The proposed rules would also require ICT contractors to report a cyber incident to the government within eight hours.