The People's Bank of China issued new measures governing the reporting of cybersecurity incidents in business areas under its supervision, requiring financial institutions to report relevant incidents to the central bank or its local branches. The framework updates the prior bank computer security incident reporting regime and is intended to align reporting expectations with China's cybersecurity, data security, personal information protection, and critical information infrastructure rules.

Reportable incidents include those arising from human factors, cyberattacks, vulnerabilities, hardware or software defects or failures, or force majeure that harm networks built, operated, maintained or managed by financial institutions, or data processed by them, within the People's Bank of China business domain. Incidents outside the People's Bank of China business domain do not need to be reported under the measures, and matters involving state secrets are handled under separate rules. The measures define the covered business domain to include, among others, monetary and credit, macroprudential, cross-border RMB, interbank markets, financial sector statistics, payment and settlement, RMB issuance and circulation, treasury management, credit reporting and credit rating, and anti-money laundering.

Incident severity is classified into four levels, using baseline grading rules aligned with the national standard GB/T 20986-2023, and reporting procedures and deadlines are differentiated by institution type, organisational level, and business scale, with separate timing requirements for initial, ongoing, and post-incident reports. The package also adds expectations on reporting where accountability is being determined, specifies circumstances for mitigated or exempted responsibility treatment, and sets out cooperation requirements for inspections and the applicable liability framework for non-compliance, including accountability arrangements for central bank staff.
The measures also establish information-sharing and coordinated handling arrangements with other competent authorities and financial regulators, and require institutions to follow any separate reporting rules applicable to other departments. Follow-up work described by the central bank includes policy outreach, implementation guidance, and prompting firms to refine internal grading standards and reporting responsibilities, alongside more standardised enforcement.
Central Bank of the Republic of China 2025-05-30
People's Bank of China requires financial institutions to report graded cybersecurity incidents affecting its supervised business networks and data
The People's Bank of China has updated its cybersecurity incident reporting measures, aligning with national rules. Incidents are classified into four severity levels, with procedures based on institution type and scale. The framework includes information-sharing, cooperation for inspections, and accountability for non-compliance.