5 minute read 1 Feb 2019
Traditional Chinese Dance with Fans in Shanghai

Is China Cybersecurity Law a bigger change than Y2K

By EY Greater China

Multidisciplinary professional services organization

5 minute read 1 Feb 2019

Show resources

  • China Cybersecurity Law. A bigger change than Y2K?

The paradigm-shifting compliance requirements of the Cybersecurity Law present unprecedented challenges for financial institutions in China.

or financial institutions with a footprint in the nation, China’s first comprehensive privacy and security regulation for cyberspace will require the type of all-system response last seen in the late 90s as companies worked feverishly to upgrade computers and application programs to be Y2K-compliant.

The global Y2K effort, which costs US$300 billion, was considered a one-off, never-to-be-repeated event. But, for those who went through Y2K, China’s Cybersecurity Law is creating flashbacks.

For foreign institutions operating in China and local institutions with overseas operations, the Cybersecurity Law is raising major concerns about the amount and cost of the work required to assess all computer systems to ensure compliance.

Implications of the Cybersecurity Law for financial institutions

Unlike the Great Firewall, which controls external information inflow into China, the Cybersecurity Law is designed to protect data outflow. The law, which is still evolving, applies to operators of critical information infrastructure, putting financial institutions firmly in its scope.

Together with a dozen other related legislations, guidelines and industrial standards already released or being drafted, the principles-based Law establishes a range of new responsibilities for financial institutions.

In addition to GDPR-style privacy protections, its long and growing list of measures, standards and compliance requirements mean that any financial institution with operations in China may need to:

Why is complying with the Cybersecurity Law so challenging?

The Cybersecurity Law reflects the broader global trend to regulate cyberspace activities and counteract cyber threats that could undermine public security. Part of its purpose is to bring China in line with global best practices for cybersecurity. But it does more than that. It is also designed to exert jurisdictional control over data and content generated in China – to strongly assert, “within Chinese territory, the Internet is under the sovereignty of China”.

This means that the Cybersecurity Law comes with an overlay of a specifically Chinese nature, with implications that most Western companies would take time to be familiar with. Compliance will require financial institutions to radically change the way they collect, store, transmit and use data that is generated in China, for example:

· It introduces new data categories

The Cybersecurity Law focuses on the nature of flow of information generated in China, with a strong emphasis on, not just “personal information”, but “important data” – a new category of data for Western enterprises. China regards information to be “important” if it relates to anything likely to affect national security, the broader economy or the public interest.

Important data will be different in different industries. For financial institutions, it’s likely to cover business transaction data with material impact to the macro economy. But in China, what constitutes important information is likely to be decided by the authorities on a case-by-case basis.

· It introduces a data localization requirement

Financial institutions now have to locally store any "personal information" and "important data" collected within China, unless the business passes the Government’s security assessment. To avoid violating this requirement, institutions that currently transmit data to overseas headquarters will need to restructure their mechanisms regarding data transfer, building in mechanisms to perform the necessary assessment. The criteria for security assessments are still being developed.

· It comes with strict and wide-ranging requirements

The Cybersecurity Law extends to information security, communication security, computer security, automation and control system security. And its requirements drill right down to the network hardware level. Certain network equipment and cybersecurity products must be certified by a qualified establishment and found to be in compliance with national standards.

Adding to the challenge, China’s legislative and enforcement style – which is written in Chinese, principles-based and involves elements of judgment in its application – means the Cybersecurity Law could be complicated for and easily misunderstood by Western companies.

Responding appropriately to the new compliance requirements

Depending on the maturity of existing network security, complying with the Cybersecurity Law will require most financial institutions to do the following:

1. Strengthen network security

Current network security devices may not effectively and efficiently provide the level of network security required under the Law. Institutions will need an orchestrated approach to:

a. Put the right “gates and surveillance” at the application and network architecture levels

b. Standardize and simplify technology stacks

c. Centralize the flow of data packets to provide a complete and transparent view

d. Use security orchestration automation and response (SOAR) tools to pull all the security logs together, diagnose genuine threats and respond quickly

e. Create a business-oriented scorecard so executives can visualize threats and attacks

2. Introduce content security

Institutions need to start monitoring the information in their networks for restricted content. All text, audio and video content must be screened for messages deemed inappropriate. Illegal content must then be removed, recorded and reported. For institutions that record broker-to-client phone calls as part of their advice audit trail, this is already creating enormous challenges.

3. Establish new security audits

Institutions must conduct regular audits of cyber-technology systems and processes, including emergency response protocols. The Law includes specific requirements for emergency response that go above and beyond the standard incident response capabilities in most cybersecurity practices.

4. Protect personal information

Institutions collecting customer information must obtain consent, tell customers about the information’s intended use, notify the Government of breaches and delete or amend personal data on the user’s request.

5. Minimize cross-border data transfer

Multinationals with centralized customer relationship management (CRM), human resources (HR), procurement or other critical business systems will need a strategy for dealing with the data that flows to these central hubs. Some institutions are already considering building local data centers or moving to cloud-based services hosted on China-based data centers.

Even though the Cybersecurity Law is still evolving, the Chinese authority has already begun initiating enforcement actions for violations, including fines of up to RMB500,000, business license suspensions and detention.

As a priority, financial institutions need to assess the gaps between the Law and their current operations and create a plan to close these gaps based on the quantum of risk attached to each exposure.

Don’t be surprised if the body of work eclipses that required for Y2K.

As a priority, financial institutions need to assess the gaps between the Law and their current operations and create a plan to close these gaps based on the quantum of risk attached to each exposure.


Financial institutions need to respond to China’s Cybersecurity Law and assess their exposure.

About this article

By EY Greater China

Multidisciplinary professional services organization