China's draft cybersecurity rules pose risks for financial firms, lobby
group warns
Send a link to a friend
 [June 02, 2022] By
Selena Li
HONG KONG (Reuters) - China's proposed
cybersecurity rules for financial firms could pose risks to operations
of western companies by making their data vulnerable to hacking, among
other things, a leading lobby group has said in a letter seen by
Reuters.
The latest regulatory proposal comes at a time when a string of western
investment banks and asset managers are expanding their presence in
China, either by setting up wholly-owned units or by taking a bigger
share in existing joint ventures.
The China Securities Regulatory Commission (CSRC) released the draft
Administrative Measures for the Management of Network Security in the
Securities and Futures Industry on April 29, and offered a month-long
public consultation on the proposals.
The draft rules seek to make it mandatory for investment banks, asset
managers, and futures companies with operations in China to share data
with CSRC, allow regulator-led testing, and help set up a centralised
data backup centre.
Morgan Stanley and HSBC are among those who have benefited in recent
months from China's opening up of financial sector for foreigners,
following Goldman Sachs and JPMorgan, which won nods to run local units
last year.
Lobby group, the Asia Securities Industry and Financial Markets
Association (ASIFMA), in a letter addressed to the CSRC and dated May
27, expressed concerns of its members about the draft rules as they
anticipate risks in sharing sensitive data.
The letter's content, which has been reviewed by Reuters, has not been
reported before.
ASIFMA, which has more than 160 members comprising leading financial
institutions from both the buy and sell side, banks, law firms, and
market infrastructure service providers, did not confirm the letter and
declined to comment on its content.
In response to Reuters request for comment, the CSRC said that ASIFMA
submitted its opinion on May 31, two days after the consultation period
ended.
"However, we still highly value the feedback forwarded by relevant
associations," it said, adding the regulator was "carefully studying the
opinions and suggestions" and will continue to communicate with them.
[to top of second column] |
A surveillance camera is pictured outside the China Securities
Regulatory Commission (CSRC) building on the Financial Street in
Beijing, China July 9, 2021. REUTERS/Tingshu Wang
The proposed new data rules for financial firms also comes against the backdrop
of Beijing's tightened oversight of data security mainly in the tech sector as
part of a wider regulatory crackdown, which has roiled the country's stock
markets and stalled offshore company listings.
'HUGE RISKS'
The draft rules require the sharing of data by financial firms for various
purposes, but the lobby group is concerned passing on sensitive data will makes
companies in the sector vulnerable to "hackers and other bad actors".
Global banks and asset managers are also pushing back on a requirement to
introduce a sector-wide data backup centre.
"This not only poses huge risks to all core institutions and operating
institutions on an individual basis, but also brings significant systemic risks
for the sector in China and globally given the inter-connectedness of the global
financial sector, if the data is compromised or leaked," the ASIFMA letter said.
The draft rules also stipulates that the CSRC could conduct penetration-testing
-- a simulated cyber attack against the operational system -- and system
scanning on securities, futures and fund firms.
However, ASIFMA flagged concerns of global banks that regulator-led or
regulator-commissioned penetration testing pose "real risks to firms due to the
potentially disruptive nature of penetration testing and the sensitivity of
testing results".
"Testing systems and applications without operational context could create
significant disruption to firm operations,” the lobby group added.
The regulator has not set any timeline for the issuance of the final rules or
for their implementation.
(Reporting by Selena Li; Editing by Sumeet Chatterjee and Kim Coghill)
[© 2022 Thomson Reuters. All rights
reserved.]
This material may not be published,
broadcast, rewritten or redistributed.
Thompson Reuters is solely responsible for this content. |
