The Cyber Security Management Act Enforcement Rules (the “Enforcement Rules”) define reporting requirements, duties regarding subcontracting, the content of information security policies, major security incidents, and responses to security incidents. The Enforcement Rules were issued by Taiwan’s Executive Yuan under authority delegated to the executive branch by the Legislature in the Cyber Security Management Act. Please see this article summarizing the Act itself. Here, we outline several points in the Enforcement Rules that companies should be aware of.

Improvement Reports

Article 3 of the Enforcement Rules lists the required content of an improvement report following a cyber security audit that discovers deficiencies.

Subcontracting Standard of Care

Article 4 defines the standard of care with respect to subcontracting in considerable detail. In total, there are nine factors that must be considered when using subcontractors to develop or maintain information systems. For example, the contractor must require independent third party certification or do its own security testing for a customized system if the subcontract is worth more than NT$10 million (approx. US$330,000). Enforcement Rules §4(1)(3).

Information Security Policies

Information Security Policies must cover a total of 13 topics including core services and be filed with the appropriate agency. Enforcement Rules §6. Core services are defined in Article 7 by reference to the companion Regulations for Classification of Cyber Security Regulations (the “Classification Regulations”). For example, a service is a core service if it involves nationwide services to members of the public. Enforcement Rules §7(1)(4); Classification Regulations §4(3).

Reporting Security Incidents and Significant Security Incidents

Article 8 of the Enforcement Regulations sets out requirements for reporting security incidents while Article 10 defines significant security incidents as Level 3 and Level 4 Security Incidents as defined in Article 2 of the Regulations for Reporting and Responding to Cyber Security Incidents (the “Cyber Security Incident Reporting Regulations”). For example, a security incident that results in an interruption to core operations in critical infrastructure that cannot be restored within a tolerable period is considered a significant security incident because it is a Level 4 Security Incident. Enforcement Regulations §8; Cyber Security Incident Reporting Regulations §2(4)(3).

The Enforcement Rules came into effect on 1 January 2019.