14 January, 2019
On December 19, 2018, the China Securities Regulatory Commission (CSRC) formally issued its Administrative Measures on Information Technology of Securities and Fund Business Operators (“Measures”), which include numerous amendments to its May 2017 consultation paper (“Consultation Paper”).
The Measures have been issued against the backdrop of increasing regulation and supervision of information technology and cybersecurity following the promulgation of the Cybersecurity Law. They provide detailed requirements to guide securities and fund business operators in the construction of a comprehensive compliance system for their information technology, and clarify the underlying regulatory principles.
Below, we provide a brief overview of key aspects of the Measures and an analysis of the implications.
I. The Measures apply to key participants involved in the securities and fund sector
Chapter 1 of the Measures stipulates that the Measures apply to the following subjects:
(1) Securities and fund business operators, i.e., securities companies and securities fund management companies;
(2) Information technology service providers, i.e., institutions that provide development, testing, integration, assessment, operation, maintenance or day-to-day security management services for any of the important information technology systems of securities and fund business operators;
(3) Institutions providing special services to securities and fund businesses (“special servicing institutions”);
(4) Commercial banks engaged in the deposit and custody of securities businesses’ customer transaction settlement funds; fund custodians for publicly-raised funds; subsidiaries duly incorporated onshore by securities and fund management business operators; and any institutions established by such subsidiaries.
The scope of application of the Measures is relatively broad, and covers almost all information technology-related market participants involved in the securities and fund sector.
We note that Article 2 of the Consultation Paper specifically lists “special servicing institutions” as being among the applicable subjects, and that Chapter 5 thereof details the provisions specifically applicable to these special servicing institutions. Unlike the Consultation Paper, the final version of the Measures removes the special provisions applicable to special servicing institutions from the main body and stipulates in the ancillary Chapter 7 that special servicing institutions for securities investment funds shall be governed by reference to the Measures. The definition of special servicing institutions has also been expanded to include fund servicing institutions engaging in investment advisory, rating and evaluation, and securities investment advisory institutions. While it appears that the final version of the Measures still includes special servicing institutions, it remains to be seen how such institutions will be governed in practice with reference to the Measures.
II. The Measures lay out the basic requirements for building comprehensive information technology compliance systems for securities and fund business operators
1. Establish a tiered governance structure, comprising the board of directors, senior management team, information technology management committee, and chief information officer
The Measures explicitly require the board of directors of a securities and fund business operator to review and be responsible for the company’s information technology management objectives, and for the senior management team to be responsible for the management and implementation of the board’s information technology decisions.
An information technology management committee or designated special committee shall be established under the company’s senior management team, with responsibility for formulating information technology strategies and reviewing the relevant matters. In addition to the company’s senior management officers and departmental heads, the information technology management committee may also engage external professionals to serve on the committee or as consultants to it.
The Measures raise the responsibility for the effectiveness of the information technology compliance system beyond that of the Consultation Paper, to board level. In addition, for the first time, the Measures stipulate that securities and fund business operators shall designate a person who meets the requirements of the Measures as the chief information officer.
2. Establish comprehensive information technology compliance policies and schemes covering system security, data governance and emergency management
The Measures provide detailed provisions for three aspects of information technology security, namely, information system security, data governance and emergency management.
System security. The Measures require securities and fund business operators to formulate special implementation plans for the launch of, or any material alteration to, an important information technology system, or, where such a system is to be taken out of use, to assess the impact and to formulate a plan for the system outage and for the migration and safekeeping of its data. Securities and fund business operators shall continuously monitor the operation of all important information technology systems, identify any abnormal occurrences, and deal with them in a timely manner. All relevant documents shall be collected and stored so that emergency response and auditing requirements can be met.
Data governance. The Measures impose new requirements on securities and fund business operators to classify any data obtained during business operations or from clients according to the data’s significance and sensitivity, and to adopt appropriate data management arrangements accordingly. The Measures specifically emphasize that securities and fund business operators shall keep records of the usage of any data and client information, and shall continuously monitor their information technology service providers and other related parties to ensure they are performing their non-disclosure undertakings. If an information technology service provider is found to have stored or used such data or information in violation of laws and regulations, the relevant securities and fund business operator shall order the service provider to make the necessary corrections and to destroy such data and information, and shall terminate the business relationship if the service provider refuses to cooperate and make corrections. The Measures also emphasize that securities and fund business operators shall not collect any irrelevant client information, shall not purchase or use data obtained illegally or from an unknown source, shall not intercept or store client information in violation of the law, and shall under no circumstances provide client information to any other institution or individual.
Emergency management. Emergency plans must be formulated. At least one emergency drill must be conducted each year, and the reports of such drills shall be kept on record. The emergency plans shall be subject to ongoing review and improvement, and shall take into full consideration any event that might affect the stable operation of important information technology systems, such as the breakdown of such systems, an outsourced technology service provider’s failure to provide services, significant staff changes or natural disasters. Backup systems shall have the same processing capacity as the original system.
The Measures remove the requirements, originally proposed in the Consultation Paper, that important information technology systems be deployed within the territory of China and that important data and client information collected and produced during business operations be stored within the territory of China. However, under the Cybersecurity Law and other relevant laws, securities and fund business operators, being financial institutions, may still be required to store important data and client information collected and produced by important information systems within the territory of China, and to conduct security assessments before transferring such information and data overseas.
3. Enhancing internal and external auditing to ensure continuous compliance
Chapters 3 and 4 of the Measures provide the detailed auditing requirements to guide securities and fund business operators in their information technology compliance, risk control and information security protection. These include requirements for internal auditing, periodic special auditing on information technology management (not less than once per year), entrusting professional institutions to conduct comprehensive auditing on information technology management (not less than once every three years), tracking and rectifying any problems in a timely manner, and safekeeping auditing reports for no less than twenty years.
4. Improving supervision of entrusted information services
The Measures stipulate that if a securities and fund business operator engages an external information technology service provider, it shall conduct internal inspections of that service provider and its information system, and submit the relevant inspection reports to the CSRC. Before deciding which external provider to engage, the securities and fund business operator shall formulate procedures and plans to replace that provider quickly should certain circumstances arise. A securities and fund business operator and a service provider should enter into both a service agreement and a non-disclosure agreement, with the Measures providing general, in-principle requirements on the content of such agreements.
The obligations that securities and fund business operators assume in accordance with any laws will not be exempted or mitigated due to any entrustment or outsourcing. Securities and fund business operators are expected to clearly, precisely and completely understand the technological structures, business logic and operational procedures of their key information systems, and to ensure that the operation of these systems is always under their control. An information technology service provider shall not be entrusted to independently manage the operation, maintenance and day-to-day security of key information systems, unless the laws and regulations stipulate this or CSRC approval has been granted.
The Consultation Paper required that securities and fund business operators and special servicing institutions should use only those information technology service providers domiciled within the territory of China. The final version removes this requirement, but imposes new conditions on information technology service providers, such as requiring that a service provider, its shareholders and de facto controllers have no recorded violations of laws or regulations, that it has safe, stable technology servicing capacity, an effective emergency response capability, and familiarity with securities and funds businesses.
III. The Measures set out new regulatory requirements for information technology management
1. Regulatory and guiding institutions
The Measures stipulate that, under the guidance of the CSRC, the China Securities Information Technology Services Limited Company shall be responsible for formulating the relevant implementation rules to assist in the filing, monitoring, detection and inspection of information technology. Information technology service providers shall accept the operational guidance of that company and comply with all relevant implementation rules.
2. Supervision and administration
In addition to the above-mentioned requirements on engaging information technology service providers, the Measures require a securities and fund business operator to submit the relevant materials to the CSRC when it establishes or replaces an information system used in the trading of securities or funds, or changes the computer room in which an important information system is located. Special information technology reports shall be submitted to the CSRC every year. The Measures also require information technology service providers to submit materials to the CSRC or its local agencies at regular intervals, and to inform the CSRC immediately of any significant change, any obvious defect or any other circumstance that might have a significant impact.
In addition, the Measures explicitly require that all information technology service providers shall be filed with the CSRC, and only those which meet the relevant requirements will be permitted to provide services to the securities and fund business operators.
IV. Our Observations
Within an environment in which cybersecurity is becoming an increasingly important aspect of risk prevention in financial industries, the Measures provide insights into the CSRC’s thinking on information technology within securities and fund operation institutions.
They aim to provide comprehensive supervision and regulation of all major dimensions of information technology activities through various means, including requirements relating to the set-up of compliance systems, periodic reports, reports for special events and filing of information technology service providers.
In addition, the Measures provide detailed requirements for the security of information systems, such as data management, system separation and the principle of minimum authorization (least privilege). They explicitly require that securities and fund business operators shall not use or purchase client information from unknown sources. In these respects, the Measures are consistent with other approaches to compliance in the areas of cybersecurity and information protection.
It remains to be seen how the Measures will be applied in practice, the scope of their application, the intensity of their enforcement and how they will interact with the Cybersecurity Law, in particular the latter’s provisions on cross-border data transfer and the multi-level protection scheme (MLPS).