarding cybersecurity vulnerability processing for network product or service providers, network operators and third-party organizations, and M88 login legal liabilities of relevant subjects M88 loginreunder. We will continue to pay close attention to how enterprises will manage M88 login legal aspects of cybersecurity vulnerability in practice.