China's Cybersecurity Law: Critical Information Infrastructure (CII)
As part of our series providing insights into the Cybersecurity Law of the People’s Republic of China (PRC), this fourth installment focuses on the requirements in Section Two, Chapter Three, pertaining to Critical Information Infrastructure (CII) operators. The Cybersecurity Law defines CII as any information infrastructure whose data breach, network compromise, or system malfunction could endanger national security, national strategy, or civil welfare.
The Regulation classifies businesses that fall within 11 industries as critical businesses. These industries include public communications, energy, finance, and public services, among others. To determine whether all or part of their business is classified as a critical business, companies must consider the following:
- Do we have businesses or operations that are in the 11 pre-defined industries?
- Do we have businesses or operations that could be classified as critical businesses according to the definition set by different industry regulatory bodies?
- Do we have businesses or operations that could impact or harm national security, the national economy, or the public interest?
Organisations must identify whether any of their systems may be supporting CII operators that conduct critical business. The following questions can help determine which systems may be considered CIIs:
- Do the systems store and process important data as defined by industry regulatory bodies in mainland China? Examples of important data are listed in the table below.
- How many types of important data do the systems store and process?
- How frequently do systems process data?
- How much revenue is derived from the data processed by the systems?
- What are the consequences when systems are discontinued? For example, what would be the impact on reputation, the economy, lives, social order, or national security?
- How large is the loss or impact within the Maximum Tolerable Downtime (MTD)?
- Are there any alternative ways to run the business without the systems? If so, how sustainable are these alternatives?
| Critical Industry | Critical Business | Important Data |
|---|---|---|
| Medical & Healthcare | | |

* This is not an exhaustive list.
The Regulation provides multiple criteria to determine whether the impact from system damage is severe enough to classify the systems as CIIs.
To begin, companies must consider the following questions on information assets, customers and users, asset values, and incident frequency:
- In terms of number of people and percentage of population, who will be affected by security incidents or data breaches?
- What are the consequences of security incidents or data breaches, such as privacy data or company data leaks?
- How much damage will the company and national security suffer from security incidents or data breaches?
These three factors will help companies assess whether they and their systems are likely to be classified as CII operators and CIIs. Companies classified as CII operators will receive official notifications from the local police or industry regulatory bodies. They must open communication channels with the local police or industry regulatory bodies to confirm the official notification and coordinate the submission of compliance documents. CII operators should maintain regular contact with these organisations to stay up to date on the latest regulatory rules, which are often presented as regulatory opinions, notifications, or even administrative orders.
Once a company is classified as a CII operator and has reported to the respective industry regulatory body, that regulatory body will be responsible for enforcing the company’s CII compliance. When appropriate, the regulatory body may issue additional rules and requirements for the company as long as these do not conflict with the existing laws and regulations of the central government.
The regulatory body can also conduct inspections and assessments in accordance with these additional requirements and rules. If it believes the company is not fulfilling its obligations as a CII operator, it may issue various penalties. Penalties depend on the severity of the violation and may include administrative warnings and ordered rectification, business suspension, license or certificate revocation, and administrative fines.
CII operators face tougher requirements and stricter compliance processes than network operators. Severe consequences may follow if CII operators practice passive compliance, that is, waiting for explicit remediation orders from regulatory bodies. Instead, companies are encouraged to align with key stakeholders and engage in compliance actively.
Considering the complex structure of CII compliance, both in terms of requirements and enforcement, CII operators should adopt an active, or even proactive, approach. An active approach entails identifying gaps between current practices and the laws and regulations in force, for later remediation and rectification. In this situation, compliance is treated as a separate process implemented to satisfy laws and regulations. In general, an active approach is considered good enough for normal compliance, although there may be a deviation between operational procedures and compliance requirements. That deviation, however, is easily exposed by the technical tests and assessments that form part of the compliance process.
A proactive approach means implementing effective security measures in response to all potential security threats and legal concerns, even if those measures are not explicitly stated in the laws or regulations. While more expensive and technically demanding, a proactive approach may be more effective because of its focus on potential technical and legal concerns.
Industry regulatory bodies are authorised by Article 39 of the Cybersecurity Law to initiate a variety of tests and assessments of CII operators. These include on-site inspections and remote penetration testing. CII operators may be informed before the tests and assessments to allow for last-minute preparations, but these warnings are not guaranteed, and organisations should be prepared for surprise inspections.
The best compliance strategy is to always be prepared for sudden assessments. If the actual operating procedures of CII operators differ from their designed procedures, operators will have no time for last-minute preparations. It is important for security policies and procedures to be well designed, documented, and communicated. Frequent spot inspections and reviews, supported by a checklist, will also help ensure that designed procedures are followed, so that good security practices are executed every single day.
Another key factor in ensuring satisfactory assessment results is communication, especially when a company is not familiar with, or is unprepared for, unexpected assessments. A typical mistake is allowing frontline staff to handle inspections directly. This may result in misunderstandings and miscommunication, since frontline staff are often not fully informed about compliance requirements and processes.
Protiviti aids businesses in ensuring that their IT services meet legal requirements and regulatory rules on both national and industry-specific levels. With a team of IT security professionals, compliance experts, auditors, and other professionals, Protiviti keeps track of evolving regulations based on industry innovations, environmental trends, and emerging risks.
Protiviti security and privacy services will evaluate your current compliance against the relevant legal requirements and regulatory rules and develop technical solutions that correspond to your current technology, procedures, and resource capabilities. We will close gaps in your IT technology and processes in line with your budget plan, while preventing compliance activities from disrupting normal IT and business operations.