China sets new rules on security vulnerability of network products
China Data Protection Alert
China’s Ministry of Industry and Information Technology (MIIT), Cybersecurity Administration of China (CAC) and Ministry of Public Security (MPS) jointly published the Provisions on Administration of Security Vulnerability of Network Products (Provisions), which will be in force as of September 1, 2021. The Provisions have established rules for the detection, collection, publication and other activities in relation to the security vulnerability of network products. We hereby summarize the Provisions as follows:
1. Scope of Application
The Provisions are applicable for the suppliers of network products (both hardware and software), the network operators and the cybersecurity platforms or “white hat”, who are organizations or individuals who conduct the detection, collection, publication of security vulnerability of network products and other related activities. There are specific rules and requirements laid down for all the three types of entities/individuals.
It is worth mentioning that, according to the Cybersecurity Law of China, the “network operator” means any entity that owns or manages a network or network service provider. Considering that most companies are using networks formed by computers and other types of terminals and equipment in their business and internal management, those companies are at least fall within the scope of network operator thus would be subject to the Provisions.
2. Compliance Obligations
(1) General Obligation
The Provisions requires that all the three types of entities shall set up communication channel to receive report of security vulnerability of network products, and shall keep the log of received information on security vulnerability for at least 6 months. This is a specific requirement that expanded the rules under the Cybersecurity Law, which require network operators to keep network log for at least 6 months.
(2) Suppliers’ Obligations
Under the Provisions, suppliers of network products are required to fulfill the following obligations to ensure the timely fixing and reasonable publication of security vulnerability, and proper guidance to the users of products to adopt preventive measures:
- Evaluation & Notification: Upon detection of the vulnerability, immediate measures shall be taken and verification on the vulnerability shall be performed. In case upstream products or parts have vulnerability, it shall notify the upstream supplier immediately.
- Reporting: To report to MIIT’s Network Security Threat Information Sharing Platform (https://www.cstis.cn/) within 2 days upon detecting the vulnerability.
- Fixing: To timely fix the vulnerability and inform the users the security risk and the way to fix the vulnerability, and provide necessary technical support.
(3) Obligations for Cybersecurity Platforms
The Provisions have also established detailed requirements on the way the cybersecurity platforms should publish the security vulnerability the discovered. For example, they are generally required not to publish such information before there is a way to fix the vulnerability, they shall not publish details of the vulnerability, any publication during the time period of important event shall be subject to government approval, etc.
3. Penalties. The Provisions have also clarified the specific legal basis for the administrative penalties.
(1) MIIT and MPS will have the power to impose penalties on the network product suppliers if they fail to adopt measures for fixing or reporting the vulnerability. A fine up to CNY 500,000 may be given to the supplier and a fine up to CNY 100,000 may be given to the responsible person.
(2) In case a network operator fails to take measures to fix security vulnerability or adopt preventive measures, a fine up to CNY 100,000 may be given to the network operator and a fine up to CNY 50,000 may be given to the responsible person.
Considering that most companies could be considered as network operators and thus would need to comply with the Provisions, we suggest companies should start reviewing the technical and organizational measures on related to cybersecurity and make adjustments according to the new compliance rules.