People’s Republic of China: CSRC Released New Cybersecurity and Data Privacy Rules for Securities and Futures Institutions
By Chloe Duan and Grace Ye
The China Securities Regulatory Commission (CSRC) released the Administrative Measures for Network and Information Security in Securities and Futures Sectors (Measures) on 27 February 2023, which will become effective on 1 May 2023.
The Measures provide an industry-specific regulatory regime in response to the reshaped cybersecurity and data privacy law of China and will replace the existing rules promulgated a decade ago. The Measures are meant to be broadly applicable to various market players, such as stock exchanges, securities and futures companies, fund managers, and information technology (IT) service providers (e.g., online trading platforms). CSRC categorized them as follows:
(i) core institutions, including securities and futures trading venues, securities registration and settlement institutions, and other core institutions undertaking public functions of the securities and futures market and operation of public IT infrastructure of the securities and futures market;
(ii) operating institutions, which are securities and futures operating institutions such as securities companies, futures companies, and fund management companies; and
(iii) IT system service institutions, which provide products or services such as development, testing, integration, evaluation, operation and maintenance, and daily security management of important information systems for securities and futures business activities.
Each category of institutions is subject to different types of regulatory requirements based on the nature of the data they are processing and the cybersecurity and privacy risks they are exposed to.
The Measures cover various aspects of network and information security, such as the set-up and operation of supervision and management systems, protection of investors’ personal information, network and information security emergency response, and critical information infrastructure security protection. CSRC and its local agencies are the regulators responsible for enforcing the Measures and are entitled to impose administrative penalties on regulated institutions that breach the Measures.