The latest battlefield for cybersecurity in China has emerged from a rather unexpected place: the China Insurance Regulatory Commission (CIRC), China’s national insurance regulator. In October 2015, CIRC circulated draft regulations titled Provisions on Insurance System Informatization. The original draft contained many problematic sections that would increase the government’s control over the internet, limit cross-border data flows, and require insurance companies to use only “secure and controllable” IT.
After a backlash from the insurance industry, CIRC circulated a revised draft to the World Trade Organization’s (WTO) Committee on Technical Barriers to Trade in April. Under WTO procedures, the draft is open for comments for 60 days, after which it can be finalized and adopted. It would then come into effect six months later.
Some industry observers worry that the regulator will not make any further modifications during this period, as the proposed date of adoption has been set for the day after the final comment submission date. The provisions would apply to all insurance entities established in China, including insurance asset management companies.
While the provisions contain some positive steps, including allowing companies to use cloud computing, there are several areas of concern:
Data Localization: Data originating in China must be stored within China, effectively imposing geographic restrictions on data flows. According to industry companies, this rule would not lead to greater data security: insurance companies would need to partner with local entities to host their data, yet would bear full responsibility for any breach of that data.
Cross-Border Data Transfer: All international data transfers must be conducted in accordance with relevant Chinese regulations, but CIRC has not yet specified the content or identity of those regulations.
“Secure and Controllable”: The provisions would require insurance institutions to give preference, when procuring informatization products, to those that are “secure and controllable”. The term is not defined, but is widely believed to mean products whose intellectual property is domestically owned and registered. Similar language appeared in, and was later dropped from, guidelines issued by the Chinese banking regulator.
This would affect both commercial and public procurement in a sector that is not commonly treated as “critical infrastructure” in other markets. It may also weaken companies’ global information security programs, since “secure and controllable” products may be incompatible with, or otherwise inferior to, the IT management standards a company applies across all of its operations.
Cryptography: The cryptography requirement would force foreign-invested insurers to implement Chinese algorithms that may differ from those used by their parent companies. Firms rely on international encryption standards to keep systems in different countries interoperable and to ensure that client data is equally well protected everywhere; requiring a different standard in China would mean maintaining a second, separate cryptographic implementation, which adds integration points and raises the risk that a company’s systems could be illegally infiltrated.
Multi-Level Protection Scheme: The provisions set information system security requirements in accordance with the Multi-Level Protection Scheme (MLPS) without specifying how particular insurance industry information systems relate to national security. This would disproportionately impact foreign-invested insurance institutions, whose operations outside China are under no such obligation. It may also restrict procurement to domestic hardware and software products without any relation to China’s essential security interests.
Security Certification: The provisions require insurance companies to obtain certification of their information security management systems from an institution recognized by China. Industry participants are concerned that this would prevent insurance companies from using foreign certification bodies that do not appear on China’s recognized list, which is inconsistent with existing international standards.
AmCham Shanghai will continue to work with insurance companies, the ICT industry and other interested members in pushing for meaningful changes to be made to the draft provisions.