China to strengthen cybersecurity in securities, futures industry

CONTEXT

The CSRC published its Interim Measures on Information Security Protection as early as 2005, which was later superseded by the current version in 2012. At that time, there were very few laws or regulations on cybersecurity or data protection in China.

Since 2016, a series of important laws and implementing regulations have been enacted, and the current CSRC information security measures have become obsolete. In particular, the Cyber Security Law (《网络安全法》) (“CSL”), the Data Security Law (《数据安全法》) (“DSL”) and the Personal Information Protection Law (《个人信息保护法》) (“PIPL”) (for our comments on the PIPL, please click here) have shaped the landscape of China’s cybersecurity and data protection regulatory framework. In light of these regulatory developments, the CSRC has published the draft measures.

KEY PROVISIONS AND COMMENTS

I. Who is subject to the draft measures

The draft measures apply to the following three types of entities:

  1. Core institutions, referring to institutions that perform public functions or operate securities and futures market infrastructure, such as exchanges, securities depository and clearing institutions, and securities and futures margin monitoring institutions;
  2. Operating institutions, referring to securities and futures business institutions, such as securities companies, futures companies and fund management companies; and
  3. Information technology (IT) service institutions, referring to institutions that provide products or services for the development, testing, integration, evaluation, maintenance and day-to-day security management of securities and futures information systems.

While core institutions and operating institutions are the focus of the draft measures, providers of relevant information technology should also pay attention to the provisions applicable to them.

II. Cybersecurity measures

Core institutions and operating institutions are required to implement a series of measures to ensure the security of their network systems. Key measures include:

  1. establish a robust cybersecurity management system that includes information technology governance, decision-making, management, execution and oversight;
  2. make the head of the institution (usually the legal representative) primarily responsible for cybersecurity and the head of technology directly responsible for cybersecurity;
  3. ensure an adequate number of qualified personnel and sufficient financing suitable for business activities;
  4. ensure adequate performance, capacity, reliability, scalability and security of the information system and infrastructure;
  5. implement the multi-level protection scheme (“MLPS”), which is the central regime for protecting cybersecurity under the CSL, and report implementation details to the CSRC;
  6. take precautionary measures before launching, modifying or stopping important information systems;
  7. inform investors of the impact and of alternatives and other response measures before suspending or terminating any online service;
  8. establishment of a robust early warning system;
  9. setting up data backup and disaster recovery facilities;
  10. perform a stress test on important information systems at least every six months and also participate in the industry-wide stress test organized by the CSRC;
  11. strengthen its management of the supply of information products and services;
  12. continue to improve controllable and self-developed technologies; and
  13. take effective measures to protect the intellectual property of institutions.

IT service institutions are also required to establish a cybersecurity management system and file a statement with the CSRC if they provide products and services to core institutions and operating institutions.

III. Data security measures

The draft measures also provide for data security measures for core institutions and operating institutions, including:

  1. establish and refine data security management systems and organizational structure;
  2. formulate industry data standards and implement tiered, categorized data management;
  3. formulate a data access authorization strategy; and
  4. establish a data quality assessment framework.

The requirements set out in the draft measures on the processing of important data, core data and personal information generally mirror those provided by the DSL and PIPL. Notably, information systems handling important data must meet Level Three or higher protection requirements under the MLPS, which is also consistent with the requirement under the proposed Network Data Security Management Regulation (《网络数据安全管理条例(征求意见稿)》).

The CSRC may also designate certain institutions to establish data centers for strategic backup in the securities and futures sector, which will provide centralized backup of data. Core institutions and operating institutions must submit data to these data centers. Although not specified, this data may include important data, core data and personal information.

IV. Cybersecurity Incident Response

The draft measures place a strong emphasis on incident response, including by imposing obligations on core institutions and operating institutions to:

  1. set up a monitoring and early warning system for cybersecurity risks;
  2. prepare cybersecurity incident response plans;
  3. conduct cybersecurity incident response drills at least once a year;
  4. establish a cybersecurity incident response mechanism and report the incident to the CSRC;
  5. initiate an internal investigation after the incident and work with the CSRC for investigation; and
  6. publish alternative measures or other response measures that affected parties could take.

The CSRC may also require core institutions and operating institutions to inform investors if the incident affects the interests of investors.

V. Cybersecurity of critical information infrastructures

The concept of critical information infrastructure (“CII”) was first introduced into law by the CSL in 2016. The central government issued the Critical Information Infrastructure Security Protection Regulation (《关键信息基础设施安全保护条例》) (“CII Regulation”) in 2021 to implement the CII protection regime (for our comments on the regulation, please click here).

CII is essentially a select group of networks or information systems that are considered particularly important in important industries or key sectors, which, among others, include the financial industry. In accordance with the CII Regulation, sector regulators will formulate rules for the identification of CII, identify CII and notify CII operators. As of the date of this article, we have not seen any public reports indicating that a sector regulator has formulated the identification rules or identified any CII.

The draft measures devote a dedicated chapter to the cybersecurity of CII. While most of the requirements are consistent with those of the CII Regulation, the draft measures also require that CII operators in the securities and futures sector:

  1. establish a designated cybersecurity leadership group or department staffed with adequate cybersecurity specialist staff;
  2. carry out an appraisal before modifying or stopping any CII operation likely to affect the regular operation of the market;
  3. ensure adequate system performance and network capacity; and
  4. establish both same-city and remote disaster recovery centers.

VI. Legal liability

The draft measures authorize the CSRC to impose penalties for violations in accordance with the CSL, DSL and PIPL. Where violations also reveal issues of corporate governance, internal control, or business continuity principles, the CSRC may also issue sanctions under applicable securities and futures law and regulations.

In addition, the CSRC may take disciplinary action against offending institutions and personnel responsible for the violation.

In addition, the CSRC has the power to require institutions to provide information and data relevant to their cybersecurity management, and institutions must cooperate. Core institutions and operating institutions must prepare an annual cybersecurity management report and submit it to the CSRC by April 30 of each year.

CONCLUSION

The draft measures are the CSRC’s response to the enhanced cybersecurity and data protection requirements under the regulatory framework established by the CSL, DSL and PIPL. The CSRC joins its fellow financial regulators in implementing these requirements in the financial sector.

Financial institutions in the securities and futures industry and their IT providers need to keep abreast of developments and prepare for new requirements that will be implemented in the near future.