CSRC Issues Administrative Measures on Information Technology for Securities M88 login Funds Business Operators

On December 19, 2018, the China Securities Regulatory Commission (CSRC) formally issued its Administrative Measures on Information Technology of Securities M88 login Fund Business Operators (“Measures”), which include numerous amendments to its May 2017 consultation paper (“Consultation Paper”).

The Measures have been issued against the backdrop of increasing regulation M88 login supervision of information technology M88 login cybersecurity following the promulgation of the Cybersecurity Law. They provide detailed requirements to guide securities M88 login fund business operators in the construction of a comprehensive compliance system for their information technology, M88 login clarify the underlying regulatory principles.

Below, we provide a brief overview of key aspects of the Measures M88 login an analysis of the implications.

I.The Measures apply to key participants involved in the securities M88 login fund sector

Chapter 1 of M88 login Measures stipulates that M88 login Measures apply to M88 login following subjects:

(1)Securities M88 login fund business operators, i.e., securities companies M88 login securities fund management companies;

(2)Information technology service providers, i.e., institutions that provide development, testing, integration, assessment, operation, maintenance or day-to-day security management services for any of the important information technology systems for securities M88 login fund business operators;

(3)Institutions providing special services to securities M88 login fund businesses (“special servicing institutions”);

(4)Commercial banks engaged in the deposit M88 login custody of securities businesses’ customer transaction settlement funds; fund custodians for publicly-raised funds; subsidiaries duly incorporated onshore by securities M88 login fund management business operators; M88 login any institutions established by such subsidiaries.

The scope of application of the Measures is relatively broad, M88 login covers almost all information technology-related market participants involved in the securities M88 login fund sector.

We note that Article 2 of the Consultation Paper specifically lists “special servicing institutions” as being among the applicable subjects, M88 login that Chapter 5 thereof details the provisions specifically applicable to these special servicing institutions. Unlike the Consultation Paper, the final version of the Measures removes the special provisions applicable to special servicing institutions from the main body M88 login stipulates in the ancillary Chapter 7 that special servicing institutions for securities investment funds shall be governed by reference to the Measures. The definition of special servicing institutions has also been expM88 logined to include fund servicing institutions engaging in investment advisory, rating M88 login evaluation, M88 login securities investment advisory institutions. While it appears that the final version of the Measures still includes special servicing institutions, it remains to be seen how such institutions will be governed in practice with reference to the Measures.

II.M88 login Measures lay out the basic requirements for building comprehensive informational technology compliance systems for securities M88 login fund business operators

1.Establish a tiered governance structure, comprising the board of directors, senior management team, information technology management committee, M88 login chief information officer

The Measures explicitly require the board of directors of a securities M88 login fund business operator to review M88 login be responsible for the company’s information technology management objectives, M88 login for the senior management team to be responsible for the management M88 login implementation of the board’s information technology decisions.

An information technology management committee or designated special committee shall be established under the company’s senior management team, with responsibility for formulating information technology strategies M88 login reviewing the relevant matters. In addition to company’s senior management officers M88 login departmental heads, the information technology management committee may also engage external professionals to serve on or as consultants to the committee.

The Measures raise the responsibility for the effectiveness of the information technology compliance system beyond that of the Consultation Paper, to board level. In addition, for the first time, the Measures stipulate that securities M88 login fund business operators shall designate a person that meets the requirements of the Measures as the chief information officer.

2.Establish comprehensive information technology compliance policies M88 login schemes covering system security, data governance M88 login emergency management

The Measures provide detailed provisions for three aspects of information technology security, namely, information system security, data governance M88 login emergency management.

System Security. The Measures require securities M88 login fund business operators to formulate special implementation plans for the launch of or material alteration to any important information technology system, or, if such system is not currently in use, to conduct an assessment of its impact, M88 login to formulate a system outage M88 login data migration M88 login safekeeping plan. Securities M88 login fund business operators shall continuously monitor the operation of all important information technology systems, identify any abnormal occurrences, M88 login deal with them in a timely manner. All relevant documents shall be collected M88 login stored so as to ensure that emergency response M88 login auditing requirements are able to be met.

Data governance. The Measures impose new requirements on securities M88 login fund business operators to classify any data obtained during business operations or from clients according to the data’s significance M88 login sensitivity, M88 login to take appropriate data management arrangements accordingly. The Measures specifically emphasize that securities M88 login fund business operators shall keep records of the usage of any data M88 login client information, M88 login continuously monitor their information technology service provider or other related parties to ensure they are performing their undertakings in relation to non-disclosure. If it is found that any information technology service provider has stored or used such data or information in violation of laws M88 login regulations, the relevant securities M88 login fund business operators shall order the information technology service provider to make the necessary corrections, M88 login to destroy such data M88 login information, M88 login shall terminate the business relationship if such service provider refuses to cooperate M88 login make corrections. The Measures also emphasize that securities M88 login fund business operators shall not collect any irrelevant client information, shall not purchase or use data which are obtained illegally or from an unknown source, shall not intercept or store client information in violation of the law, M88 login shall under no circumstances provide client information to any other institutions or individuals.

Emergency management. It is a requirement that emergency plans be formulated. There must be at least one test emergency exercise per year M88 login the reports of such exercise shall be kept on record. The emergency plans shall be subject to ongoing review M88 login improvement, M88 login shall take into full consideration any event which might influence the stable operation of important information technology systems, such as the breakdown of such systems, an outsourced technology service provider’s failure to provide services, significant staff alterations or natural disasters. Backup systems shall have the same processing capacity as the original system.

The Measures remove the requirement that the important information technology systems must be deployed within the territory of China, M88 login that important data M88 login client information collected M88 login produced during the business operation shall be stored within the territory of China, as was originally proposed in the Consultation Paper. However, according to the Cybersecurity Law M88 login other relevant laws, securities M88 login fund business operators, being financial institutions, may be still required to store important data M88 login client information collected M88 login produced by any important information systems within the territory of China, M88 login to conduct security assessments before transferring such information M88 login data overseas.

3.Enhancing internal M88 login external auditing to ensure continuous compliance

Chapters 3 M88 login 4 of the Measures provide the detailed auditing requirements to guide securities M88 login fund business operators in their information technology compliance, risk control M88 login information security protection. These include requirements for internal auditing, periodic special auditing on information technology management (not less than once per year), entrusting professional institutions to conduct comprehensive auditing on information technology management (not less than once every three years), tracking M88 login rectifying any problems in a timely manner, M88 login safekeeping auditing reports for no less than twenty years.

4.Improving supervision of entrusted M88 login services

The Measures stipulate that if a securities M88 login fund business operator engages an external information technology service provider to provide services, it shall conduct internal inspections on such servicing provider M88 login its information system, M88 login submit the relevant inspection reports to the CSRC. Before determining which external provider to engage, such securities M88 login fund business operator shall formulate procedures M88 login plans to quickly replace such external servicing provider should certain circumstances arise. A securities M88 login fund business operator M88 login a servicing provider should enter into both a service agreement M88 login a non-disclosure agreement, with the Measures providing general, in principle requirements on the content of such agreements.

The obligations that securities M88 login fund business operators assume in accordance with any laws will not be exempted or mitigated due to any entrustment or outsourcing. Securities M88 login fund business operators are expected to clearly, precisely M88 login completely understM88 login the technological structures, business logic M88 login operational procedures of their key information systems, M88 login to ensure that the operation of these systems is always under their control. An information technology service provider shall not be entrusted to independently manage the operation, maintenance M88 login day-to-day security of key information systems, unless the laws M88 login regulations stipulate this or CSRC approval has been granted.

The Consultation Paper required that securities M88 login fund business operators M88 login special servicing institutions should use only those information technology service providers domiciled within the territory of China. The final version removes this requirement, but imposes new conditions on information technology service providers, such as requiring that a service provider, its shareholders M88 login de facto controllers have no recorded violations of laws or regulations, that it has safe, stable technology servicing capacity, an effective emergency response capability, M88 login familiarity with securities M88 login funds businesses.

III.M88 login Measures set out new regulatory requirements for information technology management

1.Regulatory M88 login guiding institutions

The Measures stipulate that, under the guidance of the CSRC, the China Securities Information Technology Services Limited Company shall be responsible for formulating the relevant implementation rules to assist in the filing, monitoring, detection M88 login inspection for information technology. Information technology service providers shall voluntarily accept the operational guidance of the same M88 login comply with all relevant implementation rules.

2.Supervision M88 login administration

As well as the above mentioned requirements, when engaging information technology service providers, the Measures require that relevant materials shall be submitted to the CSRC when a securities M88 login fund business operator establishes or replaces the information system being used in trading of securities or funds, or changes the computer room where an important information system is located. Special information technology reports shall be submitted to the CSRC every year. The Measures also require that information technology service providers shall submit materials to the CSRC or its local agencies at regular intervals, M88 login immediately inform the CSRC in the event of any significant change, any obvious defects or any other circumstances that might have a significant impact.

In addition, the Measures explicitly require that all information technology service providers shall be filed with the CSRC, M88 login only those which meet the relevant requirements will be permitted to provide services to the securities M88 login fund business operators.

IV.Our Observations

Within an environment in which cybersecurity is becoming an increasingly important aspect of risk prevention in financial industries, the Measures provide insights into the CSRC’s thinking on information technology within securities M88 login fund operation institutions.

They aim to provide comprehensive supervision M88 login regulation of all major dimensions of information technology activities through various means, including requirements relating to the set-up of compliance systems, periodic reports, reports for special events M88 login filing of information technology service providers.

In addition, the Measures also provide detailed requirements for the security of information system, such as data management, system separation, M88 login minimum authorization principles. They explicitly require that securities M88 login fund business operators shall not use or purchase client information from unknown sources. In these respects, the Measures are consistent with the other approaches to compliance in the areas of cybersecurity M88 login information protection.

It remains to be seen how the Measures will be applied in practice, the scope of their application, the intensity of their enforcement M88 login how they will interact with the Cybersecurity Law, M88 login in particular the latter’s provisions regarding cross-border data transfer M88 login multi-level protection system.