I have no idea about the legal situation in the PRC or what would count as a security incident. Perhaps this could be made clearer by adding examples of what a security incident means, by pointing to the PRC law that mandates this and arguing why this is so bad.
But in other jurisdictions there may be somewhat similar legal provisions that may make it into the terms of service. In Europe, the GDPR mandates that businesses must report data breaches within 72 hours after becoming aware of the incident:
(86) … the controller should notify the personal data breach to the supervisory authority without undue delay and, where feasible, not later than 72 hours after having become aware of it, …
Also, in Brazil, there is a similar provision in the Lei Geral de Proteção de Dados (LGPD):
Art. 48. The controller must communicate to the national authority and to the data subject the occurrence of a security incident that may cause relevant risk or damage to the data subjects.
I have yet to see any of this mentioned in the terms of service and privacy policies that I have read, but if it can be generalized I think it could become a case. I would disagree, however, that this communication is outside of any legal process, considering that it is explicitly provisioned for in the law. The GDPR and LGPD provisions I wouldn’t consider bad, but perhaps neutral.