04 July 2017

How to prepare an emergency response plan for cybersecurity incidents like Petya

This article was written by Susan Ning (partner), Wu Han (senior associate), Zhao Yangdi (associate) and Li Yuanshan (associate).

Cybersecurity incidents on the rise

Ransomware attacks have become more frequent, causing data leaks, network disruptions and severe financial losses worldwide. The latest Norton Cybersecurity Insights Report indicated that China faces the severest cybercrimes among emerging markets. In 2014, more than 240 million Chinese consumers fell victim to cybercrimes, resulting in ¥700 billion of economic losses. 

In response, the Office of the Central Leading Group for Cyberspace Affairs (“CLGCAO”) published the Notice of the Emergency Response Plan for Cybersecurity Incidents (the “Emergency Response Plan”) on 10th January 2017, and officially released the Emergency Response Plan on 27th June 2017. The CLGCAO aims to safeguard information security and maintain cyber sovereignty by establishing and consolidating the National Emergency Response Mechanism on Cybersecurity Incidents in all provinces, municipalities, and autonomous regions. 

Following the WannaCry attack in May which affected more than 150 countries, and a variant of the Petya virus in June, businesses with interests in China should:

  • understand the CLGCAO’s national-level emergency measures;  
  • strictly comply with each provision of the Cybersecurity Law of the People’s Republic of China (the “Cybersecurity Law”); and 
  • have robust regulatory systems and emergency plans in place to respond to cybersecurity incidents.

In this article, we provide an overview of: 

  • the Emergency Response Plan’s structure; 
  • the basic legal obligations for companies under the Cybersecurity Law and relevant regulations in preventing and responding to cybersecurity incidents; and 
  • how to implement an effective cybersecurity incident response.

1. Introduction to the Emergency Response Plan

Framework: Specific Content

Scope of Cybersecurity Incidents: Cybersecurity incidents include malware, network attacks, the destruction of information, information content security breaches, facilities faults, disasters and more.

Levels of Cybersecurity Incident: Cybersecurity incidents are divided into four levels according to the severity of the disturbance to key network and information systems, and the level of threat to national security and social stability:

  • particularly serious cybersecurity incidents;
  • serious cybersecurity incidents;
  • important cybersecurity incidents; and
  • general cybersecurity incidents.

Institutional Structure and Duties:

  • Governing Body: Office of the Central Leading Group for Cyberspace Affairs.
  • Administrative Body: Office of the National Cybersecurity Emergency Response (the “Emergency Response Office”), an office under the CLGCAO.
  • Duties of Departments and Local Offices: Any department or institution directly under the Communist Party of China (CPC) Central Committee, and offices for cybersecurity affairs at the provincial level, should be responsible for the prevention, control, reporting, and emergency disposal of cybersecurity incidents affecting the network and information systems in its own section, industry or administrative region.

Monitoring and Early Warning: Each provincial office for cybersecurity affairs should actively monitor security on its local network and information systems. The security monitoring systems should include early warnings (including an alert and response plan), and investigation and analysis capabilities.

Emergency Response: When a cybersecurity incident occurs, entities should immediately initiate their emergency response plan and report the breach in a timely manner. All offices and departments in relevant regions should immediately execute plans to control the situation and identify hidden risks. Relevant offices should also initiate emergency investigative and analysis processes, preserve evidence, and report on findings.

Any incident which is preliminarily defined as a ‘serious’ or ‘particularly serious’ cybersecurity incident should be immediately reported to the Emergency Response Office.

Investigation and Assessment: The investigation and assessment of a cybersecurity incident should be finished within 30 days after the emergency response ends.

Prevention: All offices and departments at the provincial level should strengthen prevention strategies, organise emergency plan drills regularly, conduct cybersecurity education sessions, and provide professional skills training to enhance preventative measures.

Safeguard Measures: All offices and departments at the provincial level should publicly promote relevant laws, regulations, and policies to help prevent cybersecurity incidents through media and other promotion methods, as well as organising educational activities to increase the public’s basic knowledge of cybersecurity.

2. Network operator duties in cybersecurity incidents 

In general, the legal duty of network operators when facing cybersecurity incidents can be categorised as regular preventative work, emergency measures for incidents, and post incident review and summary.

(1) Regular preventative work

Both the Cybersecurity Law and the Emergency Response Plan provide regulations for regular preventative work for network operators. Regulations include:

A. Cybersecurity levels protection

Network operators should follow cybersecurity levels protection requirements (in Article 21 of the Cybersecurity Law) to fulfill security protection duties and prevent network disruptions and data breaches. In particular, network operators should:

  • identify a director for cybersecurity who is responsible for the implementation of cybersecurity protection, as well as the business response plans;
  • take technical measures to prevent activities that endanger network security (e.g. computer viruses, cyber-attacks, and network intrusions);
  • supervise and record network operation status and cybersecurity incidents and keep relevant network logs pursuant to requirements; and
  • classify data for backup and encryption.

B. Network products and services must abide by national standards

Network products and services must abide by mandatory national standards. Important network products and services purchased by entities that affect national security should pass cybersecurity exams pursuant to the Measures on Security Examination for Network Products and Services (Trial Implementation) in Article 22 of the Cybersecurity Law. 

C. Consistent security maintenance

Network operators should provide consistent security maintenance for their products or services. Such maintenance must not be discontinued within the prescribed term or the term agreed upon by the parties.

D. Emergency plan for cybersecurity incidents

Network operators should develop an emergency plan for cybersecurity incidents to ensure a prompt response to security breaches such as system bugs, computer viruses, network attacks and intrusions. An emergency plan may include a response team and their responsibilities, a data breach notification mechanism, strategies for response, internal decision makers etc.

E. Duty of timely remedies and report

When a network operator finds any risk such as security defects or bugs, it should take remedial actions immediately by informing users and reporting the case to the relevant authority as required. 

F. Regular examination and assessment of risk by the operator of a key information infrastructure

At least once a year, operators of key information infrastructure should conduct examinations and assessments of their cybersecurity risks, either internally or independently via a cybersecurity service provider. They should submit the results and improvement measures to the relevant authorities in charge of the security of the key information infrastructure.

(2) Emergency measures for security incidents

In the event of a cybersecurity incident, network operators should initiate their emergency plan, take remedial actions, and report the case to the competent authority as required. 

In accordance with the Emergency Response Plan, when cybersecurity incidents occur, a network operator should report the case to their local cyber administration to allow the relevant authority to initiate emergency response processes. If an incident occurs on a public computer information system, users should report it to their local public security branch at or above the county level within 24 hours. 

Similarly, the Emergency Response Plan requires the Emergency Response Office to coordinate cross-departmental and cross-regional emergency responses, as well as organise and instruct the national cybersecurity emergency response technical support team.

(3) Summary and compliance requirements after cybersecurity incidents

As the Emergency Response Plan provides a summary and assessment mechanism, companies should keep open communication with administrative departments to assist with the completion of an investigation report, which includes a summary of the cause, nature, and severity of the security incident, along with proposed improvement measures. We also suggest that companies review their internal cybersecurity systems and standards comprehensively as a preventive measure.

3. How should companies deal with cybersecurity incidents?

In general, companies should:

  • Treat all cybersecurity incidents as potentially severe. It is important to undertake a complete assessment and not deal with incidents hastily or based on initial judgment.
  • Take measures to control the situation after incidents occur, and evaluate the possibility of further breaches or data leaks.
  • Make an initial evaluation of the impact and severity level of the cybersecurity incident promptly, inform competent authorities and data owners affected, and take measures to prevent further breaches or data leaks.
  • Actively cooperate with investigations by competent authorities, and consult with authorities before publishing details of an incident.
  • Preserve evidence that can be used to find the cause and nature of the incident, as well as the remedial actions which should be taken.
  • Ensure an appropriate and full record of the incident is taken, especially actions taken to control and mitigate the damage caused by the incident.

Key steps in an early response plan for cybersecurity incidents

Step 1: Contain, assess and identify

  • Take measures to contain the breach 
  • Undertake a preliminary assessment 
  • Identify parties to be notified.

Step 2: Evaluate the risks and decide on immediate actions

  • The type of the data leaked 
  • The context of the data leaked 
  • The cause and extent of the data leaked 
  • The risk of serious harm to the affected individuals caused by the data leak. 

Step 3: Fulfill notification duties

  • Decide on appropriate notification procedure
  • Identify information to include in the formal notification.

With Trojans, phishing sites, DDoS attacks and other non-traditional cybersecurity threats on the rise, network operators and businesses face serious challenges when protecting their information systems, networks and user data.

To reduce compliance risk and ensure your company is protected from cyber intrusions, we suggest enhancing software security and ensuring that the hardware used in network systems for daily operations is up to date. Companies should also set up an integrated emergency response plan and educate employees on cybersecurity risks. 

When cybersecurity incidents occur, companies should promptly take action, seek professional advice, fulfill notification duties according to relevant laws and regulations, cooperate with official investigations, and try to reduce risks and damages.  After cybersecurity incidents occur, companies should actively fix system bugs, strengthen network security and improve internal response mechanisms. They must also ensure their security systems and standards comply with relevant laws and regulations.

Cybersecurity incidents can occur suddenly and unexpectedly. If your company faces an intrusion or cyber incident, we can provide urgent assistance to help with your response.
