On 9 October, the China Insurance Regulatory Commission (CIRC) released a draft set of rules for information security (the Insurance Cyber Rules).
The Insurance Cyber Rules impose a number of cyber security obligations on insurance companies, requiring them to:
- “give priority to buying secure and controllable hardware and software products” and comply with CIRC and other national standards on information security – to be certified by the authorities;
- store “data” that originates in China within data centres located in China (the draft nevertheless appears to contemplate the transfer of data overseas by international insurance companies, provided that any further processing overseas complies with “relevant Chinese laws”). The draft rules do not specify which kinds of data will be required to be stored in data centres in China;
- use only encryption products that comply with national standards and encryption requirements.
The detailed implementation measures for the CIRC rules have yet to be published. However, the ‘safe and controllable’ requirement is presented in identical terms to the draft provisions released by the China Banking Regulatory Commission (CBRC) earlier in 2015 (see our discussion from 23 March). The CBRC rules were intended to be phased in over five years, with a requirement for regulated entities to purchase and install an annually increasing minimum percentage of equipment and software that had been approved by the regulator. The requirement in the CIRC rules to use encryption products that comply with national standards and requirements also appears to be intended to be phased in over time. In practice, government approvals for products containing encryption functionality are only issued to domestic Chinese vendors. The Chinese encryption regulator does not permit the import of foreign encryption products and does not allow foreign-developed encryption products to be commercially distributed within China. The requirement will therefore amount, in effect, to an obligation on insurance companies to use domestically-sourced encryption products.
The Insurance Cyber Rules also contain a chapter on outsourcing management that largely restates the existing outsourcing regulatory requirements. Insurance companies must develop a comprehensive system to manage, evaluate and deal with the risks involved in outsourcing to third-party information processors. Responsibility for managing the security of an insurance company’s information systems may not itself be outsourced.
The Insurance Cyber Rules apply to all insurance companies legally established in China, including insurance group holding companies and insurance asset management companies, and will apply equally to foreign-invested insurance companies.
For the Chinese version of the Insurance Cyber Rules, please see http://www.circ.gov.cn/web/site0/tab5168/info3975814.htm