Regulator

The role of regulators under the Cybersecurity Act relates to the development of security mechanisms to safeguard CII and enhance the prevention and mitigation of national cyber threats.

Related sections under the Cybersecurity Act

Supervision

Section 9(8)

  • assign the supervision and regulation, including the issuing of regulations, objectives, duties and power, and the operational framework regarding Maintaining Cybersecurity to the Supervising or Regulating Organization, Government Agency, or the Organization of Critical Information Infrastructure.

Section 13(5)

  • determine the duties of Organization of Critical Information Infrastructure and duties of the Supervising or Regulating Organization which should at least determine the duties for the Supervising or Regulating Organization to determine the appropriate standards for each Organization of Critical Information Infrastructure and Government Agency in coping with Cyber Threats;

Section 49

  • The Committee shall have the power to prescribe in a notification the characteristics of the organizations that have a mission or provide services in the following aspects, as an Organization of Critical Information Infrastructure:
    (1) national security;
    (2) substantive public service;
    (3) banking and finance;
    (4) information technology and telecommunications;
    (5) transportation and logistics;
    (6) energy and public utilities;
    (7) public health;
    (8) others as prescribed by the Committee.

    The consideration for the prescription of such mission or services under paragraph one shall be in accordance with the rules prescribed by the Committee, which shall be published in the Government Gazette. The Committee shall consider and review such prescription of the mission or services on a case-by-case basis as appropriate.

Section 53

  • In the operation of Maintaining Cybersecurity of the Organization of Critical Information Infrastructure, the Supervising or Regulating Organization shall examine the minimum cybersecurity standard of the Organization of Critical Information Infrastructure under its supervision. If found that Organization of Critical Information Infrastructure does not comply with the standards, the Supervising or Regulating Organization shall notify the Organization of Critical Information Infrastructure which is below the standards to make correction in order to meet the standards without delay. If such Organization of Critical Information Infrastructure neglects or fails to comply within the period prescribed by the Supervising or Regulating Organization, the Supervising or Regulating Organization shall notify the CRC for consideration without delay.

    Upon receipt of notification under paragraph one, if the CRC considers and views that there is such reason and which may cause a Cyber Threat, the CRC may perform the following:
    (1) in case of a Government Agency, the CRC shall notify the chief executive of the agency to exercise executive power to issue an order to the Government Agency or the Organization of Critical Information Infrastructure to correct and comply with the standards without delay;
    (2) in case of a private organization, the CRC shall notify the chief executive of the organization, the person possessing the computer, and the person monitoring the computer system of the Organization of Critical Information Infrastructure to make correction and comply with the standards without delay. The Secretary-General shall monitor to ensure compliance of paragraph two.

Section 54

  • The Organization of Critical Information Infrastructure shall conduct risk assessment on Maintaining Cybersecurity by having an examiner, including examination in the cybersecurity aspect by the information security auditor, internal auditor or external independent auditor, at least once per year.
    The Organization of Critical Information Infrastructure shall submit a summary report of the operation result to the Office within thirty days after the operation has been finished.

Protection

Section 43

  • The Committee shall prepare a policy and plan for Maintaining Cybersecurity in accordance with section 42 to propose to the Cabinet for approval, which shall be published in the Government Gazette. Once published, Government Agencies, Supervising or Regulating Organizations, and Organizations of Critical Information Infrastructure as determined in the plan on Maintaining Cybersecurity shall take action to be in accordance with such policy and plan.

    In preparing the policy and plan under paragraph one, the Office shall hold a hearing or meeting with the Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure.

Section 44

  • The Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure shall prepare a Code of Practice and standard framework for Maintaining Cybersecurity of each organization in accordance with the policy and plan on Maintaining Cybersecurity without delay.

    The Code of Practice for Maintaining Cybersecurity under paragraph one, at least, shall consist of the following:
    (1) the plan for examining and assessing risks related to Maintaining Cybersecurity by an examiner, internal auditor, or independent external auditor, at least once per year;
    (2) the plan for coping with Cyber Threats.
    For the benefit of preparing the Code of Practice for Maintaining Cybersecurity in paragraph one, the Office, upon the approval of the Committee, shall prepare a Code of Practice and standard framework for the Government Agency, Supervising or Regulating Organization, or Organization of Critical Information Infrastructure to use as a guideline to prepare or exercise as a Code of Practice of the Government Agency, Supervising or Regulating Organization, or Organization of Critical Information Infrastructure. In case such organizations do not yet have one, or have one which is incomplete or not in accordance with the Code of Practice and standard framework, such Code of Practice and standard framework shall be enforced.

Section 45

  • The Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure have a duty to prevent, cope with, and mitigate risks from Cyber Threats in accordance with the Code of Practice and standard framework for Maintaining Cybersecurity of each organization and shall act in order to be in compliance with the Code of Practice and standard framework for Maintaining Cybersecurity in accordance with section 13 paragraph one (4).
    In case the Government Agency, Supervising or Regulating Organization, or Organization of Critical Information Infrastructure could not act or comply in accordance with paragraph one, the Office may grant assistance in the personnel or technological aspects to such organization as requested.

Section 46

  • For the benefit of Maintaining Cybersecurity, the Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure shall notify the name of executive officials and operational officials for the coordination of Maintaining Cybersecurity to the Office.
    In the event there is a change to the officials under paragraph one, the Government Agency, Supervising or Regulating Organization, and Organization of Critical Information Infrastructure shall notify the Office without delay.

Section 52

  • For the benefit of coordination, the Organization of Critical Information Infrastructure shall notify the name and contact information of the owner, the person possessing the computer, and the person monitoring the computer system to the Office, its Supervising or Regulating Organization, and the organization under section 50, within thirty days from the date the Committee prescribes the notification in accordance with section 49 paragraph two and section 50 paragraph two, or from the date the Committee issues a final judgement in accordance with section 51, as the case may be; the owner, the person possessing the computer, and the person monitoring the computer system shall at least be a person responsible for the management of such Organization of Critical Information Infrastructure.
    In case there is any change to the owner, the person possessing the computer, and the person monitoring the computer system in accordance with paragraph one, notice of change to the relevant organizations under paragraph one shall be given not less than seven days in advance, unless there is reasonable cause which is inevitable, in which case it shall be notified without delay.

Coping

Section 57

  • In the event of a Cyber Threat significantly occurring to the system of the Organization of Critical Information Infrastructure, the Organization of Critical Information Infrastructure shall report to the Office and the Supervising or Regulating Organization and cope with the Cyber Threats as prescribed in Part 4; the CRC may prescribe criteria and method of the reporting.

Section 58

  • In the case there is or may be a Cyber Threat to an information system that is under the responsibility of a Government Agency or an Organization of Critical Information Infrastructure, such organization shall examine its related information, computer data, and the computer system, including the surrounding circumstances to assess whether a Cyber Threat has occurred. If the examination results show that there is or may be a Cyber Threat, the organization shall prevent, cope with, and mitigate the risks from such Cyber Threat in accordance with the Code of Practice and standard framework in Maintaining Cybersecurity and shall notify the Office and its Supervising or Regulating Organization without delay.
    In case the agency or organization, or any person, finds an obstacle or issues in preventing, coping with, or mitigating the risks from a Cyber Threat, such agency, organization, or person may request assistance from the Office.

Section 59

  • When it appears to the Supervising or Regulating Organization, or when the Supervising or Regulating Organization is notified of an incident in accordance with section 58, the Supervising or Regulating Organization in cooperation with the organization under section 50 shall gather information, examine, analyze the situation, and evaluate the effects related to the Cyber Threat and shall perform the following:
    (1) support and grant assistance to the Government Agency or Organization of Critical Information Infrastructure under its supervision or regulation and cooperate and coordinate with the Office to prevent, cope with, and mitigate the risks from the Cyber Threat;
    (2) notify the Government Agency or Organization of Critical Information Infrastructure under its supervision or regulation, including other relevant Government Agencies or Organizations of Critical Information Infrastructure without delay.