China’s Cybersecurity Law came into force on 1 June 2017, despite speculation that there would be a delay in its launch.1 The new law covers a wide range of activities relating to the cyberspace, including personal data protection and security, hacking, malicious software prohibition, handling of emergency network situations, and data localisation. Many of these regulations affect the operation of financial services companies in China. There are hefty penalties for breaches, including fines of up to RMB1 million (approx.. US$150,000) and confiscation of monies illegally obtained for certain offences.

The following are key points to note as firms prepare to be compliance ready.

  • Financial services firms would be regarded as “network operators” within the purview of the Cybersecurity Law, and likely would be regarded as “critical information infrastructure operators” as well. Many of the Cybersecurity Law requirements apply to “network operators” – broadly defined as “owners of networks, administrators or managers of networks, and network service providers”. The term “network” refers to “a system that is formed by computers or other information terminals and related equipment for collecting, storing, transmitting, exchanging, and processing information according to certain rules and procedures”. Financial services firms that operate or administer intranets, servers or some other types of network systems, would be regarded as “network operators” under the Cybersecurity Law, and accordingly would need to comply with relevant requirements concerning “network operators”.In addition, financial services firms are likely to be categorised as “critical information infrastructure” – defined to include operators of important industries and areas such as “finance”.2 As a “critical information infrastructure” operator, a firm would be subject to certain further obligations under the Cybersecurity Law.
  • Firms conducting critical information infrastructure operations need to comply with data localisation requirements. Under these requirements, critical information infrastructure operators need to store within Mainland China all “personal information”3 and “important data”4 collected and generated in Mainland China. In case of business needs, and if this data is to be provided outside Mainland China, a security assessment has to be obtained prior to the provision in accordance with relevant regulations. The CAC has explained that the purpose of the data localisation requirement is to maintain network security and protect public interest in Mainland China, not to restrict cross-border data flow or international trade.As at the date of this article, the relevant regulations on security assessment have not been enacted – a draft regulation on security assessment for provision of personal information and important data out of Mainland China was issued for consultation on 11 April 2017 and is pending approval and enactment.5 Until the regulation is enacted, it would be prudent for financial services firms to conduct very careful analysis of compliance risks before providing any personal information or important data collected and generated in Mainland China outside Mainland China.
  • Firms that procure network products and services, particularly those relating to national security, critical information infrastructure and network security, must comply with National Standards and apply for security assessment. Firms with network products and services must comply with the relevant compulsory requirements of national standards, and ensure that they do not contain malicious tools or processes. When the network products, services and information systems may impact upon China’s national security, firms must also ensure that all such products or services have properly undergone network security assessment in accordance with the relevant regulations, and must sign confidentiality agreements with providers of network products and services. In addition, when financial services firms procure network products that are categorised as “network critical equipment” or “network security dedicated products”, such firms must ensure all such products have duly obtained security certification in accordance with the relevant regulations.6
  • Firms must comply with personal data protection requirements. All financial services firms must prepare personal data collection policies and/or statements setting out the purpose, manner and ambit of the collection and use of any personal information. Consent7 must be obtained from the person from whom the personal information is collected, covering the collection, use and provision of such personal information to any other person. The personal data collection policy and statement must comply with principles of legality, properness and necessity. Personal information unrelated to the service provided must not be collected. Personal information may not be provided or sold to any other person, except with consent from the person from whom personal information was collected, or if the data is irrevocably anonymised. Financial services firms must also provide avenues to entertain requests for deletion or amendment of personal information in accordance with the Cybersecurity Law.
  • Firms must implement security measures and maintain logs of network security events. All financial services firms must implement security measures, categorise data, backup and encrypt important data (not precisely defined under the Cybersecurity Law), supervise and record network operation status and technical measures taken of network security events, and maintain logs of network activities of at least the prior six months. Such firms must also keep disaster backups of important systems and databases, and conduct at least yearly security risks assessments and regular drills of cybersecurity emergency plans.
  • Firms must report security incidents and risks. All financial services firms must prepare and implement cybersecurity emergency plans. In the event of any cybersecurity events, the financial services firm must immediately trigger the emergency plan, take remedial measures, and report to the National Computer Network Emergency Response Technical Team, at