On October 9, 2015, the China Insurance Regulatory Commission ("CIRC") issued a draft Regulation on Adopting Information Technology by Insurance Companies ("Draft Insurance IT Regulation") for public comment. The Draft Insurance IT Regulation sets out detailed cybersecurity requirements in relation to the corporate governance, data management, IT infrastructure, outsourcing, use of new technology and audits of insurance companies.
Once finalized, the Draft Insurance IT Regulation will replace the current Pilot Guidelines for the Administration on Adopting Information Technology by Insurance Companies issued by CIRC on December 29, 2009 ("2009 Guidelines") and will supplement the Pilot Guidelines for Management of Information System Security of Insurance Companies issued by CIRC on November 16, 2011 ("2011 Guidelines") (the 2009 Guidelines and 2011 Guidelines are collectively referred to as the "Previous Guidelines"). The cybersecurity requirements in the Draft Insurance IT Regulation are more detailed and specific than those in the Previous Guidelines. In addition, the Draft Insurance IT Regulation introduces several new requirements for insurance companies.
We have outlined the key amendments as compared to the Previous Guidelines in the summary below.
Click here to view the table.
This Draft Insurance IT Regulation follows the recent issuance of the National Security Law (effective July 1, 2015) and the Draft Cybersecurity Law (issued on July 6, 2015 for public comment) and is further evidence of the rapid development of the cybersecurity legal regime in China. As the summary above shows, the CIRC has begun to impose more specific IT security rules on insurance companies.
Insurance companies, as well as IT service suppliers serving the insurance industry, should actively keep track of the Draft Insurance IT Regulation. Once it is finalized, a review is recommended to ensure that corporate IT operations and products comply with the then-current cybersecurity requirements.
We also expect regulators in other industries to amend or issue new IT security rules in light of the National Security Law and Draft Cybersecurity Law.