China's Cybersecurity Law presents an unprecedented challenge to financial institutions with operations in China: they need to assess their exposure and begin a complex transition, an EY study reveals.


By Wilson Feng, Financial Services Advisory, EY Greater China

For financial institutions with a footprint in the country, China's first comprehensive privacy and security regulation for cyberspace will require the kind of all-systems response last seen in the late 1990s, when companies worked feverishly to upgrade computers and application programs to be Y2K-compliant.

The global Y2K effort, which cost an estimated $300 billion, was considered a one-off, never-to-be-repeated event. But for those who went through Y2K, China's Cybersecurity Law is creating flashbacks.

For foreign institutions operating in China, and for local institutions with overseas operations, the Cybersecurity Law is raising major concerns about the amount and cost of the work required to assess every computer system and ensure it complies.

What Are the Implications for Financial Institutions?

Unlike China's Great Firewall, which controls the inflow of external information into China, the Cybersecurity Law is designed to control the outflow of data. The law, which is still evolving, applies to network operators in general and imposes additional obligations on operators of critical information infrastructure, which puts financial institutions firmly in its scope.

Together with other related legislation, guidelines and industry standards already released or being drafted, the principles-based law establishes a range of new responsibilities. In addition to GDPR-style privacy protections, it brings a growing list of measures and compliance requirements that any financial institution in China has to cope with.

Why Is Complying With Cybersecurity Law So Challenging?

The Cybersecurity Law reflects the broader global trend towards regulating cyberspace activities and countering cyber threats that could undermine public security. Part of its purpose is to bring China in line with global best practices for cybersecurity.

But it does more than that. It is also designed to exert jurisdictional control over data generated in China, and to strongly assert that "within Chinese territory, the Internet is under the sovereignty of China".

This means the Cybersecurity Law comes with an overlay of a specifically Chinese nature, with implications that most Western companies will take time to become familiar with. Compliance will require financial institutions to radically change the way they collect, store, transmit and use data generated in China.

Adding to the challenge, China's legislative and enforcement style, with a law that is written in Chinese, principles-based and reliant on judgment in its application, means the Cybersecurity Law can be complicated for, and easily misunderstood by, Western companies.

Adapting to Operate Under China’s Cybersecurity Law

Depending on the maturity of their existing network security, complying with the Cybersecurity Law will require most financial institutions to:

1. Strengthen network security

2. Introduce content security

3. Establish new security audits

4. Protect personal information

5. Reduce cross-border data transfers

Even though the Cybersecurity Law is still evolving, the Chinese authorities have already begun enforcement actions for violations, including fines of up to RMB 500,000, suspension of business licences and detention.

As a priority, financial institutions need to assess the gaps between the law and their current operations, and create a plan to close those gaps, prioritised by the amount of risk attached to each exposure. Don't be surprised if the body of work eclipses that required for Y2K.