Why is complying with the Cybersecurity Law so challenging?
The Cybersecurity Law reflects the broader global trend to regulate cyberspace activities and counteract cyber threats that could undermine public security. Part of its purpose is to bring China in line with global best practices for cybersecurity. But it does more than that. It is also designed to exert jurisdictional control over data and content generated in China – to strongly assert, “within Chinese territory, the Internet is under the sovereignty of China”.
This means that the Cybersecurity Law comes with an overlay of a specifically Chinese nature, with implications that most Western companies will take time to become familiar with. Compliance will require financial institutions to radically change the way they collect, store, transmit and use data that is generated in China, for example:
· It introduces new data categories
The Cybersecurity Law focuses on the nature of the flow of information generated in China, with a strong emphasis not just on “personal information” but on “important data” – a new category of data for Western enterprises. China regards information as “important” if it relates to anything likely to affect national security, the broader economy or the public interest.
Important data will be different in different industries. For financial institutions, it is likely to cover business transaction data with a material impact on the macroeconomy. But in China, what constitutes important information is likely to be decided by the authorities on a case-by-case basis.
· It introduces a data localization requirement
Financial institutions now have to locally store any “personal information” and “important data” collected within China, unless the business passes the Government’s security assessment. To avoid violating this requirement, institutions that currently transmit data to overseas headquarters will need to restructure their data transfer arrangements, building in mechanisms to perform the necessary assessment. The criteria for security assessments are still being developed.
· It comes with strict and wide-ranging requirements
The Cybersecurity Law extends to information security, communication security, computer security, and automation and control system security. And its requirements drill right down to the network hardware level. Certain network equipment and cybersecurity products must be certified by a qualified establishment and found to be in compliance with national standards.
Adding to the challenge, China’s legislative and enforcement style – which is written in Chinese, principles-based and involves elements of judgment in its application – means the Cybersecurity Law could be complicated for Western companies to navigate and easily misunderstood by them.
Responding appropriately to the new compliance requirements
Depending on the maturity of existing network security, complying with the Cybersecurity Law will require most financial institutions to do the following:
1. Strengthen network security
Current network security devices may not effectively and efficiently provide the level of network security required under the Law. Institutions will need an orchestrated approach to:
a. Put the right “gates and surveillance” at the application and network architecture levels
b. Standardize and simplify technology stacks
c. Centralize the flow of data packets to provide a complete and transparent view
d. Use security orchestration, automation and response (SOAR) tools to pull all the security logs together, diagnose genuine threats and respond quickly
e. Create a business-oriented scorecard so executives can visualize threats and attacks
2. Introduce content security
Institutions need to start monitoring the information in their networks for restricted content. All text, audio and video content must be screened for messages deemed inappropriate. Illegal content must then be removed, recorded and reported. For institutions that record broker-to-client phone calls as part of their advice audit trail, this is already creating enormous challenges.
3. Establish new security audits
Institutions must conduct regular audits of cyber-technology systems and processes, including emergency response protocols. The Law includes specific requirements for emergency response that go above and beyond the standard incident response capabilities in most cybersecurity practices.
4. Protect personal information
Institutions collecting customer information must obtain consent, tell customers about the information’s intended use, notify the Government of breaches and delete or amend personal data on the user’s request.
5. Minimize cross-border data transfer
Multinationals with centralized customer relationship management (CRM), human resources (HR), procurement or other critical business systems will need a strategy for dealing with the data that flows to these central hubs. Some institutions are already considering building local data centers or moving to cloud-based services hosted on China-based data centers.
Even though the Cybersecurity Law is still evolving, the Chinese authorities have already begun initiating enforcement actions for violations, including fines of up to RMB500,000, business license suspensions and detention.
As a priority, financial institutions need to assess the gaps between the Law and their current operations and create a plan to close these gaps based on the quantum of risk attached to each exposure.
Don’t be surprised if the body of work eclipses that required for Y2K.