
Chapter Content

Title:

Regulations Governing the Reporting, Response, and Drills of Cyber Security Incidents

Amended Date: 2026.01.05 
   Chapter III. The notification and response of cyber security incident of the specific non-government agency
Article 11 Upon awareness of the cyber security incident, the specific non-government agency shall conduct the notification of the cyber security incident within one hour in the manner as designated by the central competent authority in charge of the relevant sector.
In case of the change to the level of the cyber security incident under the preceding paragraph, the specific non-government agency shall continue the notification as provided for in the preceding paragraph.
When the notification conducted in the manner as specified in Paragraph 1 is prevented for any cause, the specific non-government agency shall conduct the notification in another appropriate manner within the timeframes prescribed under the same paragraph, and note the cause that prevented the notification from being conducted in the required manner.
After the cause that prevented the notification from being conducted in the manner required under Paragraph 1 is eliminated, the specific non-government agency shall supplement the notification in the same manner.
Article 12 After the specific non-government agency has completed the notifications of cyber security incident, the central competent authority in charge of the relevant sector shall complete verification of the level of such cyber security incident within the following timeframes, and may change its level according to the review results:
1. Within eight hours after receipt of the notification of a level-1 or level-2 cyber security incident.
2. Within two hours after receipt of the notification of a major security incident.
Once the central competent authority in charge of the relevant sector completes the review of a cyber security incident as required above, it must, within one hour, send the review findings, the grounds for the decision, and any other necessary information to the competent authority using the method specified by that competent authority.
Upon receipt of the documentation under the preceding paragraph, the competent authority may review the level of the cyber security incident, and may change its level. However, where it is deemed necessary, or where the agencies under the preceding paragraph fail to notify of the required review results, the competent authority may directly review such cyber security incident and may change its level.
Article 13 Upon awareness of the cyber security incident, the specific non-government agency shall complete damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner as designated by the central competent authority in charge of the relevant sector:
1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident.
2. Within thirty-six hours of the awareness of a major cyber security incident.
After completion of the damage control or recovery operation under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report within one month in the manner as designated by the central competent authority in charge of the relevant sector.
The timeframe of submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the central competent authority in charge of the relevant sector.
The investigation, management, and improvement report mentioned in Paragraph 2 shall include the items specified in Article 12 of the Enforcement Rules of the Act.
Where the central competent authority in charge of the relevant sector deems necessary or deems there is any non-compliance with regulatory requirement, improper matter or other matter to be improved in respect of the damage control or recovery operation under Paragraph 1 and the report submitted under Paragraph 2, it may require the specific non-government agency to give the explanation and make adjustment.
Upon review of the investigation, management, and improvement report on a major cyber security incident submitted by the specific non-government agency, the central competent authority in charge of the relevant sector shall submit such report to the competent authority; where the competent authority deems necessary, or deems there is any non-compliance with regulatory requirement, improper matter, or other matter to be improved, it may require the specific non-government agency to give explanation and make adjustment.
Article 14 The central competent authority in charge of the relevant sector shall provide necessary support or assistance in respect to the notification and response of cyber security incident implemented by the specific non-government agency under its authority, where circumstances so require.
The competent authority shall provide necessary support or assistance in respect of the response operation of the cyber security incident implemented by the specific non-government agency, where circumstances so require.
After the specific non-government agency becomes aware of a major cyber security incident, its Cyber Security Officer shall convene the meetings to discuss relevant matters, and may request relevant agencies to provide assistance.