The PRC Cybersecurity Law, which came into force on 1 June 2017, will have a significant impact on companies doing business in China. Insurers are no exception to this. In this article we discuss how the new cybersecurity law will impact the insurance sector.

1. Is it likely that China’s cyber insurance market "take-off" now that a legal framework is in place similar to the US and EU?

Although it is early days, Clyde & Co expects to see more products coming to market which will specifically cover cybersecurity-related risks. These are likely to include products that insure against losses arising as a result of cybersecurity breaches, such as the cost of rectifying damage to computer networks, business interruption losses and so on, and products that indemnify the insured for the cost of defending criminal and civil proceedings arising out of a failure to take proper precautions to safeguard data from cyber threats.

A more gradual increase in products coming on to the cyber insurance market is most likely rather than a "take-off". At present, it is still unclear how the authorities will interpret and apply the new cybersecurity law which came into force in June 2017.

2. Does the new framework go as far as the US and the EU in terms of its coverage?

The EU regulations in relation to cybersecurity are set out in the Directive on Security of Network and Information Systems (the "NIS Directive"). The NIS Directive applies to digital service providers and companies “that provide a service which is essential for the maintenance of critical societal/economic activities”. These includes operators in the energy sector; transport companies using air, rail, water and roads; financial services; healthcare; drinking water supply and distribution; and internet exchange points, domain name system service providers, top level domain name registries and others. The NIS Directive imposes obligations on those organisations to ensure network and information systems are secure from cyber threats and to prevent and minimise the impact of incidents on the IT systems used to provide their services.

US cybersecurity laws are covered by three main cybersecurity regulations - the 1996 Health Insurance Portability and Accountability Act (HIPAA), the 1999 Gramm-Leach-Bliley Act, and the 2002 Homeland Security Act, which included the Federal Information Security Management Act (FISMA). These three regulations mandate that healthcare organizations, financial institutions and federal agencies should protect their systems and information from cyber threats.

By contrast, China's Cybersecurity Law is much more wide ranging. It applies not only to the organisations identified in the NIS Directive and US regulations (which are classified as "Critical Information Infrastructure" operators or "CII's") but to any organisation that operates a computer network in the course of its business. In addition, the Cybersecurity Law arguable goes further than the EU and US laws in requiring organizations to take pro-active steps to comply with the Law. For example, CII's and network operators are required to have mandatory cyber security policies and emergency response plans, appoint a dedicated cyber security officer to oversee the implementation and enforcement of cyber security policies and to co-operate with the authorities in the event of a cybersecurity breach. Further, suppliers of certain network products such as routers, switchers and anti-virus software are required to have their products inspected and certified by the relevant government authorities.

A key feature of the Cybersecurity Law is that personal information collected from users in China cannot be transferred out of China unless a security assessment is undertaken and the user consents. While there are similar provisions in the NIS Directive, the "data sovereignty" provisions in the Cybersecurity Law are arguably more far reaching and the penalties for breach potentially more serious.

3. Is it likely there is more to come from Chinese lawmakers in regards to cybersecurity?

Currently, there are draft regulations dealing with the data sovereignty requirement that are expected to come into force in 2018. There are also likely to be further regulations passed implementing various other aspects of the cybersecurity law.

4. What obstacles do insurers face, in terms of offering cyber risk insurance to businesses in China?

The key obstacle at present is a lack of certainty. As indicated above, at the present time, there is a lack of clarity as to how the PRC Cybersecurity Law will be interpreted and applied by the authorities and the courts. That is, no doubt, making it difficult for insurers to draw up and market comprehensive policies. Until there have been a few enforcement actions and prosecutions under the Law, we expect insurers will be hesitant to offer policies.

Another obstacle may be lack of awareness as to the need for insurance to cover cyber risks. Cyber security is one of those items which often only matters when an issue arises. This, coupled with the complexity of computer systems and the jargon of the IT industry often make it difficult to understand exactly what the risks are and what insurance products might be required to mitigate those risks.

5. Should insurers heed the new rules in terms of their own operations in China?

Insurers collect personal data from a large number of customers and store it on a network of computers. As such, they fall squarely within the definition of a "Network Operator" in the PRC Cybersecurity Law and as such will have obligations under the law to:

  • Develop internal procedures for protecting cybersecurity and appoint and individual to oversee those procedures;
  • Adopt technical measures to prevent cyber-attacks and viruses from endangering cybersecurity
  • Back up and encrypt important data
  • Make emergency response plans to deal with cybersecurity incidents
  • Keep user information confidential
  • Establish and maintain data protection systems to prevent information leakage, damage and loss
  • Respect the user’s right to correction of their data, as well as a right to request deletion of data in the event of a data breach
  • Establish systems for dealing with complaints about information security
  • Assist the relevant authorities to safeguard state security and investigate crimes
  • Monitor information released by users and cease transmission of any information that is prohibited by law