|
Article 13
|
Upon becoming aware of a cyber security incident, a specific non-government agency shall, within the following timeframes, complete damage-control or recovery operations and notify in the manner prescribed by the central competent authority in charge of the relevant sector:<br/>1. Within 72 hours after becoming aware of a level 1 or level 2 cyber security incident.<br/>2. Within 36 hours after becoming aware of a major cyber security incident.<br/>After completing the damage-control or recovery operations under the preceding paragraph, the specific non-government agency shall continue the investigation and handling of the cyber security incident and shall submit an investigation, handling, and corrective action report within one month in the manner designated by the central competent authority in charge of the relevant sector.<br/>The timeframe for submission of the investigation, handling, and corrective action report under the preceding paragraph may be extended with the consent of the central competent authority in charge of the relevant sector.<br/>The investigation, handling, and corrective action report referred to in Paragraph 2 shall include the matters specified in Article 12 of the Enforcement Rules of the Act.<br/>Where the central competent authority in charge of the relevant sector deems it necessary, or finds any non-compliance with regulatory requirements, impropriety, or other matter requiring correction in the damage-control or recovery operations under Paragraph 1 or in the report submitted under Paragraph 2, it may require the specific non-government agency to provide explanations and make adjustments.<br/>Upon reviewing the investigation, handling, and corrective action report on a major cyber security incident submitted by the specific non-government agency, the central competent authority in charge of the relevant sector shall submit the report to the competent authority. Where the competent authority deems it necessary, or finds any non-compliance with regulatory requirements, impropriety, or other matter requiring correction, it may require the specific non-government agency to provide explanations and make adjustments.
|