
Title: Regulations on the Notification and Response of Cyber Security Incident

Amended Date: 2021.08.23 
Article 13

Upon awareness of the cyber security incident, the specific non-government agency shall complete damage control or recovery operation within the following timeframes, and shall conduct the notification in the manner as designated by the central authority in charge of relevant industry:

1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident.
2. Within thirty-six hours of the awareness of a level-3 or level-4 cyber security incident.

After completion of damage control or recovery operation under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report within one month in the manner as designated by the central authority in charge of relevant industry.

The timeframe of submission of the investigation, management, and improvement report under the preceding paragraph may be extended with the consent of the central authority in charge of relevant industry.

If the central authority in charge of relevant industry deems necessary or deems there is any non-compliance with regulatory requirement, improper matter or other matter to be improved in respect of the damage control or recovery operation under Paragraph 1 and the report submitted under Paragraph 2, they may require the specific non-government agency to give the explanation and make adjustment.

Upon review of the investigation, management, and improvement report on a level-3 or level-4 cyber security incident submitted by the specific non-government agency, the central authority in charge of relevant industry shall submit such report to the competent authority; if the competent authority deems necessary, or deems there is any non-compliance with regulatory requirement, improper matter, or other matter to be improved, it may require the specific non-government agency to give explanation and make adjustment.