China
Government Structure
Do they designate a lead cyber security agency within the government? Yes: the Cyberspace Administration of China.
Is oversight provided on a centralized or sectoral basis? Sectoral. The CAC interviews representatives of operators and indicates when their practices are not in line with policy; the MIIT issues notifications to carry out administrative checks on security in telecommunications and internet entities; local telecommunications authorities notify entities that fail to implement security obligations; and authorities for various industries supervise privacy violations, e.g., the People's Bank of China in the banking industry. See Hongquan Yang, Privacy Data Protection and Cybersecurity Law Review (2019) at pg. 130-31.
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? At least seven sectors: public communication and information services, power, traffic, water resources, finance, public service, e-government. See Hongquan Yang at pg. 133.
How do they designate within these sectors? Unclear. As yet, China has not passed sufficient regulations to fully define which sectors fall under CII, much less how designation works within these sectors. However, it looks likely to be the whole sector. See Hongquan Yang at pg. 133.
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? The CSL defines a number of strict data localization rules and other regulations for, in particular, CII. Further requirements are tiered by risk level. See Hongquan Yang at pg. 127-28.
Does it take a risk-based approach? Yes. CII, considered the highest risk, has the most extensive security requirements. The Specification's standards around personal information protection are also risk-based. The draft Multi-Level Protection Scheme (MLPS) defines different risk levels based on the potential damage to Chinese society. See Dan Swinhoe, China’s MLPS 2.0: Data grab or legitimate attempt to improve domestic cybersecurity?, CSO (Oct. 18, 2019).
Do the security measures enable the use of international standards? Not directly.
Are security measures NIST CSF compatible? (Possible to comply through this approach?) An entity can comply with both; however, Chinese law requires significant action above and beyond the NIST CSF, especially as it relates to data localization and government action. See Dan Swinhoe, China’s MLPS 2.0: Data grab or legitimate attempt to improve domestic cybersecurity?, CSO (Oct. 18, 2019).
Do they include prescriptive or technology-based security measures? Likely yes. High-risk data must be managed under infrastructure and network approved by the Chinese government, which would likely be technology-biased. See Simone McCarthy, Will China’s revised cybersecurity rules put foreign firms at risk of losing their secrets?, South China Morning Post (Oct. 13, 2019).
Incident Reporting
Are there mandatory incident reporting requirements? Yes. The Cybersecurity Law requires reporting on incidents in which personal information is leaked, lost, or distorted. Cybersecurity Law of the People’s Republic of China (CSL), Article 42 (Effective June 1, 2017). Furthermore, the Regulation for the Protection of Computer Information Systems requires reporting any case arising from a computer system within 24 hours. Regulations on Safeguarding Computer Information Systems, Article 14 (Feb. 1996).
Are there clear thresholds above which an incident should be reported? No, thresholds are not clear.
How do they determine the timeline within which an incident must be reported? The Regulation for the Protection of Computer Information Systems requires reporting within 24 hours, but the timeline under the CSL is less clear.
Threat Information Sharing
Have they established a national threat information sharing entity? China established the China National cyber Threat Intelligence Collaboration (CNTIC) in 2017, but there is little public information available about it. CNTIC was supposed to be administered by the Ministry of Industry and Information Technology (MIIT). See Jian Jie, China’s first cyber threat intelligence sharing platform expected to further upgrade nation’s cyber defense, People's Daily Overseas New Media (Jan. 18, 2019).
Does this entity share information out to industry, as well as receiving information? Unclear.
Is threat information sharing mandatory for any private sector entity? Unclear, at least as it relates to non-incidents. This may change with new drafts of related regulations.
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? The Regulation on Internet Security Supervision and Inspection by Public Security Organs requires allowing on-site inspection, at which at least two local police officers and local agency staff must be present. Inspectors have full access to the data and the hardware, and can copy any data they find.
Are there requirements to cede control of facilities in an emergency situation? Likely yes, given the requirement to allow physical access to facilities and access to data.
Are there requirements to provide source code or other decryption capabilities? Article 18 of the Anti-Terrorism Law requires telecom and internet providers to provide decryption and other support and assistance for the prevention and investigation of terrorist activities. See Glyn Moody, China’s new anti-terror law: No backdoors, but decryption on demand, Ars Technica (Dec. 29, 2015).
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? Currently, de jure localization requirements focus on data localization, but for practical purposes businesses need a local presence in the form of an office or personnel.
Are there requirements to localize data? Yes: The CSL requires the localization of CII data, and particular industries have also passed data localization restrictions, including banking, insurance, credit investigation, mail, medicine, taxis, map services, and civil aviation. See Hongquan Yang at pg. 131-313.
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? Yes: Penalties for violating the Law are clearly stated, and include a maximum fine of up to RMB1,000,000. See Overview of China’s Cybersecurity Law (Feb. 2017).
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Penalties for violating the Law are clearly stated, and include: the suspension of business activities and/or the closing of businesses or the revocation of licences. See Overview of China’s Cybersecurity Law (Feb. 2017).
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Cybersecurity Law (CSL) was enacted by the Standing Committee of the National People's Congress on November 7, 2016 and was implemented on June 1, 2017. See English translation.
Japan
Government Structure
Do they designate a lead cyber security agency within the government? Yes: NISC (National center of Incident readiness and Strategy for Cybersecurity). See Cybersecurity Policy at 4, 50-51.
Is oversight provided on a centralized or sectoral basis? Centralized with sectoral intermediaries. See Cybersecurity Policy at Annex 4-2, 61.
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? 14 Sectors: Information and communications; finance; aviation; airports; railway; electric power supply; gas supply; government and administration; medical; water; logistics; chemical industries; credit cards; and petroleum industries. See Summary of Cyber Security Policy (Revised July 25, 2018).
How do they designate within these sectors? Within sectors, the Cybersecurity Policy designates applicable CI operators. See Cybersecurity Policy, Annex 1, 54. These operators are subject to change when the Cybersecurity Policy is revised.
There are examples of critical information systems within each sector and under applicable operator, see id., but those examples are not exclusive. CI services are defined as "Services and/or a set of procedures provided by CI operators necessary to utilize those services that are designated as those to be protected in particular for each CI sector, taking into account the extent of their impact on national life and economic activities." Id. at Annex 5, 63.
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. "Safety principles" are broken into those 1) prescribed by law; 2) recommended by law; 3) stipulated by industrial organizations; and 4) stipulated by CI operators themselves. Legal requirements are sector-specific. See Guidelines for Establishing Safety Principles, 2.
Does it take a risk-based approach? Yes. The Guidelines for Safety Principles instruct CI operators to analyze their specific security risks, risk attitude, and risk tolerance, among other factors, to determine an appropriate way to manage their security. See Guidelines for Establishing Safety Principles, 11-12.
Do the security measures enable the use of international standards? Yes. The Guidelines for Safety Principles specifically reference ISO/IEC 27000 and IEC 62443-2-1 as security management standards. See Guidelines for Establishing Safety Principles, 12.
Are security measures NIST CSF compatible? (Possible to comply through this approach?) The Guidelines for Safety Principles specifically reference, for example, the Framework for Improving Critical Infrastructure Cybersecurity from NIST as a reference providing security management measures. See Guidelines for Establishing Safety Principles, 12.
Do they include prescriptive or technology-based security measures? No.
Incident Reporting
Are there mandatory incident reporting requirements? Generally, yes. Relevant laws by sector require some incident reporting, including, for example, reporting suspension of business under Article 28 of the Telecommunications Business Act. See Cybersecurity Policy, Annex 2, page 55.
Are there clear thresholds above which an incident should be reported? It depends on the sector. As above, incident reporting requirements are dictated by sector-specific laws. These reports are generally described as reporting "outages." See Cybersecurity Policy, Annex 2, 55.
How do they determine the timeline within which an incident must be reported? Varies by sector.
Threat Information Sharing
Have they established a national threat information sharing entity? Yes: NISC (National center of Incident readiness and Strategy for Cybersecurity). See Cybersecurity Policy, 4, 50-51.
Does this entity share information out to industry, as well as receiving information? Yes, if the Cabinet Secretariat determines information falls under the following:
"(i) Cases where the obtained information is regarding a security hole, program bug, etc. and it is recognized that serious problems related to said information may occur at other CI operators
"(ii) Cases where there is a cyber-attack or advance notice of such an attack, where there are predicted damages from a disaster, or where it is otherwise recognized that the information poses a risk to the critical information systems of other CI operators
"(iii) Other cases where information sharing is considered to be effective for CI operators' cybersecurity measures."
See Cybersecurity Policy, 52.
Is threat information sharing mandatory for any private sector entity? CI operators are to report events in any of the following circumstances:
"(i) Cases where the relevant event requires a report to responsible ministries for CI under laws and regulations
"(ii) Cases where stakeholders recognize the relevant event's serious impact on national life and CI services, and where the relevant CI operator considers it appropriate to share information of said event
"(iii) Other cases where the relevant CI operator considers it appropriate to share information on the relevant event."
See Cybersecurity Policy, 50.
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? No.
Are there requirements to cede control of facilities in an emergency situation? No.
Are there requirements to provide source code or other decryption capabilities? No.
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? No.
Are there requirements to localize data? No.
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? Not generally applicable, but there may be sectoral penalties.
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Not generally applicable, but there may be sectoral penalties.
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Cybersecurity Policy was first enacted on April 18, 2017 and was revised July 25, 2018. The Guidelines for Safety Principles went into effect on April 4, 2018.
Singapore
Government Structure
Do they designate a lead cyber security agency within the government? Yes. The Cyber Security Agency of Singapore (CSA).
Is oversight provided on a centralized or sectoral basis? Centralized. The Cybersecurity Act of 2018 (the "Act") confers on the Commissioner of Cybersecurity broad oversight, advisory, and investigatory authority. The Act also authorizes the Commissioner to appoint existing regulators to serve as Assistant Cyber Commissioners for their respective sectors. See Cybersecurity Act 2018, Part 4.
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? 11 Sectors. Energy, Info-communications, Water, Healthcare, Banking and Finance, Security and Emergency Services, Aviation, Land Transport, Maritime, Government, Media. See Cybersecurity Act 2018, First Schedule.
How do they designate within these sectors? The Commissioner of Cybersecurity is responsible for designating a computer or computer system as a CII. See Cybersecurity Act 2018, Part 7.
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. The owner of a CII must perform an audit of compliance with the CII requirements in the Cybersecurity Act 2018 every 2 years. See Cybersecurity Act 2018, Part 15.
Does it take a risk-based approach? Yes. See Cybersecurity Act 2018, Part 6.
Do the security measures enable the use of international standards? Yes. "The government has publicly stated that, in the implementation of the Cybersecurity Act, it will take reference from internationally recognized standards when developing codes of practice and standards of performance for different sectors." See Drew & Napier LLC, Cybersecurity in Singapore, Lexology (Apr. 29, 2019).
Are security measures NIST CSF compatible? (Possible to comply through this approach?) While the Act does not provide detailed standards, the Act does authorize the Commissioner to issue "codes of practice or standards of performance for the regulation of the owners of critical information infrastructure." See Cybersecurity Act 2018, Part 11.
Do they include prescriptive or technology-based security measures? The Cybersecurity Act is on its face technology-neutral but gives the Commissioner broad authority to issue codes of practice and standards of performance to ensure the cybersecurity of CII.
Incident Reporting
Are there mandatory incident reporting requirements? Yes. For CIIs, the owner must notify the Commissioner of Cybersecurity of the occurrence "within the prescribed period." See Cybersecurity Act 2018, Part 14.
Are there clear thresholds above which an incident should be reported? Yes. CII owners must notify the Commissioner of the occurrence of the following: (1) the unauthorized hacking of a CII; (2) the installation or execution of unauthorized software or code on a CII; (3) man-in-the-middle attacks, session hijacks or other unauthorized interception of communication between a CII and an authorized user; and (4) denial-of-service attacks. See CSA Incident Reporting; see also Cybersecurity Act 2018, Part 14.
How do they determine the timeline within which an incident must be reported? The prescribed period is set out in Regulation 5 of the CII Regulations, which requires a CII owner to notify the Commissioner of the occurrence of a prescribed cybersecurity incident in the required form within two hours after becoming aware of the occurrence, and provide supplemental details within 14 days of the initial submission. See Cybersecurity Act 2018, Part 5.
Threat Information Sharing
Have they established a national threat information sharing entity? No. There is currently no governmental body that coordinates national threat information sharing. CSA has worked with other agencies, like the Financial Services Information Sharing and Analysis Centre (FS-ISAC), in the past to keep up to date on threat information. See Aaron Tan, Singapore to bolster threat intelligence sharing in financial sector, ComputerWeekly (July 18, 2018).
Does this entity share information out to industry, as well as receiving information? N/A
Is threat information sharing mandatory for any private sector entity? N/A
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? Yes. If the incident is classified as severe, the Commissioner or other authorized official may, after "giving reasonable notice," enter the premises where the CII is located. See Cybersecurity Act 2018, Part 20.
Are there requirements to cede control of facilities in an emergency situation? No.
Are there requirements to provide source code or other decryption capabilities? No.
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? No.
Are there requirements to localize data? No.
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? Yes. A CII owner that fails to comply with the reporting requirements of the Cybersecurity Act 2018 may be liable for a fine up to $100,000. A CII owner that fails to comply with the auditing/risk assessment requirements of the Cybersecurity Act 2018 may be liable for up to $25,000 (or more if the offense is continuing). Additionally, any owner which does not comply with the Commissioner's cybersecurity exercises may be liable for a fine up to $100,000. See Cybersecurity Act 2018, Part 14.
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Yes. A CII owner that fails to comply with the reporting requirements of the Cybersecurity Act 2018 may be imprisoned for up to 2 years. A CII owner that fails to comply with the auditing/risk assessment requirements of the Cybersecurity Act 2018 may be imprisoned for up to 12 months. See Cybersecurity Act 2018, Parts 14-15.
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Cybersecurity Act of 2018 was published on March 16, 2018.
India
Government Structure
Do they designate a lead cyber security agency within the government? Yes. The National Critical Information Infrastructure Protection Centre (NCIIPC).
Is oversight provided on a centralized or sectoral basis? Sectoral. The basic responsibility for protecting a CII system lies with the agency running that CII. See NCIIPC, About Us; NCIIPC, Guidelines for Identification of Critical Information Infrastructure (August 2019).
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? Critical Sectors are defined as sectors which are critical to the nation and whose incapacitation or destruction will have a debilitating impact on national security, economy, public health or safety. See NCIIPC, Guidelines for Identification of Critical Information Infrastructure (August 2019).
How do they designate within these sectors? Individual. The appropriate government department may, by notification in the Official Gazette, declare any computer resource which directly or indirectly affects the facility of a CII to be a "Protected System." See NCIIPC, Guidelines for Identification of Critical Information Infrastructure (August 2019).
Organizations have to make decisions on how to audit their IT infrastructure to determine what is critical and non-critical. See NCIIPC, Standard Operating Procedure (June 2017).
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. Every Protected System must form an Internal Audit team to conduct an internal cyber security audit every 6 months. They also must conduct an external audit by a private or government auditor every year, or whenever there is an upgrade or change in IT infrastructure/application/system software. See NCIIPC, Standard Operating Procedure (June 2017).
Does it take a risk-based approach? Yes. A Vulnerability/Threat/Risk (VTR) assessment of enterprise wide cyber architecture must be part of the corporate planning/strategy. The resulting residual risk must have clear and unambiguous sign off from senior management. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure, (January 2015).
Do the security measures enable the use of international standards? Yes. International standards and guidelines were adapted to achieve efficient Information Security Infrastructure (specifically cites ISO27001 ISMS and NERC-CIP). See NCIIPC, Standard Operating Procedure (June 2017).
Are security measures NIST CSF compatible? (Possible to comply through this approach?) Generally, yes. While it is not clear that NCIIPC has adapted its framework to the NIST Framework alone, the NCIIPC does require organizations to "evaluate correctness, consistency and completeness of their Security Policies with respect to standards such as . . . National Institute of Standards and Technology." See NCIIPC, Framework for Evaluating Cyber Security in Critical Information Infrastructure.
Do they include prescriptive or technology-based security measures? No. The framework is, on its face, technology neutral. The identification and assessment of CII is based on outcome-based parameters.
Incident Reporting
Are there mandatory incident reporting requirements? It depends on the sector. There are no generally applicable requirements under the NCIIPC Framework, but there are sectoral requirements.
The Indian Computer Emergency Response Team ("CERT") Rules, which were issued under the IT Act, impose mandatory notification requirements on service providers, intermediaries, data centers and corporate entities, upon the occurrence of certain cybersecurity incidents. See 2014 Information Technology Rules, §§ 70(b)(6)-(7), 12(1)(a). See also Ministry of Electronics and Information Technology, Report and Contribute to a Secure and Safe Digital India (2013).
Are there clear thresholds above which an incident should be reported? Not generally, but it depends on the sector. Under the IT Act, "Cyber Security Incident" is defined as "any real or suspected adverse events, in relation to cybersecurity, that violate any explicitly or implicitly applicable security policy, resulting in unauthorized access, denial of service or disruption, unauthorised use of computer resources for processing or storage of information or changes to data, and information without authorisation." See 2014 Information Technology Rules, § 70(h).
How do they determine the timeline within which an incident must be reported? Under the IT Act, incidents must be reported to CERT "as early as possible to leave scope for action." See 2014 Information Technology Rules, § 12(1)(a).
Threat Information Sharing
Have they established a national threat information sharing entity? Yes. The NCIIPC. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure, (January 2015).
Does this entity share information out to industry, as well as receiving information? Yes. The NCIIPC receives feedback from NCII constituents and adjusts controls and guidelines. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure, (January 2015).
Is threat information sharing mandatory for any private sector entity? No. See NCIIPC, Guidelines for Protection of Critical Information Infrastructure, (January 2015).
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? No. However, organizations must allow the government to perform systematic technical audits of IT infrastructure. See NCIIPC, Standard Operating Procedure (June 2017).
Are there requirements to cede control of facilities in an emergency situation? No.
Are there requirements to provide source code or other decryption capabilities? Yes, under the IT Act, the Central Government may, for secure use of the electronic medium and for promotion of e-governance and e-commerce, prescribe the modes or methods for encryption. Furthermore, "[t]he subscriber or intermediary or any person in charge of the computer resource shall, when called upon by any agency which has been directed under sub section (1), extend all facilities and technical assistance to intercept or monitor or decrypt the information, as the case may be." See Information Technology Act, §§ 69(3)(a), 84A.
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? No.
Are there requirements to localize data? Only for payment systems. The Reserve Bank of India promulgated rules in 2018 that required that data collected be localized within six months. See Kalika Likhi, India’s data localization efforts could do more harm than good, Atlantic Council (Feb. 1, 2019).
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? Yes. There are several penalties listed in the Information Technology Act. Some are applicable here. Entities are required to pay damages as compensation for failure to protect data, not to exceed five crore rupees. There are also penalties for failure to furnish information to authorities. See Information Technology Act, §§ 43A, 44.
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Yes. There are several offenses listed in the Information Technology Act. Only a few are applicable here. Failure to provide interception/monitoring/decryption access to a computer to government officials when they determine it is in the interest of India can result in imprisonment up to 7 years. Failure to supply information to NCIIPC when asked can result in imprisonment for up to 1 year or a fine. See Information Technology Act, §§ 69, 70B.
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Information Technology Act was notified on October 17, 2000. It was amended on February 5, 2009.
Indonesia
Government Structure
Do they designate a lead cyber security agency within the government? The draft legislation designates the National Cyber and Encryption Agency (Badan Siber dan Sandi Negara, "BSSN"). See Draft Law Concerning Cyber Security and Resilience (Draft Cyber Law), Article 1, Paragraph 18.
Is oversight provided on a centralized or sectoral basis? Centralized. Under the draft legislation, the BSSN is empowered to provide general cybersecurity oversight. See, e.g., Draft Cyber Law, Article 16.
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? The draft law includes critical information infrastructure as part of a broader category of "national cyber infrastructures," which also include national digital infrastructures, electronic-based government administration infrastructures, and other electronic system infrastructures in accordance with the laws and regulations. These sectors are to be designated by regulations under the BSSN. See Draft Cyber Law, Article 12, paragraphs 1-4.
How do they designate within these sectors? Designation within sectors is to be determined by the BSSN. See Draft Cyber Law, Article 10, paragraph 4.
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. Every "cyber security and resilience provider" must mitigate "cyber threat risks" to protect the "object of cyber security" by taking seven specific steps outlined in the law, as well as under "specific standards set by BSSN" yet to be determined. See Draft Cyber Law, Articles 12-13. Additionally, Article 14 prescribes specific steps in responding to a cyber incident or cyber attack, and Article 16 requires compliance with "specific standards set by BSSN" yet to be determined in these threat responses.
Does it take a risk-based approach? Yes. Cyber threats will be placed into four categories: no hazard, low hazard, medium hazard, and high hazard, to be defined by regulation. See Draft Cyber Law, Article 15.
Do the security measures enable the use of international standards? No. Indonesia's cybersecurity draft legislation is very prescriptive, and directs compliance with strict steps outlined in the law itself, see Draft Cyber Law, Articles 12 and 14, and "specific standards set by BSSN," see Draft Cyber Law, Articles 13, 15-16.
Are security measures NIST CSF compatible? (Possible to comply through this approach?) No. The requirements of the draft legislation are specific and stringent, and therefore incompatible with NIST CSF. See, e.g., Draft Cyber Law, Articles 12(2), 13(1), 14(2).
Do they include prescriptive or technology-based security measures? Yes. While it is not yet clear whether the framework is technology-biased as the full regulations have yet to be written, the security measures are prescriptive. See, e.g., Draft Cyber Law, Articles 12(2), 13(1), 14(2).
Incident Reporting
Are there mandatory incident reporting requirements? Yes.
Are there clear thresholds above which an incident should be reported? Yes. Every "cyber incident" or "cyber attack" must be reported. See Draft Cyber Law, Article 14(2). A "cyber incident" is defined as a "Cyber Threat causing a Cyber electronic system to malfunction," Article 1(5), and a "cyber attack" is defined as a "Cyber Threat causing an object of Cyber security to be inoperable, in part or in whole, and/or temporarily or permanently," Article 1(6). A "Cyber Threat" is defined as "all attempts, activities, and/or actions, whether domestic or foreign, considered and/or proven to possibly weaken, harm, and/or impair Indonesia’s Cyber Interest." Article 1(4).
How do they determine the timeline within which an incident must be reported? As of yet, there is no timeline required under the draft legislation. See Draft Cyber Law, Article 14(2)(b).
Threat Information Sharing
Have they established a national threat information sharing entity? No. While entities are required to report incidents and attacks to BSSN, there is no requirement or indication of broader threat information sharing. See Draft Cyber Law, Article 14(2)(b).
Does this entity share information out to industry, as well as receiving information? N/A
Is threat information sharing mandatory for any private sector entity? No. Incident and attack reporting is mandatory, but there is no mandate for broader information sharing. See Draft Cyber Law, Article 14(2)(b).
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? Not specifically. However, the draft legislation provides that BSSN has the authority to "conduct investigations, prosecutions, and impose administrative sanctions," Draft Cyber Law, Article 44(f), and "perform assessment, testing, penetration of electronic system access security, and/or audit of Cyber Security and Resilience," Article 44(g), which could be interpreted to require access for these purposes.
Are there requirements to cede control of facilities in an emergency situation? No. There is not a specific requirement that entities cede control of facilities in emergencies in the draft legislation.
Are there requirements to provide source code or other decryption capabilities? No. There is not a specific requirement to provide source code or decryption to the government in the draft legislation; however, implementing regulations would provide further security requirements to entities. Additionally, under a separate regulation, a private electronic service operator (ESO) must provide access to its system and data for supervision and law enforcement purposes. See GR 71/2019 Article 21; see also Agus Ahadi Deradjat, Indonesia Issues Important New Regulation on Electronic (Network and Information) Systems, Lexology (Oct. 30, 2019).
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? No. The draft legislation does not require a local presence.
Are there requirements to localize data? No as to the draft legislation, but in some cases as to electronic information systems generally. A private electronic service operator (ESO) may only locate its data and/or system outside of Indonesia if the location does not diminish supervision by state ministries or law enforcement, and the entity provides access to the system and data for supervision and law enforcement purposes. See GR 71/2019 Article 21; see also Agus Ahadi Deradjat, Indonesia Issues Important New Regulation on Electronic (Network and Information) Systems, Lexology (Oct. 30, 2019).
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? Yes. The draft legislation contemplates the imposition of an administrative fine if the legislation's standards in mitigation and incident response are not met, see Draft Cyber Law, Article 22, if a certified cyber device is not used, see Article 23, if a cyber security provider operates without a license or accreditation, see Articles 24-25, or if a professional organization issues a certificate of professional competency without accreditation, see Article 26, but it does not specify the amount.
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? No. While the draft legislation does contain a criminal section, it indicates criminal sanctions for causing interference or malfunctioning of national cyber infrastructures, or for creating or distributing a device to do so, not for failing to meet cybersecurity requirements. See Draft Cyber Law, Articles 68-72.
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? Currently, Indonesia's key cybersecurity law is in a draft stage only.
South Korea
Government Structure
Do they designate a lead cyber security agency within the government? Yes. The National Cyber Security Center, which is a center of the National Intelligence Service. The Center works closely with the Korea Internet & Security Agency (KISA), which is a sub-organization within the Ministry of Science and ICT.
Is oversight provided on a centralized or sectoral basis? Sectoral. CIIs are overseen by the central administrative agencies which designated them as CIIs. See Act on the Protection of Information and Communications Infrastructure, Article 5-8.
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? Under PICIA, the law provides a nonexhaustive list of what is considered critical infrastructure: "The term 'information and communications infrastructure' means electronic control and management system related to the national security, administration, defense, public security, finance, communications, transportation, energy, etc. and information and communications network under Article 2 (1) 1 of the Act on Promotion of Information and Communications Network Utilization and Information Protection, etc." See Act on the Protection of Information and Communications Infrastructure, Article 2(1).
How do they designate within these sectors? The heads of central administrative agencies have the authority to designate CIIs within their jurisdiction by considering 5 criteria listed in Act on the Protection of Information and Communications Infrastructure, Article 8, Section (1). The Minister of Security and Public Administration may designate information and communications infrastructure of an organization managed and supervised by the head of a local government as critical information and communications infrastructure, in consultation with the head of the local government, or revoke such designation. Act on the Protection of Information and Communications Infrastructure, Section (4).
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Yes. The head of a management organization is required to formulate and implement measures to protect critical information and communications infrastructure. These developed measures must be submitted to the relevant head of a central administrative agency. Any necessary measures required will be prescribed by Presidential Decree. See Act on the Protection of Information and Communications Infrastructure, Article 5.
Does it take a risk-based approach? Yes. Heads of management organizations are required to analyze and evaluate the vulnerabilities of critical information and communications infrastructure on a regular basis (as prescribed by Presidential Decree) and must take these evaluations into account when formulating security measures. See Act on the Protection of Information and Communications Infrastructure, Article 5, Article 9.
Do the security measures enable the use of international standards? While the Act on the Protection of Information and Communications Infrastructure does not specify whether organizations may comply using international standards, Article 26 of the Act provides that the Government "shall ascertain international trends concerning the protection of information and communications infrastructure and promote international cooperation." See Act on the Protection of Information and Communications Infrastructure, Article 26.
Are security measures NIST CSF compatible? (Possible to comply through this approach?) The Act on the Protection of Information and Communications Infrastructure provides very broad guidelines that may enable the use of NIST CSF, but NIST has not identified Korea as a compatible jurisdiction. See International Resources, Adaptations, NIST.
Do they include prescriptive or technology-based security measures? No.
Incident Reporting
Are there mandatory incident reporting requirements? Yes. When the head of a management organization "recognized that the occurrence of intrusion incidents has led to the disturbance, paralysis or destruction" of CIIs, the head must report to the relevant agency. See Act on the Protection of Information and Communications Infrastructure, Article 13.
Are there clear thresholds above which an incident should be reported? No.
How do they determine the timeline within which an incident must be reported? There is no mandatory timeline within which an incident must be reported pursuant to national guidelines.
Threat Information Sharing
Have they established a national threat information sharing entity? Yes. When the head of a management organization "recognized that the occurrence of intrusion incidents has led to the disturbance, paralysis or destruction" of CIIs, the head must report to the relevant agency. See Act on the Protection of Information and Communications Infrastructure, Article 13.
Does this entity share information out to industry, as well as receiving information? Yes. "NCSC and related organizations…can check the posted information and take responsive measures," indicating the NCSC also receives information. See NCSC Annual Review 2019, 19.
Is threat information sharing mandatory for any private sector entity? No.
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? No. The Committee may establish a Countermeasures Headquarters to provide support and for taking emergency measures. Any further matters concerning the "organization and operation of the Countermeasure Headquarters" are prescribed by Presidential Decree. See Act on the Protection of Information and Communications Infrastructure, Article 15.
Are there requirements to cede control of facilities in an emergency situation? Unclear. Pursuant to Article 7, "specialized institutions prescribed by Presidential Decree" may "provide technical support" where the Chairperson of the Committee believes that inadequate measures to protect critical information and communications infrastructure of a specific management organization are likely to cause harm to national security and the economy and society as a whole and therefore issues an order to supplement such measures. See Act on the Protection of Information and Communications Infrastructure, Article 7. However, "the Director of the National Intelligence Service shall not provide technological support to any information and communications infrastructure which stores personal information, such as financial information and communications infrastructure..." Id.
Are there requirements to provide source code or other decryption capabilities? No.
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? Yes. The Aug. 30, 2018 Amendment to the Network Act requires certain offshore information communication service providers which do not have an address or place of business in Korea to appoint a local representative responsible for Korean data privacy compliance. See Yulchon LLC, Amendments to the Network Act Coming into Effect in 2019, Lexology (Jan. 8, 2019).
Are there requirements to localize data? Yes. Under the current IT Networks Act, the transfer of Korean personal information by an IT service provider from Korea to an offshore country requires specific user consent. (As an exception, it suffices to disclose offshore transfers, typically in a privacy policy, insofar as the transfers are both "necessary" for the carrying out of the services and designed to enhance the user's convenience.) An August 30, 2018 amendment to the Network Act applies these same restrictions to onward transfers that take place after the initial offshore transfer of personal information. Korean regulators will be able to impose restrictions on the transfer of Korean PI to offshore IT service providers – online/connected services and goods – if and to the extent that those businesses' home jurisdictions restrict the transfer of PI overseas. See Kwang Hyun Ryoo et al., Korean data law amendments pose new constraints for cross-border online services and data flows, Lexology.
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? Yes. Any person who "disturbs, paralyzes, or destroys" CIIs can be punished by a fine up to 100 million won. Any person who "divulges any confidential information secret" can be fined up to 50 million won. Individuals may also be subject to administrative fines, up to 10 million won. See Act on the Protection of Information and Communications Infrastructure, Article 28.
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? Yes. Any person who "disturbs, paralyzes, or destroys" CIIs can be punished by up to 10 years imprisonment with labor. Any person who "divulges any confidential information secret" can be punished for up to 5 years imprisonment with labor. See Act on the Protection of Information and Communications Infrastructure, Article 28.
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Act on the Protection of Information and Communications Infrastructure was enacted on January 26, 2001 and last amended on Mar. 23, 2013. The Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act) was enacted on and last amended on August 30, 2018.
New Zealand
Government Structure
Do they designate a lead cyber security agency within the government? Yes. The National Cyber Security Centre (NCSC), which is part of the Government Communications Security Bureau (GCSB).
Is oversight provided on a centralized or sectoral basis? Sectoral. The agency head endorses and is accountable for information security within their agency. See Section 3.1.1., New Zealand Information Security Manual (NZISM).
Designation of Critical Infrastructure
Which sectors do they designate as critical information infrastructure? N/A
How do they designate within these sectors? N/A
Security Measures
Are there mandatory security measure requirements for CI, other than privacy/data protection laws? Generally no. New Zealand has a voluntary framework, with guidance such as the New Zealand Information Security Manual (NZISM). See NCSC Guidance (last visited Dec. 22, 2019). However, the Telecommunications (Interception Capability and Security) Act 2013 (TICSA) establishes certain obligations for telecommunications network operators. For example, TICSA creates the obligation for network operators to notify the GCSB of proposals (proposed decisions, courses of action or changes) in regard to certain parts of their network. Section 48, TICSA (2013).
Does it take a risk-based approach? Yes.
Do the security measures enable the use of international standards? Yes. The NZISM is consistent with a wide variety of risk management, governance, assurance and technical standards, including the ISO/IEC 2700x series, as well as IETF, OASIS, NIST and other recognized standards bodies. See NZ Information Security Manual, GCSB (last visited Dec. 12, 2019).
Are security measures NIST CSF compatible? (Possible to comply through this approach?) Yes. See NZ Information Security Manual, GCSB (last visited Dec. 12, 2019).
Do they include prescriptive or technology-based security measures? No.
Incident Reporting
Are there mandatory incident reporting requirements? No.
Are there clear thresholds above which an incident should be reported? N/A
How do they determine the timeline within which an incident must be reported? N/A
Threat Information Sharing
Have they established a national threat information sharing entity? Yes. The National Cyber Security Centre.
Does this entity share information out to industry, as well as receiving information? Yes
Is threat information sharing mandatory for any private sector entity? The Directors-General of the NZSIS and GCSB can only compel production of specified business records in accordance with a business records approval, granted by the Minister responsible for that agency and a Commissioner of Intelligence Warrants. An agency can only request specific information on a case-by-case basis by reference to an identified individual or thing (such as a phone number or IP address). The regime does not permit ‘bulk’ data access. See Fact Sheet No. 13: The Intelligence and Security Act 2017: Information sharing, Department of Prime Minister and the Cabinet.
Government Access Requirements
Are there requirements to provide government officials physical access to facilities? No.
Are there requirements to cede control of facilities in an emergency situation? No.
Are there requirements to provide source code or other decryption capabilities? No.
Localization Requirements
Are there requirements to establish a local presence - either officer or personnel? No.
Are there requirements to localize data? No.
Penalties
Are there financial penalties outlined? If so, what for and what is the maximum penalty? No.
Are there criminal penalties outlined? If so, what for and what is the maximum penalty? No.
Effective Dates
What are the effective dates and dates of enactment of the country's key cybersecurity statutes/regulations? The Intelligence and Security Act 2017, which sets out the functions, powers and duties of the GCSB, went into effect on March 28, 2017. The Telecommunications Interception Capability and Security Act (TICSA), which establishes obligations for New Zealand's telecommunications network operators in interception capability and network security, was enacted in 2013 and later updated on November 12, 2018.