Why Two Reporting Standards?
Some of the confusion arising from the parallel drafts can be explained by the fact that the CAC and the MIIT have overlapping but separate regulatory mandates. The CAC is China’s cyber security regulator, with general authority over cyber security and data protection matters. The MIIT is China’s industry and technology regulator, with a jurisdiction that includes regulating the technology and telecommunications industries. Herein lies an important distinction: the Draft MIIT Response Plan would apply only to MIIT-regulated businesses. Another important distinction is that the Draft MIIT Response Plan is not focused solely on incident reporting. It would task the regulator with classifying each reported incident and issuing risk warnings, which are colour-coded red, orange, yellow or blue based on severity. It also outlines the procedures the MIIT would follow in collecting information from industry sources and activating emergency response plans. The objective of the Draft MIIT Response Plan is therefore to facilitate coordinated cyber incident response across the entire technology and telecommunications…


























