The law looks to raise domestic corporate cyber-security standards, but multinational organisations have serious concerns.
Last week the Cyberspace Administration of China (CSC) launched its first cyber-security law in an effort to boost standards in the country.
The law, however, has been much maligned, especially by multinational organisations operating in the country, which have expressed concerns about the vagueness of the wording, its seemingly intrusive nature, the potential cost of compliance and, ultimately, whether it will leave them less secure.
The impact, analysts have said, will be that some multinational companies will be seriously considering if they want to begin or continue operating in China.
Clear as mud
For multinationals and other businesses in China, the big challenge at the moment is understanding the regulation and what parts of it will impact the business.
Most crucially, businesses are trying to work out if they will be classed as ‘critical information infrastructure (CII)’ companies as these will be forced to comply with the most onerous rules. But, according to Carly Ramsey, Associate Director at Control Risks, the wording is extremely vague and no clear guidance has been given, meaning that many organisations remain in the dark about what they need to be doing.
To make matters more confusing, in other countries ‘critical’ industries are usually narrowly prescribed and include sectors such as healthcare, power and defence. The same is true in China; however, the CSC has also included wording that broadens the scope of ‘critical’ companies to any that hold a lot of data, especially data that the government considers important.
“This means that any foreign company that is a key supplier to a ‘critical’ sector, as well as any company that holds significant amounts of information on Chinese citizens, could become a prime target for regulators seeking to enforce the CSL,” says Ramsey. Companies in the retail and travel space, for instance – especially if they are online businesses – may suddenly find themselves classed as CIIs.
Complex and costly requirements
If a company is classed as a CII then it will need to do a lot of work to be compliant with the law. The most challenging aspect will be localising Chinese data onshore on Chinese servers. “This will be a real problem for many multinational companies and could seriously impact their IT efficiency and increase costs,” says Ramsey. “This is especially true because foreign cloud server providers are not permitted to operate in China, meaning that multinationals will have to trust local companies to store their data. There will also be implications for corporates trying to do big data analytics.”
Another worrying aspect for multinationals is that this data will only be permitted to move offshore following stringent checks by the Chinese regulators.
Elsewhere, the ‘network products and services’ that CII businesses in China use will have to be signed off by the Chinese regulators. “There remains no clarity around what ‘network products and services’ actually means,” says Ramsey. “But you can deduce that this will include items such as telecoms infrastructure. It remains to be seen how deep this will go and whether things like treasury management systems will be impacted at all.”
The final, although as yet unconfirmed, requirement imposed on CIIs will be the need to have their cyber-security controls audited. As Ramsey explains, however, it is not clear whether reviews conducted by auditors in other countries will be enough to satisfy the regulators or whether an independent audit will be required in China.
Yes, the vagueness of the law and some of its requirements have raised serious concerns for multinationals, and for good reason. The law has also raised questions about its implications for broader freedoms in China and the country’s commitment to reforms – which have been well covered by international news outlets such as the FT.
But one positive that can be found is the government’s desire to improve the overall level of cyber-security in the country. “Ninety percent of the law is focused on building up cyber-resilience in the private and public corporate space,” says Ramsey. “This is a positive move because there is a lot of cyber-crime and fraud in China and this will improve the overall business ecosystem and ensure that critical infrastructure is not impacted by cyber-attacks.”
Yet the vagueness of the law and the issues it may potentially create for foreign businesses in China seem to outweigh any positives.