Measures for reporting, investigating and handling information security incidents in securities and futures industry
Chapter I General Principles

Article 1 In order to standardize the reporting, investigation and handling of information security incidents in the securities and futures industry and to reduce the occurrence of such incidents, these Measures are formulated in accordance with the Securities Law, the Securities Investment Fund Law, the Regulations on the Supervision and Administration of Securities Companies, the Regulations on the Administration of Futures Trading and the Measures for the Administration of Information Security in the Securities and Futures Industry.

Article 2 An information security incident in the securities and futures industry refers to an event in which an information system of the securities and futures industry operates abnormally, or its data is damaged or leaked, in a way that damages the legitimate rights and interests of investors or adversely affects the securities and futures market.

Article 3 When an information security incident occurs at an entity responsible for information security in the securities and futures industry, that entity shall report, investigate and handle the incident in accordance with these Measures.
The responsible entities referred to in the preceding paragraph include institutions that perform the functions of the securities and futures market, institutions that operate the information technology infrastructure of the securities and futures industry, and other core institutions of the securities and futures market together with their subordinate institutions (hereinafter "core institutions"), as well as securities and futures operating institutions such as securities companies, futures companies, fund management companies and securities and futures service institutions (hereinafter "operating institutions").

Article 4 Core institutions and operating institutions shall report information security incidents in a timely, accurate and complete manner, and shall not delay, omit, falsify or conceal reports.

Article 5 The investigation and handling of information security incidents shall adhere to the principles of seeking truth from facts, respecting science, being objective and fair, and being timely and reliable.

Article 6 A core institution or operating institution at which an information security incident occurs shall conduct an internal investigation of the incident, determine responsibility for it and take corrective measures.

Article 7 The China Securities Regulatory Commission (CSRC) and its dispatched offices shall investigate and handle information security incidents of core institutions and operating institutions in accordance with these Measures.

Article 8 Core institutions, operating institutions, and providers of software or hardware products or technical services related to an information security incident shall cooperate with the CSRC, its dispatched offices and the institution at which the incident occurred in investigating and handling the incident.

Chapter II Classification of Incidents

Article 9 According to the extent to which they damage the legitimate rights and interests of investors or adversely affect the securities and futures market, information security incidents are classified as particularly major incidents, major incidents, relatively major incidents and general incidents.

Article 10 A particularly major incident is an information security incident that causes particularly serious damage to the legitimate rights and interests of investors or has a particularly serious impact on the securities and futures market. A particularly major incident is one that meets any of the following circumstances:
(1) The trading, communication or market data release system of a stock exchange fails to start normally or is interrupted for 20 minutes or more, or the proportion of affected business departments or trading units reaches 20% or more, or the number of securities whose trading is interrupted reaches 20% or more;
(2) The trading business system of a futures exchange is completely interrupted, affecting trading time for 2 hours or more; or the settlement and delivery business system is interrupted, affecting the normal opening of the next trading day;
(3) The registration and settlement system of China Securities Depository and Clearing Corporation is paralyzed, cannot be restored in a short time, the date of restoration is unpredictable, and the incident has a significant impact on the company's overall business or on the whole market;
(4) The centralized trading system or online trading system of a securities company or futures company with 100,000 or more effective customers is completely interrupted, affecting trading time for 2 hours or more;
(5) The settlement system of a securities company or futures company with 100,000 or more effective customers fails to complete the settlement of the previous trading day before the market opens, or there are major errors in the settlement data, affecting the normal trading of investors;
(6) A serious failure occurs in a fund sales, accounting or registration system, the backup system is not expected to be restored within 8 hours, and the normal subscription and redemption of funds by 100,000 or more investors on the same day or subsequent trading days is affected;
(7) The data of 100,000 or more investors is damaged or erroneous, affecting normal trading on the same day or subsequent trading days;
(8) The data of 100,000 or more investors is leaked;
(9) Other incidents that have a particularly serious impact on the legitimate rights and interests of investors or on the securities and futures market.

Article 11 A major incident is an information security incident that causes serious damage to the legitimate rights and interests of investors or has a serious impact on the securities and futures market. A major incident is one that meets any of the following circumstances and does not reach the particularly major level:
(1) The trading, communication or market data release system of a stock exchange is interrupted for 10 minutes or more, or the proportion of affected business departments or trading units reaches 10% or more, or the number of securities whose trading is interrupted reaches 10% or more;
(2) The trading business system of a futures exchange is completely interrupted, affecting trading time for 30 minutes or more;
(3) A failure of the registration and settlement system of China Securities Depository and Clearing Corporation affects the normal opening of the market or the conduct of business on the next trading day, or may prevent a business from being carried out across the whole market on that day;
(4) The centralized trading system or online trading system of a securities company or futures company with 10,000 or more effective customers is completely interrupted, affecting trading time for 30 minutes or more;
(5) The settlement system of a securities company or futures company with 10,000 or more effective customers fails to complete the settlement of the previous trading day before the market opens, or there are major errors in the settlement data, affecting the normal trading of investors;
(6) A serious failure occurs in a fund sales, accounting or registration system, the backup system is not expected to be restored within 4 hours, and the normal subscription and redemption of funds by 10,000 or more investors on the same day or subsequent trading days is affected;
(7) The data of 10,000 or more investors is damaged or erroneous, affecting normal trading on the same day or subsequent trading days;
(8) The data of 10,000 or more investors is leaked;
(9) Other incidents that have a serious impact on the legitimate rights and interests of investors or on the securities and futures market.

Article 12 A relatively major incident is an information security incident that causes considerable damage to the legitimate rights and interests of investors or has a considerable impact on the securities and futures market. A relatively major incident is one that meets any of the following circumstances and does not reach the major level:
(1) The trading, communication or market data release system of a stock exchange is interrupted, and the proportion of affected business departments or trading units reaches 5% or more, or the number of securities whose trading is interrupted reaches 5% or more;
(2) The trading business system of a futures exchange is completely or partially interrupted, affecting trading time for 3 minutes or more;
(3) A failure of the registration and settlement system of China Securities Depository and Clearing Corporation does not affect normal market trading, but one or several businesses are interrupted or delayed for more than 4 hours (exclusive) and return to normal within the same day, affecting some participants;
(4) The centralized trading system or online trading system of a securities company or futures company is completely or partially interrupted, affecting trading time for 5 minutes or more;
(5) The third-party depository system or the margin financing and securities lending system of a securities company stops operating wholly or partly, affecting business hours for 30 minutes or more; or the bank transfer system of a futures company stops operating wholly or partly, affecting business hours for 30 minutes or more;
(6) The settlement system of a securities company or futures company with fewer than 10,000 effective customers fails to complete the settlement of the previous trading day before the market opens, or the settlement data is erroneous, affecting the normal trading of investors;
(7) A serious failure occurs in a fund sales, accounting or registration system, the backup system is not expected to be restored within 2 hours, and the normal subscription and redemption of funds by fewer than 10,000 investors on the same day or subsequent trading days is affected;
(8) The on-site quotation or on-site trading system of a securities company branch, or of a futures company business department that provides on-site trading services, fails, affecting trading time for 2 hours or more;
(9) The data of fewer than 10,000 investors is damaged or erroneous, affecting normal trading on the same day or subsequent trading days;
(10) The data of fewer than 10,000 investors is leaked;
(11) Other incidents that have a significant impact on the legitimate rights and interests of investors or on the securities and futures market.

Article 13 A general incident is an information security incident that damages the legitimate rights and interests of investors or affects the securities and futures market. A general incident is one that meets any of the following circumstances and does not reach the relatively major level:
(1) The trading, communication or market data release system of a stock exchange is interrupted, and the proportion of affected business departments or trading units is less than 5%, or the number of securities whose trading is interrupted is less than 5%;
(2) The trading business system of a futures exchange is completely or partially interrupted, affecting trading time for less than 3 minutes;
(3) A failure of the registration and settlement system of China Securities Depository and Clearing Corporation does not affect normal market trading, but one or several businesses are interrupted or delayed for more than 2 hours (exclusive) and return to normal within the same day, affecting some participants;
(4) The centralized trading system or online trading system of a securities company or futures company is completely or partially interrupted, affecting trading time for less than 5 minutes;
(5) The third-party depository system or the margin financing and securities lending system of a securities company stops operating wholly or partly, affecting business hours for less than 30 minutes; or the bank transfer system of a futures company stops operating wholly or partly, affecting business hours for less than 30 minutes;
(6) The on-site quotation or on-site trading system of a securities company branch, or of a futures company business department that provides on-site trading services, fails, affecting trading time for less than 2 hours;
(7) Other incidents that affect the legitimate rights and interests of investors or the securities and futures market.

Article 14 In this Chapter, a threshold expressed as "X or more" includes X, and a threshold expressed as "less than X" excludes X.
The "number of effective customers" referred to in this Chapter is the number of qualified accounts at the end of the month preceding the information security incident, as reported by the securities company or futures company to the CSRC and its dispatched offices. A qualified account is an account whose account-opening information is true, accurate and complete, whose investor identity is genuine, whose asset ownership is clear, and which complies with relevant regulations.

Chapter III Incident Reporting

Article 15 Core institutions and operating institutions shall establish a network and information security risk monitoring and early warning system. Hidden risks that are discovered shall be verified as soon as possible and necessary preventive measures taken; where a major situation exists, an early warning report shall be made in a timely manner. The early warning report shall include: the basic situation (including the time, place and course of the early warning), the possible scope of impact and consequences, the preventive measures already taken and relevant suggestions, and matters that require coordination by relevant departments and units.

Article 16 Core institutions and operating institutions shall establish an information security emergency response mechanism, handle information security incidents in a timely manner, restore normal operation of the information system as soon as possible, protect the scene of the incident and the relevant evidence, and make emergency reports according to the following requirements:
(1) Where a major failure of an important information system of a core institution may cause or has caused trading interruption or serious slowdown, it shall be reported immediately and thereafter at least once every 30 minutes until the information system resumes normal operation; any important development shall be reported immediately.
(2) Where the centralized trading system of a securities company or futures company fails in a way that may cause or has caused trading interruption or serious slowdown, it shall be reported immediately and thereafter at least once every 30 minutes until the information system resumes normal operation; any important development shall be reported immediately.
(3) Where a failure of another information system of a core institution or operating institution affects the normal conduct of business by investors, and normal business cannot in principle be resumed within 30 minutes, it shall be reported immediately and thereafter at least once every hour until the business and the information system resume normal operation; any important development shall be reported immediately.
(4) Core institutions and operating institutions shall immediately report damage to or leakage of investor data; until the incident is resolved, any important development shall be reported immediately.
(5) Where a core institution or operating institution is involved in a computer crime, it shall report immediately; until the incident is resolved, any important development shall be reported immediately.

Article 17 When making an emergency report, a core institution or operating institution shall first report by telephone and then submit a written information security incident report (see Annex). The written report shall include: the time, place and brief course of the incident; preliminary assessments of the scope of impact, degree of impact, number of people affected, economic losses, consequences, causes and nature of the incident; the measures taken and their effect; matters requiring assistance from relevant departments and units; the reporting unit, signatory and reporting time; the contact person and contact details; and any other content related to the incident.

Article 18 Within 5 working days after the emergency response to an information security incident is completed and the system resumes normal operation, the core institution or operating institution shall organize an internal investigation to accurately establish the course, causes and losses of the incident, determine its nature, identify and pursue responsibility, propose rectification measures, and produce an incident summary report. The incident summary report shall include:
(1) The basic situation of the incident, including its time, place, course, scope of impact, degree of impact and losses;
(2) The emergency response, including the reporting of the incident, the measures taken and their effect;
(3) The investigation of the incident, including its cause, its classification level, the determination of responsibility and the conclusion;
(4) The handling of the incident, including the problems it exposed, the corrective measures taken and the accountability imposed.
If the cause, responsibility and conclusion of the incident cannot yet be determined, the institution shall submit a preliminary analysis report, establish the cause as soon as possible, identify and pursue responsibility, take corrective measures, and submit a supplementary incident report within 30 working days after the emergency response is completed and the system resumes normal operation.

Article 19 After receiving an information security notification from the CSRC or its dispatched offices concerning system vulnerabilities, security risks or product defects, core institutions and operating institutions shall immediately verify the situation, take necessary measures and produce an incident summary report as required. That incident summary report shall include: the basic situation of the incident, the scope and consequences that may be or have been caused, the preventive measures taken and relevant suggestions.

Article 20 Core institutions and operating institutions shall report to the relevant bodies in accordance with the following provisions:
(1) A core institution shall make early warning reports, emergency reports and incident summary reports to the CSRC.
(2) Where an information security incident at a core institution affects other institutions, the core institution shall promptly notify the affected institutions of the emergency.
(3) An operating institution shall make early warning reports, emergency reports and incident summary reports to the CSRC dispatched office at its domicile, and its branches shall make early warning reports, emergency reports and incident summary reports to the CSRC dispatched office at the place where the branch is located. The incident summary report shall also be copied to the Securities Association of China, the China Futures Association or the fund industry association, as applicable.
(4) When an information security incident at an operating institution affects securities or futures trading business, the institution shall at the same time make an emergency report and an incident summary report to the relevant securities or futures exchange; when securities registration and settlement business is affected, it shall at the same time submit an emergency report and an incident summary report to China Securities Depository and Clearing Corporation; when refinancing business is affected, it shall at the same time submit an emergency report and an incident summary report to China Securities Finance Corporation; when other institutions are affected, it shall promptly notify them of the emergency.
(5) When an incident involving a computer crime occurs at a core institution or operating institution, the institution shall report it to the public security organ as an emergency.

Chapter IV Investigation and Handling

Article 21 The CSRC and its dispatched offices have the right to investigate and handle information security incidents. According to the needs of an investigation, they may engage industry information technology consultants and other relevant experts to participate in the investigation, or entrust professional institutions to conduct it.

Article 22 Investigators have the right to obtain information related to an information security incident from core institutions, operating institutions, providers of software or hardware products or technical services, and individuals, and may use working methods such as hearing reports, questioning the parties, consulting documents and materials, examining system logs, and on-site verification. During an incident investigation, the relevant personnel of the institution at which the incident occurred shall be available for questioning at any time, truthfully describe the situation, and provide evidence and the required documents and materials.

Article 23 Investigators shall be honest and fair, conscientiously perform their duties, abide by work discipline, and strictly protect the confidentiality of the incident investigation as well as any business secrets and technical secrets learned in the course of it. Without authorization, they shall not disclose or publish information learned in the investigation.

Article 24 The CSRC or its dispatched offices shall urge the institution at which an information security incident occurred to implement rectification measures and shall supervise their implementation. An institution at which an information security incident occurred shall earnestly learn the lessons of the incident, implement rectification measures as soon as possible, and eliminate the hidden risks.

Article 25 The CSRC will, as appropriate, circulate notices of information security incidents to the whole industry, and its dispatched offices will, as appropriate, circulate notices to the securities and futures institutions within their respective jurisdictions.

Article 26 The CSRC and its dispatched offices shall, in accordance with relevant laws, administrative regulations and rules, take supervisory and administrative measures against, or impose administrative penalties on, an institution at which a major information security incident occurred and its directly responsible person in charge and other directly responsible personnel.

Article 27 Where an institution bears responsibility for a general information security incident, the institution shall internally hold accountable the directly responsible person in charge and other directly responsible personnel.

Article 28 The CSRC, its dispatched offices and the institution at which an information security incident occurred shall determine responsibility for the incident according to the principle that those who performed their duties diligently are exempted from liability and those who neglected their duties are held accountable.

Article 29 For information security incidents at the major level or above that are found not to be responsibility incidents, the CSRC and its dispatched offices shall, in accordance with relevant laws, administrative regulations and rules, take supervisory and administrative measures against the institution at which the incident occurred.

Article 30 For an institution at which a major or particularly major information security incident has occurred, or at which information security incidents occur frequently, the CSRC or its dispatched offices shall take supervisory and administrative measures such as ordering the institution to submit periodic reports, and may conduct on-site inspections as appropriate.

Article 31 Under any of the following circumstances, the CSRC or its dispatched offices shall take supervisory and administrative measures against, or impose administrative penalties on, the institution at which the information security incident occurred:
(1) Failing to report the incident in accordance with these Measures, including delayed, omitted, false or concealed reporting;
(2) Failing to properly preserve evidence, or intentionally concealing, forging, tampering with or destroying relevant documents, materials or evidence;
(3) Failing to take timely risk prevention and control measures in accordance with an information security notification of the CSRC, resulting in an information security incident;
(4) Failing to carry out rectification as required by the CSRC or its dispatched offices, or carrying it out inadequately, resulting in an information security incident;
(5) Obstructing or refusing the investigation;
(6) Other adverse circumstances identified by the CSRC or its dispatched offices.

Chapter V Supplementary Provisions

Article 32 These Measures shall come into force on February 1, 2013.

Attachment: Information Security Incident Report (omitted)