China’s new “rules of the road” for its various industries have now come for foreign financial firms that operate in the country. As part of a broad package of cybersecurity and privacy reforms, the China Securities Regulatory Commission (CSRC) is now proposing that it be allowed regular access to customer data and a schedule of unannounced penetration testing (among other measures).
The proposal has rankled foreign financial firms, which have made big moves into the Chinese market in recent years as regulations about outside ownership have gradually eased. The level of access that China is demanding is more invasive than regulations in any other country in which they operate, but the proposal is still in the “public comment” stage and its eventual impact remains unclear.
Demands for comprehensive data backups, invasive pen testing worry financial firms
China has taken a firm hand with its domestic companies over the past two years, greatly restricting how they can raise money overseas and handle the data of the country’s citizens. Financial firms have been required to comply with the country’s privacy and cybersecurity rules as regards the domestic market, but this is a much more invasive request in terms of access to data that originates outside of the country.
One of the controversial elements of the CSRC’s new draft cybersecurity rules is a call for a centralized data storage center to which financial firms operating in the country would have to contribute all of their sensitive data. Ostensibly for backup purposes, this giant silo of customer information would be both highly attractive to hackers and freely accessible to the Chinese government.
Financial firms would also be subject to rigorous, and possibly unexpected, testing of their defenses under the proposed cybersecurity rules. This would appear to include the possibility of invasive penetration testing, of the sort that could disrupt business operations, at whatever time the CSRC deems to be appropriate.
Leaks, data breaches could be inadvertent result of new cybersecurity rules
The draft cybersecurity rules are slated to apply to the futures traders, asset management firms and investment banks that have piled into the country in the last few years as rules about foreign ownership have thawed. The government of China desires the presence of major foreign financial firms (such as JPMorgan and Morgan Stanley) as they bring a level of investment expertise not available from the state-run banks, as well as outside capital to help businesses develop. But it is also making clear that it will not bend for anyone on its terms for data handling, and financial firms that wish to remain in the market may have some tough choices to make.
There are concerns not just about what the government might do with the data, or how its activities might disrupt business operations, but that its requirements for data silos and constant access could end up creating security holes that outside threat actors could discover and walk right through. A letter to the CSRC penned by the Asia Securities Industry & Financial Markets Association (ASIFMA) brought up numerous concerns along these lines, but was dismissed by the regulator for arriving slightly too late to be included in the public consultation period.