
Newsletter


Summary of the Amendments to the Cyber Security Management Act and the Impact thereof on Agencies
The Cyber Security Management Act (the "CSMA") was promulgated on June 6, 2018 and took effect on January 1, 2019; the Enforcement Rules of the CSMA and the relevant subordinate legislation also came into force on January 1, 2019. These laws and regulations have now been in place for nearly three years. In order to strengthen the security and protection of information and communications and to respond to practical operational needs, the Executive Yuan further amended the Enforcement Rules of the CSMA and its sub-laws, with the amendments promulgated on August 23, 2021. The following is a summary of the key provisions of the newly amended Enforcement Rules of the CSMA and its sub-laws and an analysis of their impact on agencies.

Regulatory framework under the CSMA

The CSMA governs the management of information and communications security by government agencies and specific non-government agencies (i.e., critical infrastructure providers, public utilities, and government-sponsored foundations) and the penalties for violations. The Enforcement Rules of the CSMA further define and set forth the specific rules, guidelines, and important terms of the CSMA; the following sub-laws of the CSMA translate the CSMA's higher-level regulatory policies into various enforcement action plans:

1. Regulations on Classification of Cyber Security Responsibility Levels

These Regulations classify the cyber security responsibility of government agencies and specific non-government agencies into five levels (A, B, C, D and E), and also regulate the management, technical, and awareness and training requirements that apply to government agencies and specific non-government agencies at each level.

2. Regulations on the Notification and Response of Cyber Security Incident

These Regulations specify the measures and time limits that government agencies and specific non-government agencies should take when they become aware of any cyber security incident.

3. Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency

These Regulations govern the establishment of the audit task force, the audit process, and the content of audit reports for the implementation of the cyber security maintenance plans of the specific non-government agencies selected by the competent authority (i.e., the Executive Yuan).

4. Cyber Security Information Sharing Regulations

These Regulations regulate the content, procedures, and methods of analysis, integration, and sharing of cyber security information (e.g., malicious detection or acquisition activities against information systems, cyber security vulnerabilities, actual damage or potential adverse effects caused by cyber security incidents, etc.) among government agencies, specific non-government agencies and the central authority in charge of the subject industry.

5. Rewards and sanctions for staff of government agencies on information and communications security matters

These rules provide a basis for government agencies to set their own benchmarks for rewards and penalties for their personnel in matters related to information and communications security.

Highlights and potential impact of the newly amended Enforcement Rules of the CSMA and the sub-laws of the CSMA promulgated on August 23, 2021

1. The Enforcement Rules of the CSMA

This round of amendment mainly revises Item 6 under Article 6, Paragraph 2 under Article 6, and Item 4 under Article 7 of the Enforcement Rules of the CSMA. The amendment to Paragraph 2 under Article 6 of the Enforcement Rules of the CSMA stipulates that a government agency must "obtain the consent of its supervising agency" before the stipulation, amendment and implementation of its cyber security maintenance plan as well as the implementation report thereof may be conducted by another government agency under such supervising agency. Meanwhile, a specific non-government agency must "obtain the consent of the central authority in charge of the subject industry" before the stipulation, amendment and implementation of its cyber security maintenance plan as well as the implementation report thereof may be conducted by such central authority, or a government agency under such central authority, or another specific non-government agency subject to the supervision of such central authority.

Impact of the amendment

This amendment provides the supervising authority of a government agency with the power to decide whether a cyber security matter originally tasked to that government agency may be carried out by another government agency under such supervising authority; likewise, it provides the central authority in charge of the subject industry of a specific non-government agency with the power to decide whether a cyber security matter originally tasked to that specific non-government agency may be carried out by such central authority, by a government agency under such central authority, or by another specific non-government agency subject to the supervision of such central authority. The amendment thus gives the supervising authorities of government agencies and the central authorities in charge of the subject industries more power over the stipulation, amendment and implementation of cyber security maintenance plans and their implementation reports, so that they can supervise the planning and execution of such plans by government agencies and non-government agencies.

2. Regulations on Classification of Cyber Security Responsibility Levels (the "Classification Regulations")

In addition to clarifying terms in the Classification Regulations (Articles 5 and 7), this amendment stipulates in Article 6 that information communications systems with access control and management features, whether procured and installed by an agency on its own or through a service provider, shall be classified at cyber security responsibility level C, because the cyber security risks involved in such systems require stricter controls.

2.1. Schedules I to VI

2.1.1.   Provisions banning the use of information communications products that could compromise national cyber security are deleted. The competent authorities will liaise with various agencies through the inter-ministerial coordination platform to communicate the restrictions on the use of products that could compromise national cyber security.

2.1.2. Government agencies and critical infrastructure providers with cyber security responsibility level A, B or C should implement the vulnerability alert and notification system (VANS); government agencies with cyber security responsibility level A or B shall also implement an endpoint detection and response system (EDR).

2.2. Schedule VII

Because information communications systems with access control and management functions are now classified at cyber security responsibility level C under the post-amendment Article 6 of the Classification Regulations, the technical cyber security protection requirements set forth in this Schedule (matters to be performed by agencies with cyber security responsibility level D) are deleted for such information communications systems "with mail servers".

2.3. Schedule VIII

Provisions banning the use of information communications products that could compromise national cyber security are deleted. The competent authorities will liaise with various agencies through the inter-ministerial coordination platform to communicate the restrictions on the use of products that could compromise national cyber security. 

2.4. Schedule X: Amendments to the provisions of the baseline controls for information and communications system protection regarding access control, audit and accountability, business continuity plan, identification and authentication, system and service acquisition, and system and communications protection.

Impact of the amendment

The most significant impact of this amendment on the practical side is the relevant amendments to Schedule X. The following paragraphs explain different aspects of this amendment.

Access Control:

This amendment imposes a duty on agencies to define, for the advanced control measures on account management, the period of inactivity or availability of each system and the usage and conditions of the information and communications system. Since each agency may apply different control measures to different types of official business, Schedule X defines the agency's responsibilities only in principle; the agency's own definitions and the appropriateness of its hierarchy of control measures will therefore test the auditing ability of the chief of cyber security of each government agency, the supervising authority, and the competent authority. In addition, the intermediate control measures contain indeterminate legal concepts such as "overdue" and "inactive". The explicit definitional responsibility this amendment assigns for the advanced control measures should arguably also apply to the intermediate control measures, so as to avoid doubts about their application caused by the absence of explicit definitions by the agencies.

Audit and Accountability ("Event Logs and Accountability" under this amendment)

This amendment changes the noun "audit" to "log" and the verb to "record", in order to distinguish this usage from the meaning of "audit" elsewhere in the Cyber Security Management Act and to better align with the purpose of Schedule X, which regulates the day-to-day information and communications system protection benchmarks of agencies.

Business Continuity Plan

This amendment provides for advanced and intermediate measures for system backup. Considering the diversity of backup practices (not only for "backup equipment"), provisions on "other means" are added to facilitate flexibility in implementation.

Identification and Authentication

This amendment mainly revises the general-level control measures for identity verification management to meet practical operational requirements, and changes the number of verification failures allowed under the third point from three to five.

System and Service Acquisition

In the requirements phase of the system development lifecycle, the original requirement to verify system security requirements (including confidentiality, availability, and integrity) "by means of checklists" is removed, leaving flexibility in how verification is carried out in practice. In the deployment and maintenance phase of the system development lifecycle, the original wording that agencies "shall pay attention to" version control and change management is amended to "shall perform" version control and change management, making clear that version control and change management are legal obligations rather than mere guidance.

Protection of System and Communications

Regarding the advanced control measures for data storage security, the original reference to "static information" is modified to "critical configuration files of the information communications systems" to specify the subject matter that should be encrypted or stored in other appropriate ways.

3. Regulations on the Notification and Response of Cyber Security Incident

The amendment extends the scope of supervision by supervising authorities or competent authorities from "investigation, handling, correction and reports on cyber security incidents after the completion of damage control or restoration operations by government agencies" to "handling of damage control or restoration operations after specific government authorities become aware of the cyber security incidents". Likewise, the scope of supervision by the central authority in charge of the subject industry of a specific non-government agency is extended from "the investigation, handling, correction and report on the cyber security incident after the specific non-government agency has completed the damage control or recovery operation" to "the damage control or recovery operation after the specific non-government agency becomes aware of the cyber security incident". In other words, this amendment strengthens the supervision mechanism of the supervising authority or competent authority of a government agency and of the central authority in charge of the subject industry of a specific non-government agency with respect to cyber security incidents, and also meets the requirements of ISO 27001, Annex A.16, on the management of information security incidents.

4. Regulations on Audit of Implementation of Cyber Security Maintenance Plan of Specific Non-Government Agency

This amendment gives government agencies flexibility in the schedule for auditing specific non-government agencies and in the composition of the audit team. The schedule has been changed from "quarterly" to "annually" for the selected specific non-government agencies, unless force majeure events require otherwise; the maximum number of audit team members is no longer set, only "three or more" being required; and the required ratio of government agency representatives has been revised downward (from no less than one-third to no less than one-fourth).

5. Cyber Security Information Sharing Regulations

This amendment encourages specific non-government agencies to share effective and tangible information, so as to enhance the effectiveness of cyber security, by adding an incentive provision in Paragraph 6, Article 3. However, the content and extent of the incentive are not specified. It remains to be seen how the central authority in charge of the subject industry can reward specific non-government agencies without crossing the legal boundary of unlawfully conferring a benefit on others.

6. Award and Punishment Regulations on Cyber Security Affairs for the Public Servants

The amendment also makes the chief officer of the personnel in charge of cyber security operations, and the supervising personnel of the supervising authority, subject to penalty for ineffective supervision of cyber security operations, in order to properly enforce the cyber security laws and regulations.

The CSMA and its sub-laws elevate to the regulatory level what were originally only instructions and encouragement for agencies to implement cyber security measures, and specify the legal consequences of non-compliance. This has a certain effect on enhancing the cyber security of government agencies and specific non-government agencies, and also influences, to some degree, how other non-government agencies establish their internal cyber security policies and baseline controls for information and communications system protection. Although the current law applies only to government agencies and specific non-government agencies, it is worth observing whether non-government agencies will be brought within the scope of the CSMA in the future, given the increasing number of cyber security incidents reported in recent years. In addition, as the ISO 27001 standard, an important reference for the CSMA and its related sub-laws, is to be revised in early 2022, it is also worth observing whether the CSMA and its related sub-laws will be revised accordingly.
