China Cybersecurity Law: Key Takeaways for Financial Services Firms in China
China’s Cybersecurity Law came into force on 1 June 2017, despite speculation that there would be a delay in its launch.1 The new law covers a wide range of activities relating to the cyberspace, including personal data protection and security, hacking, malicious software prohibition, handling of emergency network situations, and data localisation. Many of these regulations affect the operation of financial services companies in China. There are hefty penalties for breaches, including fines of up to RMB1 million (approx.. US$150,000) and confiscation of monies illegally obtained for certain offences.
The following are key points to note as firms prepare to be compliance ready.
- Financial services firms would be regarded as “network operators” within the purview of the Cybersecurity Law, and likely would be regarded as “critical information infrastructure operators” as well. Many of the Cybersecurity Law requirements apply to “network operators” – broadly defined as “owners of networks, administrators or managers of networks, and network service providers”. The term “network” refers to “a system that is formed by computers or other information terminals and related equipment for collecting, storing, transmitting, exchanging, and processing information according to certain rules and procedures”. Financial services firms that operate or administer intranets, servers or some other types of network systems, would be regarded as “network operators” under the Cybersecurity Law, and accordingly would need to comply with relevant requirements concerning “network operators”.
In addition, financial services firms are likely to be categorised as “critical information infrastructure” – defined to include operators of important industries and areas such as “finance”.2 As a “critical information infrastructure” operator, a firm would be subject to certain further obligations under the Cybersecurity Law.
- Firms conducting critical information infrastructure operations need to comply with data localisation requirements. Under these requirements, critical information infrastructure operators need to store within Mainland China all “personal information”3 and “important data”4 collected and generated in Mainland China. In case of business needs, and if this data is to be provided outside Mainland China, a security assessment has to be obtained prior to the provision in accordance with relevant regulations. The CAC has explained that the purpose of the data localisation requirement is to maintain network security and protect public interest in Mainland China, not to restrict cross-border data flow or international trade. As at the date of this article, the relevant regulations on security assessment have not been enacted – a draft regulation on security assessment for provision of personal information and important data out of Mainland China was issued for consultation on 11 April 2017 and is pending approval and enactment.5 Until the regulation is enacted, it would be prudent for financial services firms to conduct very careful analysis of compliance risks before providing any personal information or important data collected and generated in Mainland China outside Mainland China. Firms that procure network products and services, particularly those relating to national security, critical information infrastructure and network security, must comply with National Standards and apply for security assessment. Firms with network products and services must comply with the relevant compulsory requirements of national standards, and ensure that they do not contain malicious tools or processes. When the network products, services and information systems may impact upon China’s national security, firms must also ensure that all such products or services have properly undergone network security assessment in accordance with the relevant regulations, and must sign confidentiality agreements with providers of network products and services. In addition, when financial services firms procure network products that are categorised as “network critical equipment” or “network security dedicated products”, such firms must ensure all such products have duly obtained security certification in accordance with the relevant regulations.6
- Firms must comply with personal data protection requirements. All financial services firms must prepare personal data collection policies and/or statements setting out the purpose, manner and ambit of the collection and use of any personal information. Consent7 must be obtained from the person from whom the personal information is collected, covering the collection, use and provision of such personal information to any other person. The personal data collection policy and statement must comply with principles of legality, properness and necessity. Personal information unrelated to the service provided must not be collected. Personal information may not be provided or sold to any other person, except with consent from the person from whom personal information was collected, or if the data is irrevocably anonymised. Financial services firms must also provide avenues to entertain requests for deletion or amendment of personal information in accordance with the Cybersecurity Law.
- Firms must implement security measures and maintain logs of network security events. All financial services firms must implement security measures, categorise data, backup and encrypt important data (not precisely defined under the Cybersecurity Law), supervise and record network operation status and technical measures taken of network security events, and maintain logs of network activities of at least the prior six months. Such firms must also keep disaster backups of important systems and databases, and conduct at least yearly security risks assessments and regular drills of cybersecurity emergency plans.
- Firms must report security incidents and risks. All financial services firms must prepare and implement cybersecurity emergency plans. In the event of any cybersecurity events, the financial services firm must immediately trigger the emergency plan, take remedial measures, and report to the National Computer Network Emergency Response Technical Team, at www.cert.org.cn.
Footnotes
1) The Cyberspace Administration of China (CAC), in a transcript of a press conference on 31 May 2017 (Press Conference Transcript), stated that all provisions of the Cybersecurity Law would become effective despite the lack of implementation regulations. Prior to the press conference, there had been speculation in the media that there would be a delay in the launch of the Cybersecurity Law, including speculation that there would be a grace period of up to the end of December 2018 for critical information infrastructure operators to comply with the data localisation requirements. However, the official position is that all provisions of the Cybersecurity Law are effective from 1 June 2017, with relevant implementation regulations to be enacted within one year thereafter.
2) The term “critical information infrastructure operator” is broadly defined under the Cybersecurity Law as: (a) operators of important industries and areas such as public communication and information services, energy, transport, water, finance, public services, electronic government etc.; or (b) other facilities that, if destroyed, functionalities lost, or data leaked, would seriously harm China’s national security, national economy and people’s livelihood, [and/or] public interest. According to the Press Conference Transcript, the precise scope of what “critical information infrastructure” encompasses is still to be clarified by the CAC and other relevant authorities by way of further guidance documents and standards. As of the writing of this article, such guidance documents and standards have not been published, and it is not entirely clear what types of firms in the financial services industry would be regarded as “critical information infrastructure”. However, given that the authorities would likely consider that there would be huge impact upon China’s economy and public livelihood if financial services firms (e.g., banks, securities trading companies, insurance companies) suffered security breaches in their operations, it is likely that a significant number of firms in the financial services industry might be regarded as “critical information infrastructure”.
3) “Personal information” is defined to cover not only information that may be able to identify a natural person’s personal identity, but also information that may be able to identify a natural person’s activities.
4) The precise scope of “important data” is unclear, and may be clarified by future implementation regulations.
5) While acknowledging that various implementation regulations are still being drafted, the CAC recommended that relevant corporations and institutions self-regulate, including in relation to the data localisation requirement, and ensure that their network activities are compliant with the law.
6) The CAC enacted the Trial Measures for Security Examination of Network Products and Services dated 2 May 2017 (Trial Measures). On 9 June 2017, the CAC announced the first catalogue of network critical equipment and security dedicated products (First Catalogue) that require mandatory certification, and this was retroactively effective from 1 June 2017. The First Catalogue lists four types of network critical equipment and 11 types of network security dedicated products that require mandatory security certification. However, neither the Trial Measures nor the First Catalogue provides for the precise procedures for such security assessment or certification. The CAC has not expressly indicated the responsible institutions for security testing and certification, but existing institutions responsible for security testing of network products in China include the China Information Security Certification Center, China Software Testing Center, and China Information Technology Security Evaluation Center.
7) It is not entirely clear as to the precise type and manner of “consent” that network operators must obtain from data subjects, and whether or not any form of “implied consent” may be acceptable for compliance purposes. It is suggested that pending the enactment of relevant implementation regulations, express consent should be obtained by financial services firms before collection, use and provision of personal information to others, following practices of other international jurisdictions.
