Cybersecurity by design in China
Shortly after the coming into force of the China Cybersecurity Law, China's Ministry of Industry and Information Security (MIIT) issued a set of draft measures entitled "Administrative Measures on Security Assessment of New Internet Business" on 8 June 2017 for consultation. The consultation period will end on 9 July 2017. The draft measures when they come into effect will replace the trial measures which have been in place since 2012.
Key features of the revised measures
The draft measures require telecom operators, including all basic telecom operators and value-added telecom operators, including "internet content providers", to ensure that any new internet business that they propose to offer have gone through a "security assessment".
Some of the key features of the draft measures include:
- "New internet business" covers: (i) any new business which a telecom operator is authorised to provide under its telecom licence; and (ii) new telecom business which makes use of the internet but which may not have been included in the "Telecom Business Classification Catalogue".
- For "security assessment", this is specifically defined to mean assessment of network information security risk.
- MIIT will publish a "New Business Security Assessment Standard" to guide the telecom operators on how the assessment should be conducted. The security assessment is expected to be carried out from four main perspectives, including:
- protection of personal information,
- protection against cyber attack,
- network information security,
- setting up of related management system.
It should be noted that in 2016, MIIT issued a fairly detailed guide on the same subject matter to support the 2012 trial measures. This guide will be instructive in understanding the expectations of MIIT.
- Telecom operators are required to prepare a written assessment report if the new internet business is intended to be public facing. The report must be filed with the relevant branch of the MIIT within 45 days of the launching of the new business. The assessment is required to be carried out even if the new internet business is for joint promotion purposes, or to be conducted on a trial or pilot basis. The assessment must be completed before the new business is launched.
- The security assessment can be conducted by the telecom operator itself. It may also engage a third party professional firm to conduct the assessment on its behalf.
- The telecom operators are further required to conduct self-inspection of the new internet business at least every six months on whether there is any significant change to: (i) the realisation of the technology; (ii) the business model and (iii) the size of the users, and to assess whether such change may present significant cyber information security risk. If so, the telecom operator must conduct a further security assessment in accordance with the measures.
- The telecom operators are expected to comply with the security assessment obligations for each new internet business for three years.
Observation
As China steps up its legal and regulatory requirements on cybersecurity and protection of personal information, perhaps it was not surprising to see one of the key ministries, i.e. the MIIT, gradually formalising interim measures in the area. The draft revised administrative measures clearly push the telecom operators to take into consideration cybersecurity and personal information protection issues as part of their new product and business launch.
