
Potential Risk for Financial Firms in China’s New Draft Cybersecurity Rules: Mandatory Data Storage, Sharing With CSRC

A leading lobbying group in the Asia Pacific region is raising a warning about China’s proposed new cybersecurity rules for financial firms, sending a letter to the China Securities Regulatory Commission (CSRC) outlining its concerns. The letter has been seen by Reuters.

The Asia Securities Industry and Financial Markets Association (ASIFMA), a Hong Kong-based trade association with over 165 members, has raised concerns about the level of access that firms doing business in China would be required to grant the regulator. Under the draft rules, the CSRC would require financial firms to allow the regulator to perform regular testing of their systems, to maintain a centralized data backup, and to share customer and internal data upon request.

Cybersecurity rules could lead to data breaches, privacy invasion, lobbying association warns

The ASIFMA raises the warning as financial firms of all sorts are aggressively expanding their presence in China. China began increasing access to its markets for foreign firms in recent years, culminating in allowing outside companies to purchase stock index options and commodity derivatives late in 2021. The likes of JPMorgan, Morgan Stanley and Goldman Sachs have all since made moves into the country.

However, another trend for the Chinese government in 2021 was strict limits on its domestic firms sharing data with, or listing IPOs in, other countries. While China does not want foreign firms moving data out of the country, it does appear to want full access to whatever comes in.

The CSRC’s new cybersecurity rules are not yet final, having just completed a month-long public consultation. The regulator said that the ASIFMA letter was received two days too late to be included in the process, but that the feedback would be considered and that it would remain in communication with impacted financial firms.

Financial firms raise concerns about massive data center

One of the central concerns for financial firms is the requirement that a central backup data storage center be set up for their sensitive data. While the system is only supposed to be available to Chinese government regulators, a single repository that aggregates sensitive data from many firms is another place for leaks and breaches to occur, and an unusually high-value target for hackers and scammers. The system could also end up absorbing data that originates overseas; businesses in the country already face increased government scrutiny of any domestic data they handle, but most Western companies that choose to operate there clearly separate their Chinese customers’ data from that of customers in other parts of the world, so that they can stay in compliance without exposing the data of foreign customers.

On the subject of hacking, financial firms operating in the country are also greatly concerned about the provision of the cybersecurity rules that would allow the CSRC to regularly test their systems. This includes unannounced system scanning and penetration testing, as well as the possibility of simulated cyber attacks. Unexpected tests of this nature could disrupt regular business operations, and the firm would have no advance opportunity to distinguish regulator-run activity from a genuine attack.

Investment banks, asset managers, and futures companies operating in China will all be subject to the new cybersecurity rules. The country has established a pattern of gradually inviting foreign financial firms in since 2017, when pressure from the Trump administration led to the relaxing of rules about foreign ownership of banks and securities firms. But Western companies have also shown hesitance during this time, as it was made clear from the beginning that they would be subject to the same scrutiny and cybersecurity rules that the government applies to its domestic firms.

China’s interest in inviting foreign financial firms is to bring needed industry expertise into the country, as well as sources of capital for smaller businesses that have historically struggled when only given the option of going to state-owned banks. The country’s moves in 2021 were a mixed bag for the industry, however; foreign ownership possibilities were expanded, but in addition to the stricter cybersecurity rules new limits were also placed on how much money could be transferred in from overseas and how many loans foreign banks were allowed to issue.

Businesses raised similar concerns in 2019 when the Chinese government began heavily revising in-country cybersecurity rules, with foreign firms asked to use storage located in the country and technology made by Chinese companies. The approach is uniquely invasive, and has caused some companies to balk at keeping a presence inside the country in spite of the vast market there to be tapped. The Ministry of Public Security already has a great deal of leeway to inspect foreign firms if a cyber attack occurs or if they are suspected of being involved in some sort of violation of the law. This creates an uncomfortable situation for foreign companies, as Beijing has been known to support and even directly engage in theft of trade secrets that could bolster the country’s economy or military capability.