HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches, International/EU Privacy

China Proposes New Cybersecurity Rules for Insurance Industry

On 9 October 2015, the China Insurance Regulatory Commission (CIRC) issued draft Supervisory Rules for Adoption of Information Technology by Insurance Institutions (Draft Insurance IT Rules) for public comment.

The Draft Insurance IT Rules have been issued to replace the 2009 (Pilot) Guidance on Administration of Adoption of Information Technology by Insurance Companies (2009 Guidance) and they build on the requirements set forth in the 2011 (Pilot) Guidelines on the Information System Security Management of Insurance Companies (2011 Guidelines).

The Draft Insurance IT Rules come in the wake of a substantial new body of laws and draft rules in the cyber security arena in China. As may be anticipated, the draft rules carry forward many of the more invasive aspects of China’s emerging cyber security regime, although there are some indications of moderation on some issues. Below we list and discuss some of the new requirements for insurance institutions in the Draft Insurance IT Rules.

Involvement of the board of directors in the management of information technology

Under the Draft Insurance IT Rules, the board of directors must be involved in the management of information technology, including compliance issues, allocation of funding, approval of strategic plans, and ensuring that core systems for customer, financial and product information operate independently within China’s borders. This mandate is the first time that the board of directors of an insurance institution has been given such a specific statutory role. The move suggests that the government is seeking a greater degree of accountability for technology matters within insurance institutions. The emphasis in the Draft Insurance IT Rules is on stepped-up management oversight of the location of processing and on meeting deadlines for implementing the changes the Draft Insurance IT Rules require. The 2011 Guidelines already require that insurers’ server rooms be located in China, so the requirement that core systems operate onshore does not in itself add much to existing requirements.

Appointment of a qualified chief information officer

Under the 2009 Guidance, direct responsibility for IT systems could be assigned either to a chief information officer or to a senior manager. The Draft Insurance IT Rules remove this option and require the appointment of a chief information officer who is given a specific set of statutory responsibilities (see Article 10) and who must meet minimum qualification and background requirements: at least five years’ work experience in technology and three years’ prior work experience in a financial institution, or other experience evidencing that the person has the relevant knowledge and skills.

Storage of information originating in China in data centers physically located in China

The 2011 Guidelines require that insurance institutions locate their server rooms onshore. The Draft Insurance IT Rules add greater specificity by requiring that insurance business data itself, if originated in China, be kept in China. However, the Draft Insurance IT Rules do contemplate that foreign-invested insurance institutions may wish to transfer information outside of China, and the rules do not forbid this; they do re-iterate that such transfers must be done in compliance with Chinese law. For personal information, this ordinarily means with user consent: the clearest guidance on this point is a non-binding standard which requires the express consent of the individual before his or her personal information is transferred to a recipient overseas.

Priority purchasing and increased use of secure and controllable hardware and software products

“Secure and controllable” has become a regulatory buzzword in China, having been used in China’s National Security Law (passed on 1 July 2015) and in draft technology regulations put forward by the China Banking Regulatory Commission (CBRC), China’s banking regulator, in December 2014. The phrase draws its tone from suspicions associated with the use of foreign technology by strategically important Chinese industries. From an international perspective, the terminology raises concerns that “secure and controllable” may in practice mean favouritism of domestic products and indigenous innovation over foreign technology products. We expect this aspect of the Draft Insurance IT Rules to draw significant commentary, given industry reliance on foreign technology and the costs and risks involved in procuring alternatives.

Incremental use of domestic encryption algorithms in step with the scheme laid out for China’s finance sector

Encryption is seen as a key aspect of the “secure and controllable” concept and so there is a specific provision in the draft rules addressing it. As foreshadowed by the CBRC’s draft rules, the Draft Insurance IT Rules would place insurance institutions on the same schedule for transitioning to domestic encryption technologies as the financial sector.

Value and risk assessments for cloud services

Insurance institutions are already permitted to outsource technology capabilities to capable providers, but the Draft Insurance IT Rules are the first legislative instrument in the insurance field to specifically refer to the use of cloud services. The headline point here is that the use of cloud services is permissible, but insurance institutions have a duty to carry out adequate cost/benefit, security and risk assessments for cloud solutions and conduct adequate due diligence into cloud service providers before employing cloud services. Particular focus must be given to the security of sensitive information and risk factors associated with system and data transfers.

External audits of technology functions at least every two years

CIRC previously encouraged external audits of the technology functions of insurance institutions. Under the Draft Insurance IT Rules they are required, at least once every two years.

Conclusions – new rules’ overall significance

As alluded to above, it is important to put the Draft Insurance IT Rules in the context of the rapidly developing landscape of technology regulation in China. Over the last year, China has passed a National Security Law and put forward a draft cyber security law, both of which incorporate similar approaches to “secure and controllable” technologies and support a push towards enhanced state access to information and data localisation. Both of these developments apply across all industry sectors. The Draft Insurance IT Rules follow the CBRC’s lead in making specific application of these policies to insurance, an industry of critical importance to China’s financial system and national economy.

Some of the measures proposed in the Draft Insurance IT Rules have drawn controversy when presented in the context of these separate regulatory developments. Much of what is proposed will likely be criticised for being invasive and unnecessarily prescriptive of businesses’ choice of technology products and services, for introducing potentially burdensome or difficult safety certification regimes, for mandating loosely defined cooperation with state authorities, and for restricting the flow of data across China’s borders. While part of the criticism is directed at the potential for increased cost in shifting to compliant technologies and the practical risk of using less robust and less tested alternatives, there are obvious geopolitical dimensions to these developments, with government access to data being a headline issue on many fronts globally. There are also concerns about technology industry protectionism and the possibility that the rules will, either by design or in practice, favour the adoption of domestic Chinese technologies over foreign technologies. There are signs, however, that the Draft Insurance IT Rules represent some degree of moderation on these headline-grabbing issues. For example, the rules recognise cross-border data transfers by foreign-invested institutions, and propose that the adoption of secure and controllable technology and domestic encryption be phased in over time. The relatively short period allotted for public comments on what is a fairly lengthy regulation may be an indication that the authorities are confident that the draft reflects an adequate balancing of interests.