Regulations Governing the Reporting, Response and Drills for Cyber Security Incidents

Amended Date: 2026.01.05 
   Chapter III. Reporting and Response of Cyber Security Incidents by Specific Non-Government Agencies
Article 11
A specific non-government agency shall, within one hour after becoming aware of a cyber security incident, report the matter in the manner designated by the central competent authority in charge of the relevant sector.
Where the level of the cyber security incident changes under the preceding paragraph, the specific non-government agency shall continue to update the report in accordance with the preceding paragraph.
Where reporting cannot be made in the manner specified in Paragraph 1 for any reason, the specific non-government agency shall report in another appropriate manner within the prescribed timeframe and state the reason why it was unable to report in the prescribed manner.
After the reason for being unable to report in the manner required under Paragraph 1 has been eliminated, the specific non-government agency shall report the matter retroactively in the prescribed manner.
Article 12
After a specific non-government agency has completed reporting of a cyber security incident, the central competent authority in charge of the relevant sector shall complete its review of the incident level within the following timeframes, and may change the level based on the review results:
1. Within eight hours after receipt of a report of a level 1 or level 2 cyber security incident.
2. Within two hours after receipt of a report of a major cyber security incident.
After completing the review under the preceding paragraph, the central competent authority in charge of the relevant sector shall, within one hour, submit the review results, the basis for the review, and other necessary information to the competent authority in the manner specified by the competent authority.
Upon receipt of the information under the preceding paragraph, the competent authority may review the incident level and change it accordingly. However, where it deems it necessary, or where the central competent authority in charge of the relevant sector fails to report the review results as required, the competent authority may directly review the cyber security incident and change its level.
Article 13
Upon becoming aware of a cyber security incident, a specific non-government agency shall, within the following timeframes, complete damage-control or recovery operations and notify in the manner prescribed by the central competent authority in charge of the relevant sector:
1. Within 72 hours after becoming aware of a level 1 or level 2 cyber security incident.
2. Within 36 hours after becoming aware of a major cyber security incident.
After completing the damage-control or recovery operations under the preceding paragraph, the specific non-government agency shall continue the investigation and handling of the cyber security incident and shall submit an investigation, handling, and corrective action report within one month in the manner designated by the central competent authority in charge of the relevant sector.
The timeframe for submission of the investigation, handling, and corrective action report under the preceding paragraph may be extended with the consent of the central competent authority in charge of the relevant sector.
The investigation, handling, and corrective action report referred to in Paragraph 2 shall include the matters specified in Article 12 of the Enforcement Rules of the Act.
Where the central competent authority in charge of the relevant sector deems it necessary, or finds any non-compliance with regulatory requirements, impropriety, or other matter requiring correction in the damage-control or recovery operations under Paragraph 1 or in the report submitted under Paragraph 2, it may require the specific non-government agency to provide explanations and make adjustments.
Upon reviewing the investigation, handling, and corrective action report on a major cyber security incident submitted by the specific non-government agency, the central competent authority in charge of the relevant sector shall submit the report to the competent authority. Where the competent authority deems it necessary, or finds any non-compliance with regulatory requirements, impropriety, or other matter requiring correction, it may require the specific non-government agency to provide explanations and make adjustments.
Article 14
The central competent authority in charge of the relevant sector shall, as circumstances require, provide necessary support or assistance with respect to the reporting and response operations for cyber security incidents carried out by the specific non-government agencies under its jurisdiction.
The competent authority shall, as circumstances require, provide necessary support or assistance for the response operations for cyber security incidents carried out by specific non-government agencies.
After a specific non-government agency becomes aware of a major cyber security incident, its Chief Information Security Officer shall convene a meeting to discuss relevant matters and may request relevant agencies to provide assistance.