Cabinet demands reports on cyber security incidents

Taipei, Feb. 2 (CNA) The Cabinet has instructed designated entities in eight key infrastructure categories to report any cyber security incidents they encounter to their governing central authorities, Chien Hung-wei (簡宏偉), director of the cyber security department under the Executive Yuan, said Tuesday.

If they fail to abide by the instruction to report such incidents, they will face a fine of up to NT$5 million (US$178,571), Chien said.

The instruction was issued amidst increasing concern over the possibility of a rising number of cyber attacks, Chien said.

The directive was made based on the Cyber Security Management Act, as a way to make the appropriate responses to such incidents, he added.

Chien said the eight categories of critical infrastructure providers refer to the energy, water resources, communications, transportation, financial and emergency medical care industries, as well as central and local governments and high-tech science parks.

The act, which took effect in 2018, is aimed at building a sound environment for national cyber security to safeguard national security and protect public interests.

Under the terms of the act, key critical infrastructure providers in the eight industries must submit to the central authorities implementation plans on how they plan to maintain cyber security.

Chien said that in 2020, the governing authorities of the eight infrastructure industries began efforts to designate the required entities, in both the public and private sectors, to report any cyber incidents they discover.

Those that fail to do so, Chien said, will face fines ranging between NT$300,000 and NT$5 million, adding that the fines can be repeated if violators fail to correct their conduct before a set time.

Chien said the requirement for these critical infrastructure providers to follow the procedure is similar to cyber security management rules implemented in the European Union, the United States, Singapore and Japan.

While Chien did not name the actual entities designated in the eight critical infrastructure industries, the local media has reported that the number of the entities designated by the authorities is in the dozens.

According to the reports, the designated entities include state-owned Taiwan Power Co., state run gasoline supplier CPC Corp., Taiwan, the Taiwan Railways Administration, the Taiwan High Speed Rail Corp., Chunghwa Telecom Co., National Taiwan University Hospital, Mega Financial Holding Co. and Taiwan Water Corp.

In addition, Taiwan Mobile Co., Far EasTone Telecommunications Co., Hsinchu Science Park, Central Taiwan Science Park and Southern Taiwan Science Park are included, according to the reports.

Among the recent prominent cyber attacks, Taiwan Mobile's Amazing A32 phone model was found by the Criminal Investigation Bureau in January to contain malware implanted during the manufacturing process, which could allow identity theft, among other issues, as it would give fraudsters remote access to the phone.

Taiwan Mobile was ordered to fix the security breach on its Amazing A32 phone model by the National Communications Commission soon after the flaw was found.