On June 1, 2017, China’s Cybersecurity Law went into effect, an important milestone in China’s efforts to establish strict rules for cyber governance. The law did not appear out of nowhere: China had already taken steps to strengthen information security, for example with the white paper The Internet in China, published in 2010, which served as an early statement of the country’s policy on internet use. The Cybersecurity Law goes further, turning such policy into binding obligations and marking a significant step in China’s efforts to combat cybercrime.
Despite its passage and enactment, the Cybersecurity Law is still surrounded by uncertainty. Because its requirements are ambiguous and its terminology broadly defined, some enterprises are concerned about the law’s potential impact on their operations in China, while others worry that it will create trade barriers for foreign companies in the Chinese market.
Adding to the confusion, the public is still awaiting official guidelines from the Cyberspace Administration of China (CAC) on how the Cybersecurity Law is to be interpreted. Some have begun to appear: on April 11, 2017, the CAC released for public comment the Draft Security Assessment Measures for Cross-Border Transfer of Private Information and Important Data. The Draft Measures supplement article No. 37 of the Cybersecurity Law and offer insight into how the Chinese government plans to manage the flow of private information and important data across borders.
Overview of the Cybersecurity Law
Consisting of 79 articles in seven chapters, the Cybersecurity Law is exceptionally wide in scope. It provides an overarching framework for the regulation of internet security, the protection of private and sensitive information, and the safeguarding of national cyberspace sovereignty and security. Like the most commonly used cybersecurity standards, such as the Cybersecurity Framework of the National Institute of Standards and Technology (NIST) and ISO/IEC 27001 (and the wider ISO 27000 family), the Cybersecurity Law sets requirements for network products, services, operations and information security, as well as for monitoring, early detection, emergency response and reporting. On the protection of data privacy, the Cybersecurity Law resembles data-privacy laws and regulations in other jurisdictions. Its requirements related to national cyberspace sovereignty and security, however, have no real counterpart elsewhere.
Affected Organizations and Key Requirements
The Cybersecurity Law expressly applies to network operators and critical information infrastructure (CII) operators; both terms recur throughout the law. “Network operator,” as defined in the law’s supplementary provisions, covers owners and administrators of networks as well as network service providers, which could apply to almost any business in China that owns or administers a network. Because the term is so loosely defined, the Cybersecurity Law may be interpreted to encompass a wide set of industries beyond traditional information technology, internet service providers and telecommunications companies.
It is therefore safe to assume that any company, regardless of its size and whether it is domestic or multinational, that operates a network in China (including websites and internal and external networks) to conduct business, provide a service or collect data could very likely be in scope.
Although the CAC has yet to issue further guidance on what counts as CII, the law itself names a wide range of sectors, including but not limited to communications, information services, energy, transportation, utilities, financial services, public services and government services. In general, the requirements for network operators and CII operators share the same objectives, but the requirements for CII operators are more stringent. The differences are outlined below.
Four of the seven chapters in the Cybersecurity Law outline its major requirements: chapter three (network operations security), chapter four (network information security), chapter five (monitoring, early warning and emergency response) and chapter six (legal liability). Each is discussed in turn.
Network Operations Security
Chapter three of the Cybersecurity Law is divided into two sections: ordinary provisions, which apply to all network operators, and operations security for CII, which applies to CII operators. Notable requirements of each section include the following:
Section 1: Ordinary Provisions
No. 22 & No. 23
- Providers of network products and services that collect user information must disclose this to users and obtain their consent before collecting it.
- Critical network equipment and specialized cybersecurity products must meet national standards and pass security certification or testing by a qualified body before they can be sold or provided.
* This is not an exhaustive list.
Compared with other security standards, article No. 24 is unique: it requires network operators to verify a user’s real identity before signing a service agreement or providing service. The services covered include, but are not limited to, network access, landline and mobile telephone services, instant messaging and other internet services.
Section 2: Operations Security for CIIs
No. 34
- Set up a dedicated security management body and appoint a person responsible for security management, and conduct security background checks on personnel in key positions.
- Periodically conduct cybersecurity education, technical training and skills evaluations for employees.
- Conduct disaster-recovery backups of critical systems and databases.
- Formulate emergency response plans for cybersecurity incidents and periodically perform drills.
No. 37
- CII operators must store within mainland China the private information and important data they collect or produce while operating in China.
- If such data genuinely needs to be transmitted outside of China for business reasons, a security assessment must first be conducted in accordance with measures formulated by the state cyberspace administration together with the relevant departments of the State Council.
No. 38
- A cybersecurity risk assessment must be conducted at least annually, either by the CII operator itself or by a third-party vendor.
- The assessment report, along with remediation plans, must be submitted to the department responsible for the security protection of CII.
No. 39 (duties the law assigns to the state cyberspace administration, coordinating with relevant departments, rather than to operators)
- Carry out spot checks on the cybersecurity risks of CII.
- Regularly organize CII operators to conduct cybersecurity emergency drills.
- Promote the sharing of cybersecurity information among relevant departments and CII operators.
- Provide technical support and assistance for cybersecurity emergency management and recovery.
* This is not an exhaustive list.
Although article No. 37 of the Cybersecurity Law applies only to CII operators, the Draft Measures extend the cross-border requirement to all network operators, and direct other individuals and organizations to follow them by reference. The Draft Measures give more detail on what is expected, including but not limited to the following:
- Network operators must conduct a self-assessment of security before transmitting data across borders.
- The assessment must consider the quantity, type, scope and sensitivity of the data, as well as the security measures of the data recipient and the risk of the data being leaked, damaged or misused after transfer.
- The assessment of cross-border transfers must be repeated at least annually, and again whenever the purpose, scope, type or recipient of the data changes materially.
- Where certain conditions are met (for example, large volumes of personal data, or data in sensitive sectors), the network operator may not rely on a self-assessment but must report to its industry regulator, which organizes the security assessment before the transfer may proceed.
Chapter four of the Cybersecurity Law pertains to network information security, with a focus on the protection of private information. Private information, as defined in the law’s supplementary provisions, covers any information recorded electronically or by other means that can be used, alone or in combination with other information, to identify a natural person, including name, date of birth, identity document number, personal biometric information (such as fingerprints, facial images and retina scans), address, telephone number and similar personal details. Selected requirements from this chapter are:
- Private information collected shall not be disclosed, tampered with, damaged or provided to others without the consent of the person it concerns (unless it has been anonymized so that it cannot identify a particular individual and cannot be restored).
- Technical and other measures must be taken to keep private information secure. If private information is leaked, damaged or lost, remedial measures must be taken immediately, and the affected users and the relevant authority must be notified promptly.
* This is not an exhaustive list.
The Cybersecurity Law’s requirements on data privacy are very similar to data-privacy regulations in other jurisdictions, including Hong Kong’s Personal Data (Privacy) Ordinance.
Monitoring and Response
Chapter five of the Cybersecurity Law highlights the importance of having an appropriate cybersecurity governance body to monitor, detect and respond to security incidents. In addition, an investigation and assessment is to be conducted following an incident to determine its impact and damage. Articles of note from this chapter include:
- CIIs are required to develop a cybersecurity incident response plan and conduct drills periodically.
- Classification of cybersecurity incidents are required based on impact and risk level, and an appropriate cybersecurity incident response plan must be developed based on classification.
* This is not an exhaustive list.
This chapter is very similar to the corresponding requirements of the NIST Cybersecurity Framework and ISO 2700x, except that both of those standards are far more prescriptive about what an incident response capability must contain.
Chapter six of the Cybersecurity Law outlines the penalties for violating the law. Penalties include monetary fines and legal liabilities for both individuals and enterprises. Monetary fines range from RMB 5,000 to RMB 1,000,000, while other sanctions include suspension of business operations, closure of websites, revocation of business licenses or operating permits, removal of responsible individuals from office, and criminal liability for responsible parties. For instance, violation of article No. 37 (discussed above) or of article No. 26 (which governs cybersecurity certification, testing and risk-assessment activities and the public disclosure of vulnerabilities and attacks) can lead to suspension of business operations or revocation of the business license.
Immediate Impact on Regulatory Compliance Activities
Shortly after the Cybersecurity Law went into effect, regulators began invoking it in investigations across various industries and enterprises. Among those under investigation under the law at the time of writing are some of China’s biggest social media platforms: Tencent, Baidu and Sina Weibo. The three internet giants are being investigated for potential violations of the Cybersecurity Law, specifically their alleged failure to control users who posted prohibited content. Such investigations fall under the national cyberspace sovereignty and security provisions. Other reported cases on different grounds (e.g., articles 21, 24 and 47) have resulted in monetary penalties or warnings to remediate the violations within a given period.
Overall, organizations that operate in China, whether domestic or international, should take a closer look at the Cybersecurity Law to ensure that their current practices are in line with the regulatory requirements. Actions that companies should consider as they determine how to comply with the Cybersecurity Law include the following:
- Take stock of how information is collected, processed and stored, including private information and data that may be deemed important to national cyberspace sovereignty and security.
- Assess cybersecurity and privacy risks and threats in order to focus cybersecurity efforts on the most critical risks and threats.
- Strengthen overall security governance, especially security policies and procedures.
- Evaluate business processes to ensure that proper controls are in place for the collection, use and storage of private information.
- Develop clear roles and responsibilities for cybersecurity and privacy management.
- Set up a security and privacy incident monitoring system and appropriate reporting mechanisms.
- Execute periodic cybersecurity assessments.
- Ensure proper safeguards of private and important information transmitted outside of China’s borders (including security assessment).
- Design a proper security incident response plan and perform periodic drills.
For companies already in compliance with international cybersecurity standards (such as ISO 2700x and NIST’s Cybersecurity Framework) and data-privacy regulations, the good news is that much less work will be required to adhere to the Cybersecurity Law. These companies will still need to attend to the requirements related to national cyberspace sovereignty and security, however. Furthermore, for Chinese subsidiaries of multinational enterprises, the data residency requirement of article No. 37 may require redesign of certain application systems and infrastructure so that data collected in China is stored there.
Many well-established multinational enterprises face the same challenge wherever they operate abroad: they do not know what data is being collected, how it is being used or where it is located, which prevents them from establishing a solid baseline for their cybersecurity efforts. With the Cybersecurity Law, it becomes even more critical for companies to review their current operations, especially those involving data, to ensure compliance with the local regulation. At the end of the day, one cannot follow the correct procedures without being educated on the latest regulations.
How Protiviti Can Help
A recent Forbes article highlighted that the role of cybersecurity specialists constitutes “the fastest-growing job with a huge skills gap” and goes on to note that the “Information Systems Audit and Control Association (ISACA) foresees a global shortage of two million cybersecurity professionals by 2019.”
Recognizing that hiring a full-time chief information security officer and building up a security team can be difficult and costly, Protiviti works with audit executives and top management at companies of all sizes, public or private, to assist them with their cybersecurity needs – from strategic advice around structure and objectives to the development and implementation of tools and processes with subject-matter expertise.
The Internet in China, People’s Daily Online, June 2010.
Cyberspace Administration of China, “Draft Security Assessment Measures for Cross-Border Transfer of Private Information and Important Data,” April 11, 2017 (in Chinese).
Jeff Kauflin, “The Fast-Growing Job With A Huge Skills Gap: Cyber Security,” Forbes, March 16, 2017.