A new era for Cybersecurity in China
Cybersecurity Law enacted and made effective on 1 June 2017
On 7 November 2016, the 24th session of the Standing Committee of China's 12th National People's Congress enacted the Cybersecurity Law, which took effect on 1 June 2017. The enactment of the Cybersecurity Law provides a legal basis for enforcing cybersecurity requirements and commences a new era of cybersecurity in China.
The Cybersecurity Law comprehensively and systematically establishes the cybersecurity protection obligations of the various parties involved, including the relevant authorities, network operators and network users. Furthermore, it provides a fundamental security framework for network infrastructure, operations, data and information. In general, there are six aspects to highlight:
- The Cybersecurity Law ascertains the principles of cyberspace sovereignty;
- It defines the security-related obligations of network product and service providers;
- It clarifies the duties of network operators over network security;
- It further enhances the rules for protection of personal information;
- It establishes a framework of security protection for Critical Information Infrastructure; and
- It establishes regulations pertaining to cross-border transmissions of important data by Critical Information Infrastructure.
To comply with the Cybersecurity Law, enterprises may encounter the following key challenges:
- Wide coverage of Critical Information Infrastructures, and stringent requirements for operational security
Based on the current definitions issued by the Office of the Central Leading Group for Cyberspace Affairs, Critical Information Infrastructures can be categorized into websites, platforms and production businesses. Beyond influential organizations that affect the national economy and people's livelihood, the following criteria may bring most information infrastructures in the financial, Internet and consumer industries into the scope of Critical Information Infrastructure: (1) websites with more than one million daily average visits; (2) infrastructures whose compromise in a cybersecurity incident could leak the data of more than one million people; (3) infrastructures with more than 10 million registered users, or one million active users; and (4) infrastructures with daily average transaction or trade amounts of more than 10 million RMB.
The Cybersecurity Law stipulates stringent requirements for operational security of the Critical Information Infrastructures, including, among others, security governance structure, personnel security expertise and awareness, data classification, system and process flow, protection of security technologies, monitoring of security status, disaster recovery, and cybersecurity incident response framework. It will be a tremendous challenge for organizations to enhance their levels of operational security in a short period of time.
- Personal information protection framework to clearly define the policies and procedures
Chapter 4 of the Cybersecurity Law specifies the requirements, duties and responsibilities for personal information protection across the full data lifecycle, from collection and usage to storage and deletion. It requires network operators to establish a comprehensive personal information protection system. Considering that China's laws on personal information and privacy protection are less developed, and that awareness of these issues is lower, enterprises may find it challenging to establish such an information protection framework.
- Limitation on cross-border transmission of key data within Critical Information Infrastructure
Article 37 of the Cybersecurity Law states that "personal information and other important business data gathered or produced by critical information infrastructure operators during operations within the mainland territory of the People's Republic of China, shall store it within mainland China. Where due to business requirements it is truly necessary to provide it outside the mainland, they shall follow the measures jointly formulated by the State network information departments and the relevant departments of the State Council to conduct a security assessment; but where laws and administrative regulations provide otherwise, follow those provisions."
Such a policy will have a significant impact on multinational enterprises with operations in China. Once an information system is classified as Critical Information Infrastructure, its data may no longer be transmitted across the border at will.
The Technology Risk team of Deloitte China Risk Advisory has extensive experience and professional expertise in the cyber security industry. The following services will help organizations enhance their overall cyber security posture and comply with the requirements of the Cybersecurity Law:
Cyber strategy & governance
- Cyber security planning
- Cyber security governance
- Security awareness training
- Cyber risk assessment
- Cybersecurity management
- Big data security management
- Cloud security planning
- Data and privacy protection
- Outsourcing security assessment and management
Security alert services
- Cyber penetration and vulnerability testing
- Security information and event management (SIEM)
- Security Operations Centre management (SOC)
- Cyber Intelligence Centre (CIC)
- Business continuity
- Disaster recovery and backup
- Cyber crisis management