Financial companies to be under the Chinese data cosh
- Compliance with the Cybersecurity Law will require financial institutions to radically change the way they collect, store, transmit and use data that is generated in China.
- Law exerts jurisdictional control over data and content generated in China – strongly asserting, “within Chinese territory, the Internet is under the sovereignty of China”.
On April 29 2022, the China Securities Regulatory Commission (CSRC) released a draft law that seeks to make it mandatory for investment banks, asset managers, and futures companies with local Chinese operations to share data with the Commission, allow regulator-led testing and use a centralized data backup center. The draft Administrative Measures for Network Security in the Securities and Futures Industry was subject to a one-month public consultation period.
Throughout that month, experts, including lobby groups, actively voiced their concerns about the draft law. The Chinese authority’s draft ruling comes at a time when a string of western investment banks and asset managers are expanding their presence in China, either by setting up wholly-owned units or by taking a bigger share in existing joint ventures.
For foreign institutions operating in China and local institutions alike, the latest cybersecurity law is raising concerns about the cost of compliance. Beijing is tightening its oversight of data security, mainly in the tech sector, as part of its wider regulatory crackdown.
The “Administrative Measures for Network Security in the Securities and Futures Industry” would not be China’s first foray into cybersecurity legislation. 2021 proved to be a milestone for data protection and cybersecurity in China, when the Personal Information Protection Law (PIPL), the Data Security Law (DSL) and the Cyber Security Law (CSL) came into effect, together representing the “trident” of the Chinese data protection and cybersecurity regulatory framework. Beyond those three, further rules have since been announced, including this most recent draft. As international law firm Bird & Bird LLP said in an article on Lexology, the draft measures are the CSRC’s response to the tightened cybersecurity and data protection requirements under the regulatory framework established by the CSL, the DSL and the PIPL. “The CSRC is joining its fellow financial regulators in implementing these requirements in the financial industry,” the article reads.
The latest draft measures particularly apply to the following types of entities: Core Institutions (organizations that perform public functions or operate information infrastructures in the securities and futures market), Operational Institutions (securities and futures institutions), and Information Technology (IT) Service Institutions (any provider of IT related services to financial institutions affected).
The third category includes companies that provide development, testing, integration, evaluation, maintenance, and day-to-day security management products or services for important information systems of securities and futures businesses. In brief, any supplier a financial company contracts for anything technological.
Among the measures the draft requires those financial institutions to undertake (“to ensure the security of the network system”) are a requirement to “share data” for “various purposes” and the establishment of a data center for backup, system failure and disaster recovery.
The draft rules also stipulate that the CSRC could conduct penetration testing (simulated cyber attacks against companies’ systems) and system scanning on securities, futures, and fund firms’ IT stacks.
Lobbyists wade in
According to a recent Reuters report, the lobby group Asia Securities Industry and Financial Markets Association (ASIFMA), in a letter addressed to the CSRC dated May 27, expressed its members’ concerns about the draft rules requiring the sharing of sensitive data. For context, the association has more than 160 members comprising leading financial institutions that trade in the region, banks, law firms, and market infrastructure service providers such as stock exchange operators.
The lobby group is concerned that passing on sensitive data will make companies in the sector vulnerable to “hackers and other bad actors.” The open letter to the CSRC states: “This not only poses huge risks to all core institutions and operating institutions on an individual basis, but also brings significant systemic risks for the sector in China and globally given the interconnectedness of the global financial sector, if the data is compromised or leaked.”
The lobby group also flagged concerns from global banks that regulator-led or regulator-commissioned penetration testing poses “real risks to firms due to the potentially disruptive nature of penetration testing and the sensitivity of testing results.” It said, “Testing systems and applications without operational context could create significant disruption to firm operations.”
On the one hand, the Chinese authorities’ stated concern that financial data should be better regulated might be taken with a pinch of salt. On the other hand, global financial institutions rarely embrace regulation of any sort. Both sides have significant motives beyond those that appear in their public statements. For western companies in any sector, the costs of doing business with China are not measured entirely in currency.