|
Article 13
|
Upon awareness of the cyber security incident, the specific non-government agency shall complete dam-age control or recovery operation within the following timeframes, and shall conduct the notification in the manner as designated by the central competent authority in charge of the relevant sector:<br/>1. Within seventy-two hours of the awareness of a level-1 or level-2 cyber security incident.<br/>2. Within thirty-six hours of the awareness of a major cyber security incident.<br/>After completion of the damage control or recovery operation under the preceding paragraph, the specific non-government agency shall continue the investigation and management of the cyber security incident, and shall submit the investigation, management, and improvement report within one month in the man-ner as designated by the central competent authority in charge of the relevant sector.<br/>The timeframe of submission of the investigation, management, and improvement report under the pre-ceding paragraph may be extended with the consent of the central competent authority in charge of the relevant sector.<br/>The investigation, management, and improvement report mentioned in Paragraph 2 shall include the items specified in Article 12 of the Enforcement Rules of the Act.<br/>Where the central competent authority in charge of the relevant sector deems necessary or deems there is any non-compliance with regulatory requirement, improper matter or other matter to be improved in re-spect of the damage control or recovery operation under Paragraph 1 and the report submitted under Paragraph 2, they may require the specific non-government agency to give the explanation and make ad-justment.<br/>Upon review of the investigation, management, and improvement report on a major cyber security inci-dent submitted by the specific non-government agency, the central competent authority in charge of the relevant sector shall submit such report to the competent authority; where the competent authority deems necessary, or deems there is any non-compliance with regulatory requirement, improper matter, or other matter to be improved, it may require the specific non-government agency to give explanation and make adjustment.
|