Cybersecurity concerns arising from China’s new Securities Law
Zhong Lun, Shanghai
International securities firms rely on global automated trading systems and big data flowing freely around the globe. China has recently amended its policies to allow foreign investors who operate securities businesses to hold up to 100 per cent of shares in securities firms in China. On the one hand, opening the financial sector calls for global deployment of IT infrastructure and the free flow of data. On the other, cybersecurity becomes a growing concern to both regulators and financial institutions. In fact, cybersecurity has become a crucial part of financial regulation.
In the newly revised Chinese Securities Law, promulgated on 28 December 2019 and effective from 1 March 2020 (the 'New Securities Law'), the changes relating to cybersecurity are of particular note. The law provides that the establishment of a securities company requires, among other factors, qualified operating premises, business facilities and information technology systems. In practice, the Chinese securities regulatory authority conducts periodic onsite inspections to determine whether a securities firm has established and maintained qualified IT systems. Moreover, the law provides that without approvals from the securities regulatory authority and other relevant national authorities, no entity or individual shall provide documents or materials overseas relating to securities operations.
Qualified information technology systems
As far as the security of IT systems is concerned, securities firms must comply with special rules in the financial sector. For example, pursuant to the Measures for the Information Technology Management of Securities and Funds Operators, effective as of 1 June 2019, securities firms shall comply with the requirements of information system security, data protection and emergency management. Securities firms must also comply with general rules regarding cybersecurity such as the Chinese Cybersecurity Law (CSL). Pursuant to the CSL, a securities firm is a network operator which must implement a multilevel protection scheme to safeguard the security of its IT. If the information systems are classified as critical information infrastructure (CII), the operator will be subject to stricter requirements under the CSL.
The New Securities Law does not, however, specify the definition or scope of ‘qualified information technology systems’. Before official clarifications are rolled out, qualified information technology systems could cover every component of the entire IT facility such as servers, cloud servers, databases, operating systems, enterprise resource planning (ERP) systems, office programs, applications, websites and even instant messaging tools.
As such, when entering the Chinese financial market, international securities firms must be prepared to deploy specific information systems in China and for their Chinese subsidiaries to comply with various general and special cybersecurity rules on an ongoing basis. Practically, international securities firms must consider how to localise their global IT systems according to Chinese law and integrate local IT systems into their global IT infrastructure.
Restrictions to cross-border data transfer
The New Securities Law does not prohibit cross-border data transfer per se. However, the export overseas of information relating to securities operation is subject to the China Securities Regulatory Commission’s approval and approval from other applicable authorities of the State Council. Moreover, if the securities firms are classified as CII operators, cross-border transfer of ‘personal information’ and ‘important data’ shall be subject to cross-border security assessment which is subject to government approval. Therefore, the approval of other relevant State Council authorities should include the security assessment for cross-border data transfer.
Practically, the restriction of cross-border data transfer under the new legislation presents a huge challenge to foreign-invested securities firms which heavily rely on global data processing and analysis. The restriction of cross-border transfer of all ‘documents and materials relating to securities business activities’ could mean that global databases of international securities firms will be missing China’s information, if such data export is not approved by Chinese authorities. This may result in limiting international securities firms’ strength in data processing and analysis, unless such global data processing and analysis is undertaken in China.
In addition, the restriction in providing documents and materials relating to securities operation abroad was added in the clause relating to the cooperative mechanism for cross-border regulation in the new Law. This demonstrates the Chinese government’s position on data sovereignty. The restriction, however, could serve as a legal defence against a foreign nation’s long-arm jurisdiction over data collected in China.
For example, under the United States’ CLOUD Act, a US company shall disclose customer data under its possession or control, regardless of whether such data is located within or outside of the US. However, the US company may file a ‘motion to quash’ if the disclosure would create a material risk of breaking a qualifying foreign government’s laws. With the restriction under the New Securities Law, US companies which own or process data for Chinese securities firms, such as Microsoft, Amazon and AT&T, may potentially file the ‘motion to quash’ to refuse to disclose Chinese securities firms’ data to the US government. It should be noted that the New Securities Law does not allow any entity or individual to export information relating to securities operation without government approval. Such a broad restriction could apply not only to the securities firms themselves but also to their shareholders, customers, employees, service providers, consultants and auditors.
Foreign securities firms entering the Chinese market should be prepared to deploy specific information systems for their securities firms in China. Such foreign-controlled securities firms must be aware of the importance of complying with China’s cybersecurity requirements on an ongoing basis. Foreign-invested securities firms should be aware that their data relating to securities operations might not be allowed to be exported abroad, including to their parent companies.
 Article 118, Securities Law of the People’s Republic of China.
 Article 177, Securities Law of the People’s Republic of China.
 Chapter IV, Measures for the Information Technology Management of Securities and Funds Operators.
 Chapter III, Cybersecurity Law of the People’s Republic of China.