On 29 April 2022, the China Securities Regulatory Commission (“CSRC”) released the draft Administrative Measures for Cybersecurity in Securities and Futures Industry (《证券期货业网络安全管理办法（征求意见稿）》) (“Draft Measures”) for public consultation.
In this article, we highlight the key provisions of the Draft Measures and set out our observations.
The CSRC released its interim measures on safeguarding information security as early as 2005, which were later replaced by the currently effective version in 2012. At that time, there were very few laws or regulations on cybersecurity or data protection in China.
Since 2016, a series of important laws and implementing regulations have been enacted, and the current CSRC measures on information security have become outdated. In particular, the Cyber Security Law (《网络安全法》) (“CSL”), the Data Security Law (《数据安全法》) (“DSL”) and the Personal Information Protection Law (《个人信息保护法》) (“PIPL”) have shaped the landscape of the Chinese cybersecurity and data protection regulatory framework. In light of these regulatory developments, the CSRC released the Draft Measures.
Key provisions and observations
The Draft Measures apply to the following three types of entities:
- Core Institutions, referring to the institutions that perform public functions or operate information infrastructures in the securities and futures market, such as securities and futures exchange houses, securities depository and clearing institutions, and futures margin safe deposit monitoring agencies;
- Operational Institutions, referring to securities and futures operation institutions, such as securities companies, futures companies and fund management companies; and
- Information Technology (IT) Service Institutions, referring to institutions that provide development, testing, integration, evaluation, maintenance and daily security management products or services for important information systems of securities and futures business.
Whilst the Core Institutions and the Operational Institutions are the focus of the Draft Measures, suppliers of relevant information technologies should also pay attention to the measures applicable to them.
The Core Institutions and the Operational Institutions are required to implement a series of measures to ensure security of the network system. Key measures include:
- establishing a sound cybersecurity management system that consists of information technology governance, decision-making, management, execution and supervision;
- making the person in charge of the institution (usually the legal representative) primarily responsible for cybersecurity and the person in charge of technology directly responsible for cybersecurity;
- ensuring an adequate number of qualified staff and sufficient funding that are appropriate for the business activities;
- ensuring adequate performance, capacity, reliability, expandability and security of the information system and infrastructure;
- implementing the cybersecurity multi-level protection scheme (“MLPS”), which is the central regime for protecting cybersecurity under the CSL, and reporting the implementation details to the CSRC;
- taking precautionary measures before launching, altering or taking down important information systems;
- notifying investors of the impact and alternatives and other responding measures before suspending or terminating any online services;
- establishing a sound early-warning system;
- establishing data back-up and failure and disaster recovery facilities;
- conducting a pressure test on important information systems at least every six months and also taking part in the industry-wide pressure test organised by the CSRC;
- strengthening its management of supplies of information products and services;
- continuing to improve controllable and autonomously-developed technologies; and
- taking effective measures to protect the institutions’ own intellectual properties.
IT Service Institutions are also required to establish a cybersecurity management system and make a filing with the CSRC if they provide products and services to the Core Institutions and the Operational Institutions.
The Draft Measures also lay down data security measures for the Core Institutions and the Operational Institutions, including:
- establishing and perfecting data security management systems and organisational structure;
- formulating industrial data standards and implementing data multi-level categorised management;
- formulating data access authorisation strategy; and
- establishing a data quality evaluation framework.
Requirements set out in the Draft Measures on processing important data, core data and personal information generally reflect those under the DSL and PIPL. Notably, an information system processing important data must meet the protection requirements of level three or above under the MLPS, which is also consistent with the requirement under the draft Administration Regulations on Network Data Security (《网络数据安全管理条例（征求意见稿）》).
The CSRC may also designate certain institutions to establish data centres for strategic backup in the securities and futures industries, which will provide centralized data backup. The Core Institutions and the Operational Institutions must submit data to these data centres. Although it is not specified, such data may include important data, core data and personal information.
The Draft Measures put great emphasis on incident response, including imposing obligations upon the Core Institutions and the Operational Institutions to:
- establish a cybersecurity risk monitoring and early-warning system;
- prepare cybersecurity incident response plans;
- conduct cybersecurity incident response drills at least once a year;
- establish a cybersecurity incident response mechanism and report the incident to the CSRC;
- launch an internal investigation after the incident and collaborate with the CSRC for investigation; and
- publish alternative or other responsive measures that the parties involved may take.
The CSRC may also require the Core Institutions and the Operational Institutions to notify the investors if the incident harms the interests of the investors.
The concept of critical information infrastructure (“CII”) was first introduced into law by the CSL in 2016. The central government published the Regulation on Critical Information Infrastructure Security Protection (《关键信息基础设施安全保护条例》) (“CII Regulation”) in 2021 to implement the CII protection regime.
The CII is essentially a selected group of network or information systems that are considered of particular importance in key industries or sectors that, amongst others, include the financial industry. Pursuant to the CII Regulation, sectoral regulators will formulate rules for identifying the CII, identify the CII and notify the CII operators. As of the date of this article, we have not seen any public report that a sectoral regulator has formulated the identification rules or identified any CII.
The CSRC dedicates a chapter to cybersecurity of the CII. Whilst most requirements are consistent with those under the CII Regulation, the Draft Measures also require the CII operators in the securities and futures industry to:
- establish a designated cybersecurity leadership group or department that is adequately staffed with cybersecurity specialists;
- conduct expert evaluation before altering or taking down any operation of the CII, which may affect the steady operation of the market;
- ensure adequate system performance and network capacity; and
- establish same-site and multi-site disaster recovery centres.
The Draft Measures authorise the CSRC to issue penalties over violations in accordance with the CSL, the DSL and the PIPL. Where the violations also expose issues with corporate governance, internal control or the principles of business continuity, the CSRC may also issue penalties under the applicable law and regulations on securities and futures.
In addition, the CSRC may take disciplinary actions against the violating institutions and the personnel responsible for the violation.
Notably, the CSRC has the power to require the institutions to provide information and data relevant to cybersecurity management, and the institutions must collaborate. The Core Institutions and the Operational Institutions must prepare a cybersecurity management annual report and submit it to the CSRC by 30 April each year.
The Draft Measures are the CSRC's reaction to tightened cybersecurity and data protection requirements under the regulatory framework established by the CSL, the DSL and the PIPL. The CSRC is joining its fellow financial regulators in implementing these requirements in the financial industry.
The financial institutions in the securities and futures industry as well as their IT suppliers should keep abreast of the development and be prepared for the new requirements that will be implemented in the near future.