Navigating national and cybersecurity risks in China

It is also worth noting that Articles 24 and 25 of the NSL specifically refer to the need for core technology, critical infrastructure, information systems and data in core areas to be “controllable”. The term is consistent with the proposals in the draft Cybersecurity Law and the CBRC Opinions, which indicate an increased move to regulate the use of technology and the control of information and data held by private companies within China. There is a real fear that this could make it very difficult for businesses to use technology products and software supplied by foreign IT suppliers within their operations in China.

Cybersecurity Law and Anti-terrorism Law

The draft Cybersecurity Law highlights the government's move towards cyber sovereignty through tightened controls on IT networks and data.

For example, Article 19 of the draft states that “critical information infrastructure” and specialized cybersecurity products must pass a security certification or inspection before they can be sold. The national cyberspace authority, together with the relevant departments of the State Council, will draw up the certification requirements and publish a catalogue listing the specific infrastructure and products. The movement towards IT control is also reflected in the now-suspended CBRC Opinions and would not only affect companies' procurement policy but the integrity of their IT infrastructure as well. One of the key concerns of international businesses operating in China is that the use of foreign IT products and solutions may be banned.

The Cybersecurity Law may also require “critical information infrastructure operators” to conduct an annual evaluation of their network security. Such operators traditionally include financial institutions, telecom network providers, energy companies and healthcare firms, but the definition could potentially include any major organization that has a network or system with a massive numbers of users. The results, key risks and any identified corrective actions must be reported to the relevant State Council department. This is a fairly onerous – and potentially costly – undertaking.

Article 31 could also require these operators to retain the data collected from its PRC customers within the territory. Only if it is “really necessary” as a result of “business requirements” may the data be transferred to other jurisdictions. In addition, the information is subject to a mandatory security assessment prior to any transfer. This is a significant departure from current practice, which allows foreign businesses to transfer data out of China with customer consent.

This data storage requirement can make day-to-day operations difficult, particularly for cross-border transactions. Businesses that have shared offshore facilities, such as legal and operational support, may need to consider bringing these operations onshore.

In addition to the draft Cybersecurity Law, the government has tabled a draft Anti-terrorism Law that also regulates the use of technology in China. If passed in its current form, the Anti-terrorism Law would require telecom and internet companies to hand over encryption keys and install backdoors to their software so as to facilitate counter-terror investigations. This may push companies to be more cautious about engaging the services of telecom and internet companies in China. In addition, foreign TMT companies may be reluctant to provide services within the country due to these burdensome requirements.

CBRC Opinions

The CBRC Opinions, which are applicable to all financial institutions in China, were released in late 2014. They require the application of secure and “controllable” technology to strengthen the network security of the banking sector.

They mandated a number of factors to make a technology product “secure and controllable”, such as requiring key IT hardware to meet mandatory security qualifications and acquire government certification before being implemented (similar to the requirements of Article 19 of the draft Cybersecurity Law). This is troubling for a financial institution using a particular IT solution globally that does not meet the necessary requirements or have the relevant PRC certification. It (or potentially its supplier) will need to absorb the costs of obtaining the certification or select another certified supplier (most likely a local one) and use different equipment in its China offices.

Another international concern of the CBRC Opinions was the obligation to submit the source code of certain types of software and hardware to the CBRC. IT vendors are naturally very cautious about disclosing their source code and may be reluctant to supply these types of software and hardware to financial institutions in China. The CBRC Opinions also require IP to be registered, and for IT vendors to have a research and development centre, in China.

The effect of the CBRC Opinions was largely seen to promote the use of local technology to financial institutions in China. U.S. and European financial institutions, as well as a trade group representing 60 technology companies, have protested against the rules.

Financial institutions had begun to work towards meeting these requirements but continued to lobby (with the support of other affected parties) relevant government departments. As a result of this pressure, the CBRC Opinions were suspended on April 13 2015. The official reason given was that they were “not in line with China's national principles and positions” and needed further revision.

While financial institutions may take some comfort from the fact that the CBRC Opinions have been put on hold, similar guidelines will most likely be re-introduced, particularly as they align with the principles under the NSL and the draft laws on cybersecurity and anti-terrorism.

Data and technology control

The consistent use of “controllability” throughout the NSL, the draft Cybersecurity Law and the CBRC Opinions in particular, confirms the government's intention to extend its influence in relation to the use of, and access to, IT networks and equipment in China. It may become very difficult for financial institutions and other multinational companies operating in China to continue to use non-Chinese IT suppliers for its local operations. This could result in the need to use different IT networks, systems and software in the country as opposed to those in its international offices.

The requirement to obtain consent before transferring data outside the territory could also have a significant impact on how financial institutions carry out their business.

It seems to be only a matter of time until further regulations are brought in by the PRC authorities to supplement the NSL. The consultations to implement the draft Cybersecurity Law and draft Anti-terrorism Law continue and the CBRC Opinions will likely be re-introduced in some form that will reinforce the government's authority over data.

MNCs and foreign financial institutions should ensure they make their voices heard whenever possible to prevent these additional laws and regulations from being implemented in their current form. This can take the form of direct lobbying to the PRC authorities, participating in trade groups and lobbying their own national governments to make strong recommendations. This was effective in the initial suspension of the CBRC Opinions, and hopefully will be again in pushing for revisions, if they are to be reinstated at all.

Nigel Stamp, Kirstin McCracken, Hong Kong, and Jing Bu, Beijing, Eversheds