2017.05.26 LU, Bing
On May 5, 2017, the China Securities Regulatory Commission (“CSRC”) began soliciting public comments on the Administrative Measures on Information Technology of Securities and Fund Operation Institutions (Consultation Paper) (“Measures”), where the deadline for consultation is June 4, 2017. Given that the Cyber Security Law is set to take effect on June 1, 2017, the CSRC’s release of the Measures is endowed with additional significance, which makes the Measures a “cyber security law” for the securities and fund industries.
As introduced by the CSRC in the Statement of Drafting of the Measures (“Statement of Drafting”), releasing the Measures is not only directed at existing issues of securities and fund operation institution information technology governance, information technology-associated compliance risks, and internet risks, but is also intended to address the information security risks of the “Special Business Servicing Institutions” (as defined below). Although Special Business Servicing Institutions have already been placed under the supervision of the CSRC, currently there is a lack of detailed regulatory standards applicable to such institutions, and the CSRC particularly emphasizes the concerns of cross-industry and cross-institution spread-risks caused by extensive interconnectedness of information systems between the Special Business Servicing Institutions and the securities and fund operation institutions. In the meantime, the CSRC is considering including third-party institution information technology service providers under its supervision so as to ameliorate regulatory deficiencies.
Below we have integrated an analysis based on the application of the Statement of Drafting to the primary content of the Measures, for purposes of identifying regulatory principles of information technology and attempting to propose certain opinions on some issues remaining to be clarified in the Measures.
Scope of Application
A key point that deserves attention is the subjects and scope that the Measures apply to. The Measures apply to three kinds of institutions:
(i) Securities and fund operation institutions (“Operation Institutions”), which refer to securities companies and fund management companies established within the territory of China according to law; a subsidiary of any such securities company or fund management company shall also be governed with reference to the Measures.
(ii) Special business servicing institutions (“Special Business Servicing Institutions”), which refer to institutions engaging in the securities or fund related business activities recognized by the CSRC other than the Operation Institutions, including fund custodians, fund distribution agencies, fund unit registration institutions and commercial banks engaging in the depository and custody of client trading settlement funds for a securities company.
(iii) Information technology servicing institutions (“IT Servicing Institutions”), which refer to information technology servicing institutions providing the Operation Institutions and the Special Business Servicing Institutions with some information technology services to engage in the securities or fund related business activities. As illustrated in the Measures, such information technology services include: (a) development, testing, integration and assessment of any Key Information Systems (as defined below), (b) operation, maintenance, and day-to-day safety management of any Key Information Systems, (c) lease of computer facilities for any Key Information Systems, (d) other circumstances determined by the CSRC.
Operation Institutions and Special Business Servicing Institutions are governed by the Measures only if they engage in the securities or fund related business activities by means of information technology. IT Servicing Institutions are mainly governed by the Measures for certain of their services in association with the Key Information Systems. Regarding “Key Information Systems”, the Measures first define them as any information system supporting the key business functions of an Operation Institution, which will cause material impact on the securities markets and the investors upon occurrence of any abnormality. The Measures illustrate several systems, including the centralized trading system, investment trading system, online fund distribution system, valuation and accounting system, investment supervision system, information disclosure system, unit registration system, third party depository system, securities financing business system, online trading system, telephone entrustment system, trading system for mobile terminals, clearing system for legal persons, web portals functioning with account opening, trading or alteration of the materials of clients, system stored with data in relation to underwriting or sponsorship business working papers, and other information systems having similar functions.
Futures brokerage companies or servicing institutions providing the futures companies with special business services or information technology services to engage in the futures related business activities are not the regulatory subjects of the Measures. We understand that the futures industry remains governed by the current Administrative Measures on Information Security Protection of Securities and Futures Industries (Order of the President of the CSRC No. 82) and the Measures for Reporting, Investigating and Handling Information Security Incidents of Securities and Futures Industries (Announcement of the CSRC [2012] No. 46). Afterwards, we anticipate that the CSRC may formulate special information technology administrative measures with respect to the futures industry.
According to our interpretation of the Measures, private securities fund managers (“PFMs”) registered with the Asset Management Association of China (“AMAC”) shall not fall under the scope of application of the Measures. We suggest the Measures expressly stipulate that the Operation Institutions refer only to the securities companies and the securities fund management companies established upon approval by the CSRC, and all business activities of such two kinds of institutions, including private fund business activities and public fund business activities, shall be included under the regulation of the Measures. In addition, we suggest the Measures clarify that a Special Business Servicing Institution shall not be subject to the Measures in relation to its custody, distribution, unit registration services provided to a private securities fund issued by a PFM.
It is worth noting that the upper-level laws mentioned by the Measures include the Cyber Security Law, which will become effective on June 1, 2017; however, the Measures did not define the “Critical Information Infrastructure” of the securities or fund industry. We believe it will be pending till the State Council separately formulates the relevant measures with respect to the specific scope and security protection of the Critical Information Infrastructure.
Information Technology Governance
The Statement of Drafting points out existing issues in the information technology governance of the Operation Institutions: for example, some Operation Institutions have failed to formulate internal mechanisms for the allocation and supervision of powers and responsibilities for effective information technology management; the level or structure of financial and human resource allocation to information technology has been unreasonable; there is an overreliance on external suppliers for information system construction; and there is a lack of overall planning. Focusing on these issues, the Measures provide a range of information technology governance requirements for the Operation Institutions, including maintaining information technology investment adaptable to the scale and extent of business activities, evaluation and updating of the information technology scheme on a regular basis, and continuous perfection of the information technology management policies and operational process. In addition, the Operation Institutions shall appoint or designate senior management personnel familiar with information technology to take charge of the information technology management work and set up special department(s) responsible for managing information technology related work.
Compliance of Information Technology
The CSRC believes that the business compliance risks of the Operation Institutions for application of information technology are relatively prominent. The information technology risks not only manifest as traditional information security risks, but also may cause business compliance risks. In practice, some Operation Institutions are short of assessment for the compliance of the internal process of information systems, thus exposing a potential risk. Therefore, the Measures set up a chapter for the compliance of information systems, and require the Operation Institutions to carry out the requirements for compliance management and risk control across every step of the information technology management, including establishing the information technology compliance management mechanism for pre-event compliance review, in-event risk monitoring and post-event evaluation and auditing; establishing synchronization mechanisms for information technology application and risk control measures, which requires the business information system to be put online simultaneously with the risk monitoring system; and for specific business systems features, requiring the Operation Institutions to ensure the implementation of the key “points of compliance” in the system design.
Those provisions regarding the “points of compliance” are mainly reflected in their requirements for the Operation Institutions to comply with the relevant standards for the use of external information systems. An Operation Institution may only receive the trading orders from clients directly through the information system operated and managed by itself, unless otherwise permitted by laws and regulations and the CSRC. They also require that the information systems of an Operation Institution shall function with examination of the sufficiency of the capital and securities in the relevant accounts, monitoring of abnormal transactions and abnormal capital transfer, and even require the Operation Institutions to store electronic contracts in a specific information system available for the investors or counterparties to query and download. The Measures also require the Operation Institutions to conduct comprehensive internal auditing of their information technology management work and assessment for the efficiency of risk monitoring respectively at least one time per annum. The period of preservation of the above internal auditing reports shall not be less than 20 years.
System Deployment and Information Storage
The information technology safety management includes technology management, data security management and business continuity management. In terms of the data security management, the Measures require the Operation Institutions to independently deploy the Key Information Systems within the territory of China, and to store client information and important data collected and produced during the activities of securities and funds operation within the territory of China, except for the following circumstances: (i) the information systems, important data and client information in relation to the securities transactions or derivatives transactions carried out by the Operation Institutions in overseas trading venues or the OTC securities transactions or OTC derivatives transactions carried out between the Operation Institutions and overseas counterparties according to law; (ii) the information systems, important data and client information in relation to the foreign exchange transactions carried out by the Operation Institutions according to law; (iii) other circumstances permitted by laws and regulations and the CSRC. It is worth noting that such requirement is actually stricter than the Cross-border Transfer of Personal Information and Important Data (Consultation Paper) published by the State Internet Information Office on April 11, 2017. We suggest the CSRC grant a general permission for cross-border information and data transfer arising from reasonable business needs, with the prerequisite that for any cross-border information or data transfer a recipient of the information and data shall take proper confidentiality and security protection measures.
Supervision on Special Business Servicing Institutions
The Measures specify the detailed regulatory provisions for the Special Business Servicing Institutions for the first time. According to the Measures, the Special Business Servicing Institutions shall establish a risk segregation mechanism between the special business information system and other business information systems, and properly deploy and store the special business information system and its data. However, it remains unclear how the segregation can be implemented and what influence it might bring to the existing businesses. In view of the current situation that the Special Business Servicing Institutions usually provide services for a large number of PFMs, these regulatory requirements on the Special Business Servicing Institutions and the correspondingly increased operational costs may affect the service recipients related to the private fund business. The Measures also require the Special Business Servicing Institutions to take reference to the CSRC's provisions on reporting, investigating and handling of information security incidents, to establish multi-level responding mechanisms for information security incidents, and to report their reporting and handling mechanisms to the CSRC and its dispatched agencies.
Supervision on IT Servicing Institutions
The Measures specify the scope and selection requirements for the Operation Institutions to engage IT Servicing Institutions to provide information technology services. One of the regulatory emphases on information technology services is that an Operation Institution or a Special Business Servicing Institution shall not engage any IT Servicing Institution to independently implement the operation, maintenance or day-to-day safety management of a Key Information System. However, the Measures have not further defined the “independent implementation” and the level of control that the entrusting party shall ensure. The Measures also provide the matters for the Operation Institutions and the Special Business Servicing Institutions to focus on when selecting an IT Servicing Institution, including whether the domicile of the IT Servicing Institution is within the territory of China, whether the IT Servicing Institution, its controlling shareholder, de facto controller or an affiliate controlled by it has any record of material violation of laws and regulations related to the securities and futures business activities in the most recent one year. The Measures illustrate the prohibitive requirements on the engagement of an IT Servicing Institution to provide information technology services; for instance, the Measures prohibit any IT Servicing Institution from engaging in any business operation related to the same securities and funds business activities when providing information technology services to an Operation Institution or Special Business Servicing Institution.
Reporting Obligations
Under the Measures, the CSRC and its dispatched agencies are the regulatory departments, and the Securities Association of China, the AMAC and the stock exchanges are the self-discipline regulatory organizations. The obligations of reporting to the regulatory departments prescribed by the Measures include the obligations of filing, regular reporting and reporting under special circumstances. For instance, an Operation Institution and a Special Business Servicing Institution shall file with the CSRC when conducting any of the three businesses: establishing a new Critical Information Infrastructure, using an information system related to the securities or funds transactions that is bought from an external party or constructed by an entrusted external party, or providing connectivity to an external information system. The Measures provide the annual obligations of reporting of the Operation Institutions and the Special Business Servicing Institutions, and require the IT Servicing Institutions to regularly submit materials as required by the CSRC. The Measures stipulate the obligation of reporting of the Special Business Servicing Institutions when incurring any system failure incidents and the obligation of reporting of the IT Servicing Institutions under any circumstances that might affect the normal and continuous business operation.