
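Notice of the General Office of the Ministry of Industry and Information Technology on Organizing the Pilot Program for Cybersecurity Insurance Services

Author: 数字化转型网 宁檬树; reposted by 无雀科技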

2023-12-23 09:23:51

无雀科技https://wuquedata.com/

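To the competent departments of industry and information technology and the communications administrations of all provinces, autonomous regions, municipalities directly under the Central Government and cities with independent planning status, and to the relevant enterprises and public institutions:

To thoroughly implement the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China and other relevant laws and regulations, to carry out the requirements of the Opinions on Promoting the Standardized and Healthy Development of Cybersecurity Insurance issued by the Ministry of Industry and Information Technology and the National Financial Regulatory Administration, and to accelerate the practical adoption of new cybersecurity insurance models, a pilot program for cybersecurity insurance services is hereby organized. The relevant matters are notified as follows: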


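I. Purpose of the Pilot

The pilot program for cybersecurity insurance services is organized for the following purposes. First, to help enterprises improve their ability to respond to cybersecurity risks: to raise enterprises' understanding of cybersecurity insurance, encourage them to actively use it to guard against cybersecurity risks, improve their cybersecurity risk management systems, and strengthen their cybersecurity awareness and capability. Second, to establish sound processes and mechanisms for cybersecurity insurance: to establish standards and specifications for cybersecurity insurance, refine process standards and requirements for key stages such as underwriting review, policy issuance and claims settlement, and promote the standardized and healthy development of cybersecurity insurance. Third, to accelerate the development of new forms of cybersecurity services: to accumulate practical experience with cybersecurity insurance, develop a set of innovative cybersecurity insurance products, cultivate a group of high-quality cybersecurity insurance institutions, produce a set of replicable and scalable cybersecurity insurance solutions, and promote the high-quality development of the cybersecurity industry.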


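II. Types of Insurance Covered by the Pilot

Based on the types of cybersecurity insurance currently available in China, the pilot mainly covers two broad categories: cybersecurity property insurance and cybersecurity liability insurance.

Cybersecurity property insurance mainly covers first-party direct losses caused by cybersecurity incidents and the technical service costs arising from them, including direct physical loss, business interruption loss, data asset restoration costs, hardware improvement costs and emergency response costs, as well as public relations and legal expenses resulting from cybersecurity incidents.

Cybersecurity liability insurance mainly covers liability for compensation owed to third-party individuals or organizations as a result of cybersecurity incidents, including data breach liability, cybersecurity incident liability, media infringement liability, liability relating to outsourced providers, and product liability or professional liability for technical services.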


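III. Pilot Targets and Content

In light of the actual state of cybersecurity insurance in China, the pilot covers enterprise insurance for key sectors such as telecommunications and the internet, the industrial internet and the Internet of Vehicles, together with insurance for cybersecurity products, information technology products and cybersecurity services. The main content of the pilot is as follows.

(1) Enterprise category

The insured is the enterprise as a legal person; coverage is mainly for property loss or liability for compensation that cybersecurity incidents cause to the enterprise.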

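1. Telecommunications and internet enterprises. For telecommunications and internet enterprises such as basic telecommunications operators, internet companies and cloud service providers, addressing risk scenarios in which cyberattacks or improper operation by internal personnel affecting servers, websites, platforms and the like cause platform service interruption or malicious tampering with and misuse of data, coverage is mainly for business interruption loss, data asset restoration costs, third-party claim losses and emergency response costs.

2. Industrial internet enterprises. For industrial internet enterprises such as connected industrial enterprises, industrial internet platform enterprises and identifier resolution enterprises, addressing risk scenarios in which cyberattacks or improper operation by internal personnel cause connected industrial equipment or industrial control systems to malfunction, automated production lines to stop, or important data to be encrypted and locked, coverage is mainly for business interruption loss, data asset restoration costs and emergency response costs. For enterprises in important industries such as the raw materials, equipment, consumer goods and electronic information manufacturing industries, addressing risk scenarios in which cyberattacks or improper operation cause production and manufacturing systems to malfunction, office automation and similar systems to be interrupted, or management data to be damaged, coverage is mainly for business interruption loss, data asset restoration costs and emergency response costs.

3. Internet of Vehicles enterprises. For enterprises related to the Internet of Vehicles, such as complete-vehicle manufacturers, vehicle electronic system manufacturers, electronic component manufacturers and intelligent vehicle operators, addressing risk scenarios in which cyberattacks, system design flaws, improper operation and the like cause assembly lines and other production and manufacturing systems to malfunction or sensitive vehicle design data to be leaked, coverage is mainly for claim losses from vehicle owners, vehicle occupants and third parties, data asset restoration costs, hardware improvement costs, business interruption loss and emergency response costs.

4. Enterprises in other sectors. For enterprises in other sectors such as healthcare, finance and energy, the insurable scope of first-party losses and third-party liability is to be determined in light of each sector's cybersecurity risk characteristics, focusing on risk scenarios such as component anomalies, system shutdowns, service interruptions and data leaks caused by cyberattacks, improper operation, code defects and the like.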


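(2) Product and service category

The protected party is the purchaser of the product or service; coverage is mainly for property loss or liability for compensation caused by cybersecurity incidents.

1. Cybersecurity products. Coverage is mainly for property loss and third-party liability that may arise while a cybersecurity product is being supplied or operated and maintained. It mainly covers first-party losses arising from cybersecurity incidents, such as emergency response costs and business interruption, or third-party claim losses resulting from data leaks and the like, thereby enhancing confidence in cybersecurity products. Cybersecurity products include, but are not limited to, anti-DDoS protection, data leakage prevention, anti-ransomware, endpoint detection and response, and web application firewalls.

2. Cybersecurity services. Coverage is mainly for the professional liability of professional and technical personnel engaged in cybersecurity services. It mainly covers third-party claim losses arising where negligence, errors or dereliction of duty by such personnel in the course of providing services cause the relevant information systems to be paralyzed, to fail or to crash, or cause data to be altered, lost or leaked. Cybersecurity services include, but are not limited to, cybersecurity risk assessment, security operations and emergency response.

3. Information technology products. Coverage is mainly for the cybersecurity liability of information technology products. It mainly covers cybersecurity incidents caused by a product or service failing to meet explicit standards (such as those agreed in a contract), including third-party claim losses arising where users' information systems are paralyzed, fail or crash, or data is altered, lost or leaked.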

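IV. Work Process

(1) Solicitation of service plans

Cybersecurity insurance service institutions, such as insurance companies, reinsurance companies, insurance intermediaries, cybersecurity enterprises, basic telecommunications operators, insurtech companies, professional testing and evaluation institutions, forensic appraisal institutions and research institutes, may submit cybersecurity insurance service plans on their own or jointly with other relevant entities (one lead entity and no more than 10 joint entities). An applicant must be registered within the territory of the People's Republic of China, have independent legal person status and have the capability to conduct cybersecurity insurance business; in principle, each applicant may lead no more than 5 cybersecurity insurance service plans. At least one of the lead or joint applicants must hold an insurance business license.

Cybersecurity insurance service institutions shall submit the Cybersecurity Insurance Service Plan (Annex 1), in three paper copies together with an electronic version, to the Ministry of Industry and Information Technology before January 28, 2024. The competent departments of industry and information technology and the communications administrations of provinces, autonomous regions, municipalities directly under the Central Government and cities with independent planning status (hereinafter "local competent departments") may make recommendations. Following review and selection, a Catalogue of Typical Cybersecurity Insurance Service Plans (hereinafter the "Catalogue") will be compiled.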

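(2) Pilot applications

Local competent departments shall draw up pilot work plans for cybersecurity insurance services in their regions (Annex 2), taking into account the Catalogue and local development conditions. Localities are encouraged to make combined use of existing policy support measures, such as those for first-unit (first-set) major technical equipment, first-version (first-release) high-end software, industrial parks and digital transformation pilot cities, to support the cybersecurity insurance service pilot in terms of policy, funding and supporting resources.

Cybersecurity insurance service institutions selected for the Catalogue may draw up pilot work plans for cybersecurity insurance services (Annex 3) jointly with entities across the industry chain. These institutions should actively draw on their industry experience and resource advantages to provide resources for matching supply with demand and for delivering insurance services.

Industry enterprises, including but not limited to "chain leader" enterprises in industry chains, large enterprise groups and platform enterprises, may draw up pilot work plans for cybersecurity insurance services (Annex 4) jointly with cybersecurity insurance service institutions, based on their own risk management needs. Industry enterprises are encouraged to provide supporting resources in areas such as supply-demand matching, organizational support and technical support.

Pilot work plans shall be submitted before March 15, 2024. The Ministry of Industry and Information Technology will select pilot plans that meet the requirements to carry out the pilot.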

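(3) Pilot implementation

The Ministry of Industry and Information Technology will convene a kickoff and deployment meeting for the pilot to make the work objectives and requirements clear. Participating local competent departments, service institutions and industry enterprises shall report regularly on the progress of the pilot and complete the pilot tasks to the required quality and quantity in accordance with their pilot work plans.

(4) Support and assurance

Units directly under the Ministry, including the National Industrial Information Security Development Research Center, will organize policy interpretation, publicity and training, and exchange and matchmaking activities on cybersecurity insurance, and will provide end-to-end support services for the cybersecurity insurance service pilot through the pilot support platform.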

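(5) Withdrawal from the pilot

Where a service institution or industry enterprise leading participation in the pilot has major problems in its operations or services, or commits serious violations of laws or regulations or similar acts, its pilot qualification will be revoked.

(6) Work summary

Local competent departments, service institutions and industry enterprises shall summarize their pilot work, covering the conduct of the pilot during the year, innovation in cybersecurity insurance products and the delivery of cybersecurity insurance services, and submit a written report before November 10, 2024. The Ministry of Industry and Information Technology will convene a summary meeting in due course to promote exemplary practices in cybersecurity insurance.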


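V. Work Requirements

(1) Give the work high priority and participate broadly and actively. All entities should fully recognize the importance of cybersecurity insurance, raise their cybersecurity awareness, actively commit more resources and take part in the cybersecurity insurance service pilot.

(2) Strengthen working mechanisms and advance in a solid and orderly manner. Organize interpretation of policies relating to cybersecurity insurance, establish sound working mechanisms for the pilot, and strengthen support services for the pilot to ensure that it proceeds smoothly.

(3) Promote integration and innovation, and improve products and services. Cybersecurity insurance service institutions should work from typical risk scenarios, strengthen cooperation and exchange, actively innovate in insurance products, improve service models, and advance the diversified development of cybersecurity insurance and the practical adoption of new models.

(4) Strengthen guidance and coordination to improve the pilot's results. Local industry regulators should strengthen policy guidance and support for the cybersecurity insurance service pilot, follow up promptly on its progress, do more to collate and summarize exemplary practical experience, promote the application and dissemination of typical examples, and strengthen their demonstration and leading effect.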

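Contacts: Xiao Junfang 68206187

Sun Qianwen 88680837 15611629846

Address: No. 13 West Chang'an Avenue, Xicheng District, Beijing

Annexes:

1. Cybersecurity Insurance Service Plan (cybersecurity insurance service institutions)

2. Pilot Work Plan for Cybersecurity Insurance Services (local competent departments)

3. Pilot Work Plan for Cybersecurity Insurance Services (cybersecurity insurance service institutions)

4. Pilot Work Plan for Cybersecurity Insurance Services (industry enterprises)

General Office of the Ministry of Industry and Information Technology

December 14, 2023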


Translation:

Notice of the General Office of the Ministry of Industry and Information Technology on organizing the pilot work of network security insurance services

To the departments in charge of industry and information technology and the communications administrations of provinces, autonomous regions, municipalities directly under the Central Government and cities with independent planning status, and to relevant enterprises and institutions:

In order to thoroughly implement relevant laws and regulations such as the Cybersecurity Law of the People’s Republic of China and the Data Security Law of the People’s Republic of China, implement the requirements of the Opinions on Promoting the Standardized and Healthy Development of Cybersecurity Insurance issued by the Ministry of Industry and Information Technology and the National Financial Regulatory Administration, and accelerate the implementation of the new model of cybersecurity insurance, the network security insurance service pilot work is hereby organized. The relevant matters are notified as follows:

I. Purpose of the pilot

By organizing and carrying out the pilot network security insurance service, the first aim is to help enterprises improve their ability to cope with network security risks, raise their awareness of network security insurance, actively use network security insurance to prevent network security risks, improve their network security risk management systems, and enhance their network security awareness and ability. The second is to establish and improve the network security insurance process mechanism, establish network security insurance standards and norms, improve the process standards and requirements for key links such as underwriting review, underwriting, and claims, and promote the standardized and healthy development of network security insurance. The third is to accelerate the development of new forms of network security services, accumulate practical experience in network security insurance, innovate a number of network security insurance products, cultivate a number of high-quality network security insurance institutions, form a number of network security insurance solutions that can be copied and promoted, and promote the high-quality development of the network security industry.

II. Types of insurance in the pilot

Combined with the existing types of network security insurance in China at this stage, the pilot types of insurance mainly include two categories of network security property insurance and network security liability insurance.

Cyber security property insurance mainly protects the direct losses of the first party caused by cyber security incidents and the resulting technical service costs, including direct physical losses, business interruption losses, data asset replacement costs, hardware improvement costs, emergency disposal costs, as well as public relations costs and legal costs caused by cyber security incidents.

Network security liability insurance mainly covers the compensation liability owed to third-party individuals or institutions as a result of network security incidents, including data breach liability, network security incident liability, media infringement liability, outsourcer-related liability, product liability or technical service professional liability.

III. Pilot targets and content

Combined with the actual development of China’s network security insurance, the pilot content includes enterprise insurance and network security products, information technology products, and network security service insurance for key industries such as telecommunications and the Internet, industrial Internet, and the Internet of vehicles, and the main pilot content is as follows.

(1) Enterprise category

With the enterprise legal person as the insured party, it mainly covers the property loss or compensation liability that network security incidents cause to the enterprise.

  1. Telecommunications and Internet companies. For telecom and Internet enterprises such as basic telecom operators, Internet enterprises, and cloud service providers, it mainly covers business interruption losses, data asset replacement costs, third-party claims losses, and emergency handling costs for risk scenarios such as platform service interruption and malicious tampering with and misuse of data, where servers, websites, platforms and the like are affected by cyber attacks or improper operation by internal personnel.

  2. Industrial Internet enterprises. For industrial Internet enterprises such as networked industrial enterprises, industrial Internet platform enterprises, and identifier resolution enterprises, it mainly covers business interruption losses, data asset replacement costs, emergency disposal costs, etc. for risk scenarios such as the operation failure of networked industrial equipment or industrial control systems, the stoppage of automated production lines, and the encryption and locking of important data caused by network attacks or improper operation by internal personnel. For enterprises in important industries such as raw material industry, equipment industry, consumer goods industry and electronic information manufacturing industry, it mainly covers business interruption losses, data asset replacement costs, emergency disposal costs, etc. for risk scenarios such as production and manufacturing system operation failure, interruption of office automation and similar systems, and management data damage caused by cyber attacks or improper operations.

  3. Internet of Vehicles enterprises. For Internet of Vehicles related enterprises such as vehicle production and manufacturing enterprises, vehicle electronic system manufacturing enterprises, electronic parts enterprises, intelligent vehicle operators, etc., it mainly covers claims losses of vehicle owners, vehicle occupants and third parties, data asset replacement costs, hardware improvement costs, business interruption losses, emergency handling costs, etc. for risk scenarios such as the operation failure of production and manufacturing systems such as assembly lines and the leakage of sensitive vehicle design data caused by cyber attacks, system design defects, and improper operation.

  4. Enterprises in other industries. For enterprises in other industries, such as healthcare, finance, and energy, combined with the industrial network security risk characteristics, focus on component anomalies, system outages, service interruptions, data leaks and other risk scenarios caused by network attacks, improper operations, and code defects, and determine the insured first-party losses and third-party liability scope.

(2) Products and services

With the buyer of the products and services as the protected party, it mainly covers the property loss or compensation liability caused by network security incidents.

  1. Network security products. It mainly covers property damage and third-party liability that may arise during the provision or operation and maintenance of network security products. It mainly covers first-party losses such as emergency handling costs and business interruption caused by network security incidents, or third-party claims losses caused by data leaks and the like, and enhances the credibility of network security products. Network security products include but are not limited to anti-DDoS protection, data leak prevention, ransomware prevention, endpoint detection and response, Web application firewall, etc.

  2. Network security services. It mainly covers the professional liability of professional and technical personnel engaged in network security services. It mainly covers third-party claims losses arising where negligence, error or dereliction of duty by professional and technical personnel in the course of service causes the relevant information system to be paralyzed, to fail or to crash, or causes data to be changed, lost or leaked. Network security services include but are not limited to network security risk assessment, security operations, emergency response, etc.

  3. Information technology products. It mainly covers the network security liability of information technology products. It mainly covers network security incidents caused by the failure of information technology products or services to meet explicit standards (such as contract agreements, etc.), including third-party claims losses arising where the user information system is paralyzed, fails or crashes, or data is changed, lost or disclosed.

IV. Work process

(1) Proposal solicitation

Insurance companies, reinsurance companies, insurance intermediaries, network security enterprises, basic telecom operators, insurance technology companies, professional assessment institutions, judicial appraisal institutions, scientific research institutes and other network security insurance service institutions may apply with a network security insurance service plan by themselves or jointly with relevant entities (1 lead unit, no more than 10 joint units). The applicant shall be registered in the territory of the People’s Republic of China, have independent legal personality, and have the ability to conduct network security insurance business, and the total number of network security insurance service plans led by each applicant shall not exceed 5 in principle. At least one of the lead or joint applicant units shall hold an insurance business license.

Network security insurance service institutions shall submit the Network Security Insurance Service Plan (Annex 1), in triplicate in paper form together with an electronic version, to the Ministry of Industry and Information Technology before January 28, 2024. The competent departments of industry and information technology and the communications administrations of provinces, autonomous regions, municipalities directly under the Central Government and cities with independent planning status (hereinafter referred to as the “local competent departments”) may make recommendations. After review and selection, the Catalogue of Typical Network Security Insurance Service Plans (hereinafter referred to as the “Catalogue”) will be formed.

(2) Pilot declaration

Local competent departments shall formulate pilot work plans for network security insurance services in their own regions in light of the Catalogue and local development realities (Annex 2). Local governments are encouraged to make comprehensive use of existing policy support measures such as those for the first unit (set) of major technical equipment, the first version (release) of high-end software, industrial parks, and digital transformation pilot cities, and to provide support for network security insurance service pilots in terms of policies, funds, and supporting resources.

The network security insurance service institutions selected for the Catalogue may develop a network security insurance service pilot work plan (Annex 3) jointly with entities in the industry chain. Network security insurance service institutions should actively draw on their industry experience and resource advantages to provide resources for supply and demand matching and insurance services.

Industry enterprises, including but not limited to industrial chain “chain master” enterprises, large enterprise groups, platform enterprises, etc., may, based on their own risk management needs, develop a network security insurance service pilot work plan (Annex 4) jointly with network security insurance service institutions. Industry enterprises are encouraged to provide support in terms of supporting resources such as supply and demand matching, organizational support and technical support.

The pilot work programme should be reported by March 15, 2024. The Ministry of Industry and Information Technology selects pilot programs that meet the requirements to carry out pilot work.

(3) Pilot implementation

The Ministry of Industry and Information Technology will organize a start-up and deployment meeting for the pilot work to clarify the work objectives and requirements. The local competent departments, service institutions and industry enterprises participating in the pilot shall regularly report the progress of the pilot work, and complete the pilot tasks to the required quality and quantity in accordance with the pilot work plan.

(4) Support and guarantee

The National Industrial Information Security Development Research Center and other units directly under the Ministry will organize network security insurance policy interpretation, publicity and training, and exchange and matchmaking, and will provide full-process support services for the network security insurance service pilot work through the pilot support platform.

(5) Pilot withdrawal

Where service institutions or industry enterprises that take the lead in participating in the pilot have major problems in their operations or services, or commit serious violations of laws and regulations or other such acts, their pilot qualifications will be cancelled.

(6) Summary of work

Local competent departments, service institutions and industry enterprises shall carry out pilot summary work, summarize the annual conduct of the pilot, cybersecurity insurance product innovation and cybersecurity insurance service implementation, and form a written report, to be submitted before November 10, 2024. The Ministry of Industry and Information Technology will organize a summary meeting in due course to promote excellent practices in cybersecurity insurance.

V. Work requirements

(1) Attach greater importance to the work and participate broadly and actively. All units should fully understand the significance of network security insurance, improve network security awareness, actively increase resource investment, and participate in the pilot work of network security insurance services.

(2) Strengthen the working mechanism and make solid and orderly progress. Organize the interpretation of policies related to cybersecurity insurance, establish and improve the pilot work mechanism, strengthen the support services for the pilot work, and ensure the smooth progress of the pilot work.

(3) Promote integrated innovation and optimize products and services. Network security insurance service institutions should work from typical risk scenarios, strengthen cooperation and exchanges, actively innovate insurance products, optimize service models, and promote the diversified development of network security insurance and the implementation of new models.

(4) Strengthen guidance and coordination to enhance the effectiveness of the pilot. Local industry authorities should strengthen the policy guidance and support for the network security insurance service pilot, follow up the progress of the pilot work in a timely manner, strengthen the summary of excellent practical experience, promote the application and promotion of typical examples, and strengthen the demonstration and driving role.

VI. Contact information

Contact: Xiao Junfang 68206187

Sun Qianwen 88680837 15611629846

Address: No. 13, West Chang’an Avenue, Xicheng District, Beijing

Attachments:

  1. Network Security Insurance Service Plan (network security insurance service institutions)

  2. Network Security Insurance Service Pilot Work Plan (local competent departments)

  3. Network Security Insurance Service Pilot Work Plan (network security insurance service institutions)

  4. Network Security Insurance Service Pilot Work Plan (industry enterprises)

Ministry of Industry and Information Technology General Office

December 14, 2023

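Editor: 王雨婷

Proofreader: 秦必功

Tags: cybersecurity, cybersecurity insurance

Disclaimer: This content is reposted on the 无雀科技 platform and does not represent the views or position of 无雀科技.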





