What does this cover?

The China Insurance Regulatory Commission (the CIRC) has produced a draft set of rules for information security (the Rules). The Rules require insurance companies to meet a number of requirements on the following issues:

  • Compliant encryption tools
  • Secure and compliant hardware and software products
  • Data storage within China
  • Outsourcing management  

We are still awaiting details of the Rules. When in place, the Rules will apply to all insurance companies that are legally established in China. This will include insurance group holding companies and insurance asset management companies.

The Rules are available here (Chinese).

What action could be taken to manage risks that may arise from this development?

Financial services companies should await further details of the Rules.